Overview

overview

10

Static

static

3

JaffaCakes...ea.exe

windows7-x64

10

JaffaCakes...ea.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe

  • Size

    189KB

  • MD5

    8aa0896372c84465ec2c153ae0e52cea

  • SHA1

    02e86601cd1dc584ee59cd7f45607ea3cc4d79f4

  • SHA256

    2f64c0bb42e364108eb4a8f7134f5dd59aa64862fe8b1fed62aad9b2757fe4a3

  • SHA512

    706a25651a10a16833a2ecf96f88442b9920ccd160b140bfccd716fd86547a17824aa34ac220ee331977dd110c488a4e84580f322066a541e88dbe45b02ccadc

  • SSDEEP

    3072:VX1T/7/i+aCYjYT9IbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7bm026qes:rTj/i+aCOG9GwvP6bQ7yMP+DE827y0x6

Score
10/10
metasploitbackdoordefense_evasiondiscoverytrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 5 IoCs
    defense_evasiontrojan
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    defense_evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 5 IoCs
    defense_evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aa0896372c84465ec2c153ae0e52cea.exe"
    1⤵
    • Looks for VMWare Tools registry key
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:1628
  • C:\Windows\AGPdivX.exe
    "C:\Windows\AGPdivX.exe"
    1⤵
    • Modifies security service
    • Windows security bypass
    • Looks for VMWare Tools registry key
    • Deletes itself
    • Executes dropped EXE
    • Windows security modification
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\AGPdivX.exe
    Filesize

    189KB

    MD5

    8aa0896372c84465ec2c153ae0e52cea

    SHA1

    02e86601cd1dc584ee59cd7f45607ea3cc4d79f4

    SHA256

    2f64c0bb42e364108eb4a8f7134f5dd59aa64862fe8b1fed62aad9b2757fe4a3

    SHA512

    706a25651a10a16833a2ecf96f88442b9920ccd160b140bfccd716fd86547a17824aa34ac220ee331977dd110c488a4e84580f322066a541e88dbe45b02ccadc

    Download Submit

  • memory/1412-31-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-34-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-43-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-42-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-41-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-40-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-39-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-38-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-37-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-25-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-36-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-35-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-16-0x00000000005F0000-0x0000000000620000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1412-23-0x00000000009A0000-0x00000000009A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-21-0x0000000000F60000-0x0000000000F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-20-0x0000000000F50000-0x0000000000F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-33-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-19-0x0000000000950000-0x000000000095B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1412-30-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-22-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-29-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-24-0x0000000000990000-0x0000000000991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1412-27-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1412-28-0x00000000005F0000-0x0000000000620000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1628-10-0x0000000002370000-0x0000000002371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-4-0x0000000002390000-0x0000000002391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-0-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1628-18-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1628-17-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/1628-7-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-11-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-9-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-2-0x0000000002340000-0x0000000002342000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1628-8-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-6-0x0000000002350000-0x0000000002351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-5-0x00000000023A0000-0x00000000023A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-1-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1628-3-0x0000000000670000-0x000000000067B000-memory.dmp

    Filesize

    44KB

    Download