General

  • Target

    1213.js.js

  • Size

    365KB

  • Sample

    220717-3f4qasfhh8

  • MD5

    352203feb48a1a9f3802d7843b24c098

  • SHA1

    464f6ba005b98ba177e00cc4e321689fe6b50ca9

  • SHA256

    cd2cbe0dd156322afcea2627b4561d453ee2400db203f6c778d1b0b71b17d8fd

  • SHA512

    b0c5300bbea0825a72a0a37dd0be485d51891a1f7e617b22e2b2241ce36b041885af3d056f3128b02fce8dd39117b447bb451c43313e03c4a187ec2ed1a1d655
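Before acting on the behaviour below, pin the file in hand to this report by recomputing all four digests. The helper that follows is an added example, not part of the sandbox report; the expected values are the ones listed above, the file is read once in a streaming pass so the same code works on large samples, and a match is only accepted on SHA256 and SHA512, because MD5 and SHA1 are collision-prone and an MD5-only agreement should be treated as suspicious rather than confirming.

```python
"""Pin a local file to the sample described in this report (added example)."""
import hashlib
import io
from typing import BinaryIO, Dict

# Digests copied from the "General" section of this report.
REPORTED: Dict[str, str] = {
    "md5": "352203feb48a1a9f3802d7843b24c098",
    "sha1": "464f6ba005b98ba177e00cc4e321689fe6b50ca9",
    "sha256": "cd2cbe0dd156322afcea2627b4561d453ee2400db203f6c778d1b0b71b17d8fd",
    "sha512": (
        "b0c5300bbea0825a72a0a37dd0be485d51891a1f7e617b22e2b2241ce36b0418"
        "85af3d056f3128b02fce8dd39117b447bb451c43313e03c4a187ec2ed1a1d655"
    ),
}


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Feed the stream once through every hash the report lists."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (tests, extracted blobs)."""
    return digest_stream(io.BytesIO(data), chunk_size)


def compare_to_report(observed: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm agreement with the report, case-insensitive on hex."""
    return {name: observed[name].lower() == REPORTED[name] for name in REPORTED}


def is_reported_sample(observed: Dict[str, str]) -> bool:
    """Accept only on the collision-resistant digests; MD5/SHA1 alone is not enough."""
    match = compare_to_report(observed)
    return match["sha256"] and match["sha512"]


def verify_file(path: str) -> bool:
    """Hash a file on disk and explain any disagreement with the report."""
    with open(path, "rb") as fh:
        observed = digest_stream(fh)
    match = compare_to_report(observed)
    if not is_reported_sample(observed):
        for name, ok in match.items():
            if not ok:
                print(f"{name}: expected {REPORTED[name]}, got {observed[name]}")
        if match["md5"] or match["sha1"]:
            # A weak digest agreeing while SHA256 disagrees is a red flag, not a match.
            print("warning: only a collision-prone digest matched; do not trust it")
        return False
    return True


if __name__ == "__main__":
    import sys

    sys.exit(0 if verify_file(sys.argv[1]) else 1)
```

Usage: `python pin_sample.py 1213.js.js` exits 0 only when the file's SHA256 and SHA512 both equal the values in this report.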

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/single_exec

Targets

    • Target

      1213.js.js

    • MetaSploit

      Detected a malicious payload belonging to the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample can behave differently depending on the victim's locale).

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system, where it survives reinstallation of the OS and is invisible to most OS-level tooling.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1067 Bootkit (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

The numbers in parentheses are the report's hit counts per technique. The IDs are ATT&CK v6 IDs: T1067 Bootkit was deprecated in later ATT&CK versions and is now T1542.003 (Pre-OS Boot: Bootkit), so map it before importing these results into a current ATT&CK Navigator layer; T1012 and T1082 are unchanged.
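The signatures above are behavioural: a dropped file is one the sample wrote and then executed or loaded, the geofence check is a registry read of the configured country, and the bootkit flag is a raw write covering the first 512 bytes of a physical disk. The code below is an added example that reimplements those three checks over a trace and tallies the hits per technique in the same shape as the matrix above. It is not the sandbox's own rule set. The trace format ("op|process|target|k=v ...") and every event line are constructed for this example; the registry path assumed for the geofence lookup is HKCU\Control Panel\International\Geo\Nation, which holds the per-user GeoID.

```python
"""Re-derive this report's behavioural signatures from a trace (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
# Assumption: the sandbox records raw-disk handles by their Win32 device path.
RAW_DISK_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
# Assumption: the geofence lookup reads the per-user GeoID value.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: Optional[str]  # ATT&CK v6 ID from the report, None where it lists none
    signature: str
    process: str
    evidence: str


def analyze(lines: List[str]) -> List[Finding]:
    """Walk the trace in order; 'dropped' means written earlier by the sample."""
    dropped = set()  # lower-cased paths written during the run
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        op, process, target, detail = line.split("|", 3)
        kv = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        key = target.lower()

        if op == "WriteFile" and RAW_DISK_RE.match(target):
            # Only a write that starts at sector 0 and covers the whole MBR counts.
            if int(kv.get("offset", "-1")) == 0 and int(kv.get("length", "0")) >= MBR_SIZE:
                findings.append(Finding("T1067", "Writes to the Master Boot Record (MBR)",
                                        process, f"{target} {detail}".strip()))
            continue
        if op == "WriteFile":
            dropped.add(key)
        elif op == "CreateProcess" and key in dropped:
            findings.append(Finding(None, "Executes dropped EXE", process, target))
        elif op == "LoadImage" and key in dropped:
            findings.append(Finding(None, "Loads dropped DLL", process, target))
        elif op == "RegQueryValue" and GEO_KEY_RE.search(target):
            findings.append(Finding("T1012", "Checks computer location settings", process, target))
    return findings


def technique_counts(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per ATT&CK ID, the same shape as the matrix in the report."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.technique:
            counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed trace for the example; not events from the sandbox run above.
SAMPLE_EVENTS = [
    "# op|process|target|detail",
    r"CreateProcess|explorer.exe|C:\Windows\System32\wscript.exe|args=1213.js.js",
    r"RegQueryValue|wscript.exe|HKCU\Control Panel\International\Geo\Nation|",
    r"RegQueryValue|wscript.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|",
    r"WriteFile|wscript.exe|C:\Users\Public\svc.exe|length=374272",
    r"CreateProcess|wscript.exe|C:\Users\Public\svc.exe|",
    r"WriteFile|svc.exe|C:\Users\Public\helper.dll|length=40960",
    r"LoadImage|svc.exe|C:\Users\Public\helper.dll|",
    r"WriteFile|svc.exe|\\.\PhysicalDrive0|offset=0 length=512",
    r"WriteFile|svc.exe|\\.\PhysicalDrive0|offset=1048576 length=4096",
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.technique or '-':6} {f.signature:40} {f.process:12} {f.evidence}")
    print(technique_counts(hits))
```

Note that wscript.exe launching is not flagged (it was never written by the sample) and the second raw-disk write is ignored because it does not touch sector 0; both are the distinctions that separate these signatures from plain "wrote a file" or "opened a disk handle" noise.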

Tasks