metasploit | dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a

General

Target

dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
Size

76KB
MD5

3e139a52141b5095d8454225b2a06741
SHA1

cf07fd790cf04bd6fe31b370280fb6510de9b0b3
SHA256

dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a
SHA512

18abfd1d66a532bf90602a6b3a7425858df7b7021e7bd58d2edc43448b5a8ccb4ba458716abc9f10c0822d7d46d854b8a05f130d7044560f8825e8e5c2ef5b07
SSDEEP

1536:MXNGoSt/3TleJjulF0OrWaooVggP2qsKmxit:yGftLlq8BrPVggP2lg

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe"	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe

Executes dropped EXE 2 IoCs

pid	Process
800	jodrive32.exe
364	jodrive32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe"	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 800 set thread context of 364	800	jodrive32.exe	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\%windir%\eilfiie32.log	jodrive32.exe
File created	C:\Windows\jodrive32.exe	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
File opened for modification	C:\Windows\jodrive32.exe	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 828 wrote to memory of 1088	828	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	27
PID 1088 wrote to memory of 800	1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	28
PID 1088 wrote to memory of 800	1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	28
PID 1088 wrote to memory of 800	1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	28
PID 1088 wrote to memory of 800	1088	dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe	28
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29
PID 800 wrote to memory of 364	800	jodrive32.exe	29

C:\Users\Admin\AppData\Local\Temp\dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
"C:\Users\Admin\AppData\Local\Temp\dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
  C:\Users\Admin\AppData\Local\Temp\dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a.exe
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\jodrive32.exe
    "C:\Windows\jodrive32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\jodrive32.exe
      C:\Windows\jodrive32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\jodrive32.exe

Filesize
76KB

MD5
3e139a52141b5095d8454225b2a06741

SHA1
cf07fd790cf04bd6fe31b370280fb6510de9b0b3

SHA256
dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a

SHA512
18abfd1d66a532bf90602a6b3a7425858df7b7021e7bd58d2edc43448b5a8ccb4ba458716abc9f10c0822d7d46d854b8a05f130d7044560f8825e8e5c2ef5b07

Download Submit
C:\Windows\jodrive32.exe

Filesize
76KB

MD5
3e139a52141b5095d8454225b2a06741

SHA1
cf07fd790cf04bd6fe31b370280fb6510de9b0b3

SHA256
dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a

SHA512
18abfd1d66a532bf90602a6b3a7425858df7b7021e7bd58d2edc43448b5a8ccb4ba458716abc9f10c0822d7d46d854b8a05f130d7044560f8825e8e5c2ef5b07

Download Submit
C:\Windows\jodrive32.exe

Filesize
76KB

MD5
3e139a52141b5095d8454225b2a06741

SHA1
cf07fd790cf04bd6fe31b370280fb6510de9b0b3

SHA256
dc6d81e8897fa7a630446f358604b5b55d2006df923fde8a0d3495117e37430a

SHA512
18abfd1d66a532bf90602a6b3a7425858df7b7021e7bd58d2edc43448b5a8ccb4ba458716abc9f10c0822d7d46d854b8a05f130d7044560f8825e8e5c2ef5b07

Download Submit
memory/364-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/364-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/364-113-0x0000000000407650-mapping.dmp

Download
memory/800-95-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/800-116-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/800-83-0x0000000000000000-mapping.dmp

Download
memory/828-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/828-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1088-93-0x00000000007A0000-0x00000000007B3000-memory.dmp

Filesize
76KB

Download
memory/1088-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-94-0x00000000007A0000-0x00000000007B3000-memory.dmp

Filesize
76KB

Download
memory/1088-78-0x0000000000407650-mapping.dmp

Download
memory/1088-77-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-82-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1088-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1088-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads