metasploit | 13ac9d5ce9f34c40884f67e0767d87d8fc5a705fe8d4ebaa1773ea8626a2e468

General

Target

f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
Size

177KB
MD5

f57ef56616de54fc88e803abf57cdab4
SHA1

e5938463fd7895cc07a0a38cfd401660dcc333a8
SHA256

13ac9d5ce9f34c40884f67e0767d87d8fc5a705fe8d4ebaa1773ea8626a2e468
SHA512

5ab487aee65f7527e4861f1626e900bbe749a04279556b99d8da53aff3e88ccbe4f100fe43c9adb504305ecdae4ea2699ad22fd8eea7dbff4cf4cee1a08bf502
SSDEEP

3072:bnrRqBYMmJGOyXmRWyE+4NQNIDYw2az/aLOGBiVqzJqvvr9y2/DhmOCQZF5G7cxh:bSDBO5Vn4YwN2fYqNqvT9JbIMF8gN/

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.1.21:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

4444.exe4444.exe

pid process

2620 4444.exe
2432 4444.exe

pid	process
2620	4444.exe
2432	4444.exe

Loads dropped DLL 9 IoCs

Processes:

f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe4444.exe4444.exe

pid	process
2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
2620	4444.exe
2620	4444.exe
2620	4444.exe
2620	4444.exe
2432	4444.exe
2432	4444.exe
2432	4444.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4444.exe

description	pid	process	target process
PID 2620 set thread context of 2432	2620	4444.exe	4444.exe
PID 2620 set thread context of 2432	2620	4444.exe	4444.exe
PID 2620 set thread context of 2432	2620	4444.exe	4444.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe4444.exe

description	pid	process	target process
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2904 wrote to memory of 2620	2904	f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe
PID 2620 wrote to memory of 2432	2620	4444.exe	4444.exe

C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f57ef56616de54fc88e803abf57cdab4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\4444.exe
"C:\Users\Admin\AppData\Local\Temp\4444.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\4444.exe
"C:\Users\Admin\AppData\Local\Temp\4444.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hacknowfr.exe
Filesize
239KB

MD5
d549eed7c940512dd522d075660838f2

SHA1
9d8a5fb1889fc01a881036aa69dd4a143b773f4c

SHA256
94a682801f158c58c4cee8aa35ef49ae1e8a87f8ad8ff8dac8b48671b3f12735

SHA512
4a9c36dc8a98c926eed91aedcafbdfbe9271e0132d8bce7d14874a17594cc4259c8922b5e111e9d9904c7ae5451b40a2bfb5e21368c629191747a3b1121780e6

Download Submit
\Users\Admin\AppData\Local\Temp\4444.exe
Filesize
69KB

MD5
072e42b025e88144e21f26e6286fa39d

SHA1
a1595a95bebfc8fecb58f8eb62140a150c1f366b

SHA256
a0f2c78653e8c527d19cd764cc901c95a62b9dd89abe2e98f64dcdb268b4fbaf

SHA512
69d8f216446041c4ed89e7d6488d6271c895b74370e771aa5c4efac72003e472e585562f31324303fba53c30b214295482d8a9eb4731a4805e119ce6b5e6ed31

Download Submit
memory/2432-38-0x0000000000400000-0x000000000041B0B7-memory.dmp

Filesize
108KB

Download
memory/2432-39-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2432-41-0x0000000000400000-0x000000000041B0B7-memory.dmp

Filesize
108KB

Download
memory/2620-36-0x0000000000400000-0x000000000041B0B7-memory.dmp

Filesize
108KB

Download
memory/2620-37-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2620-35-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2620-34-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2620-30-0x0000000000400000-0x000000000041B0B7-memory.dmp

Filesize
108KB

Download
memory/2620-40-0x0000000000400000-0x000000000041B0B7-memory.dmp

Filesize
108KB

Download
memory/2904-12-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2904-5-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads