metasploit | 8b2e5890687ce54f8ed6b9aac54b0cab0b051c724961b0d3ab22d8b4ef8b7c40

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
Size

102KB
MD5

f7c288227694f2c5b88d411c576b5213
SHA1

08541911d55f1bd8e3981f21fde0378d7c553f51
SHA256

8b2e5890687ce54f8ed6b9aac54b0cab0b051c724961b0d3ab22d8b4ef8b7c40
SHA512

62ee17a6d5e50d2c4649818c626fd3351c85ffc6f8514c8928ca711f8997aa8f0105d2f788f50f30f2db2adf886568d929f13d33f3ce86c014019fd749a4ade3
SSDEEP

3072:LEvW22Z2DdSKp9mGelKwybYFJ8ldPihkGAmGnZE:L1kDdSG9xelZybYJQihkGr

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

127.0.0.1:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

fichier.exe

pid process

960 fichier.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
960	fichier.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe

description	pid	process	target process
PID 4164 wrote to memory of 960	4164	f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe	fichier.exe
PID 4164 wrote to memory of 960	4164	f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe	fichier.exe
PID 4164 wrote to memory of 960	4164	f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe	fichier.exe

C:\Users\Admin\AppData\Local\Temp\f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7c288227694f2c5b88d411c576b5213_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\fichier.exe
"C:\Users\Admin\AppData\Local\Temp\fichier.exe"
2⤵
- Executes dropped EXE
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fichier.exe
Filesize
72KB

MD5
4324fb11eed4acde74918ee55b4029e0

SHA1
92c61bb4817fd95b4f09130cf56bc946a417ce45

SHA256
1ba1e4b8fcffb12874f86ec8d459fd963fc063f6ffdc3b4d38cd0cf813ad4a1f

SHA512
92149c4d81e4087fb1d7ce3a5aba76475ec247516d5c52d3f02ec9092df80e87ee816fbe2f8f6d5404bb6670fe21c42bdb2db1b0a6c50d415b8fe583affc6ee1

Download Submit
memory/960-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4164-0-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/4164-1-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/4164-2-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/4164-3-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/4164-4-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/4164-5-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4164-6-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4164-7-0x00000000052F0000-0x0000000005346000-memory.dmp

Filesize
344KB

Download
memory/4164-21-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download