metasploit | 7fc428d3d81f070ddadaa04b22268f0c48513c07a6cb8bb981c5a0b53c7a5ee3

General

Target

f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
Size

294KB
MD5

f7ccad9ff12aa38a3b2b9887485cad56
SHA1

78d71be9e51d25754bd148b1ac168dbcb92c6184
SHA256

7fc428d3d81f070ddadaa04b22268f0c48513c07a6cb8bb981c5a0b53c7a5ee3
SHA512

8e6c629637260e76c802c219442d2de34bb08f3dab26a77376d725eb31c888e49bae58176197e2660d0f06a1806c13e7eebebadc5ae908be963c6aabca5438f1
SSDEEP

6144:FpjkUdnUwHP0Ea+DppEBpZ+uIb1u1wyguu:FpjkUBLJa+DTYD+n6Lru

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 20 IoCs

Processes:

stmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exe

pid	process
2460	stmea.exe
2556	stmea.exe
2672	stmea.exe
2376	stmea.exe
1876	stmea.exe
1100	stmea.exe
1960	stmea.exe
752	stmea.exe
2016	stmea.exe
1556	stmea.exe
1752	stmea.exe
1624	stmea.exe
2984	stmea.exe
2844	stmea.exe
340	stmea.exe
944	stmea.exe
2256	stmea.exe
2940	stmea.exe
876	stmea.exe
2316	stmea.exe

Loads dropped DLL 21 IoCs

Processes:

f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exe

pid	process
2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
2460	stmea.exe
2556	stmea.exe
2556	stmea.exe
2376	stmea.exe
2376	stmea.exe
1100	stmea.exe
1100	stmea.exe
752	stmea.exe
752	stmea.exe
1556	stmea.exe
1556	stmea.exe
1624	stmea.exe
1624	stmea.exe
2844	stmea.exe
2844	stmea.exe
944	stmea.exe
944	stmea.exe
2940	stmea.exe
2940	stmea.exe

Drops file in System32 directory 22 IoCs

Processes:

stmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exef7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exestmea.exestmea.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File opened for modification	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe
File created	C:\Windows\SysWOW64\stmea.exe	stmea.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exe

description	pid	process	target process
PID 2212 set thread context of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2460 set thread context of 2556	2460	stmea.exe	stmea.exe
PID 2672 set thread context of 2376	2672	stmea.exe	stmea.exe
PID 1876 set thread context of 1100	1876	stmea.exe	stmea.exe
PID 1960 set thread context of 752	1960	stmea.exe	stmea.exe
PID 2016 set thread context of 1556	2016	stmea.exe	stmea.exe
PID 1752 set thread context of 1624	1752	stmea.exe	stmea.exe
PID 2984 set thread context of 2844	2984	stmea.exe	stmea.exe
PID 340 set thread context of 944	340	stmea.exe	stmea.exe
PID 2256 set thread context of 2940	2256	stmea.exe	stmea.exe
PID 876 set thread context of 2316	876	stmea.exe	stmea.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exef7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exestmea.exe

description	pid	process	target process
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2212 wrote to memory of 2228	2212	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
PID 2228 wrote to memory of 2460	2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	stmea.exe
PID 2228 wrote to memory of 2460	2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	stmea.exe
PID 2228 wrote to memory of 2460	2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	stmea.exe
PID 2228 wrote to memory of 2460	2228	f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2460 wrote to memory of 2556	2460	stmea.exe	stmea.exe
PID 2556 wrote to memory of 2672	2556	stmea.exe	stmea.exe
PID 2556 wrote to memory of 2672	2556	stmea.exe	stmea.exe
PID 2556 wrote to memory of 2672	2556	stmea.exe	stmea.exe
PID 2556 wrote to memory of 2672	2556	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2672 wrote to memory of 2376	2672	stmea.exe	stmea.exe
PID 2376 wrote to memory of 1876	2376	stmea.exe	stmea.exe
PID 2376 wrote to memory of 1876	2376	stmea.exe	stmea.exe
PID 2376 wrote to memory of 1876	2376	stmea.exe	stmea.exe
PID 2376 wrote to memory of 1876	2376	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1876 wrote to memory of 1100	1876	stmea.exe	stmea.exe
PID 1100 wrote to memory of 1960	1100	stmea.exe	stmea.exe
PID 1100 wrote to memory of 1960	1100	stmea.exe	stmea.exe
PID 1100 wrote to memory of 1960	1100	stmea.exe	stmea.exe
PID 1100 wrote to memory of 1960	1100	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 1960 wrote to memory of 752	1960	stmea.exe	stmea.exe
PID 752 wrote to memory of 2016	752	stmea.exe	stmea.exe
PID 752 wrote to memory of 2016	752	stmea.exe	stmea.exe
PID 752 wrote to memory of 2016	752	stmea.exe	stmea.exe
PID 752 wrote to memory of 2016	752	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 2016 wrote to memory of 1556	2016	stmea.exe	stmea.exe
PID 1556 wrote to memory of 1752	1556	stmea.exe	stmea.exe
PID 1556 wrote to memory of 1752	1556	stmea.exe	stmea.exe
PID 1556 wrote to memory of 1752	1556	stmea.exe	stmea.exe
PID 1556 wrote to memory of 1752	1556	stmea.exe	stmea.exe
PID 1752 wrote to memory of 1624	1752	stmea.exe	stmea.exe
PID 1752 wrote to memory of 1624	1752	stmea.exe	stmea.exe
PID 1752 wrote to memory of 1624	1752	stmea.exe	stmea.exe
PID 1752 wrote to memory of 1624	1752	stmea.exe	stmea.exe

C:\Users\Admin\AppData\Local\Temp\f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 536 "C:\Users\Admin\AppData\Local\Temp\f7ccad9ff12aa38a3b2b9887485cad56_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 524 "C:\Windows\SysWOW64\stmea.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 540 "C:\Windows\SysWOW64\stmea.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 536 "C:\Windows\SysWOW64\stmea.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 524 "C:\Windows\SysWOW64\stmea.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 524 "C:\Windows\SysWOW64\stmea.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 532 "C:\Windows\SysWOW64\stmea.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2984

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2844

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 536 "C:\Windows\SysWOW64\stmea.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:340

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:944

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 524 "C:\Windows\SysWOW64\stmea.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2256

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2940

C:\Windows\SysWOW64\stmea.exe
C:\Windows\system32\stmea.exe 524 "C:\Windows\SysWOW64\stmea.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:876

C:\Windows\SysWOW64\stmea.exe
C:\Windows\SysWOW64\stmea.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\stmea.exe
Filesize
294KB

MD5
f7ccad9ff12aa38a3b2b9887485cad56

SHA1
78d71be9e51d25754bd148b1ac168dbcb92c6184

SHA256
7fc428d3d81f070ddadaa04b22268f0c48513c07a6cb8bb981c5a0b53c7a5ee3

SHA512
8e6c629637260e76c802c219442d2de34bb08f3dab26a77376d725eb31c888e49bae58176197e2660d0f06a1806c13e7eebebadc5ae908be963c6aabca5438f1

Download Submit
memory/340-119-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/752-82-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/752-69-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/944-123-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/944-135-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1100-55-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1100-68-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1556-96-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1556-83-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1624-109-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1624-97-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1752-93-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/1876-51-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/1960-65-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/2016-79-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/2212-4-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/2228-7-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2228-29-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2228-3-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2228-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2228-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2316-149-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2376-42-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2376-54-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2460-26-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/2556-40-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2556-28-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2672-38-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/2844-122-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2844-110-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2940-136-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2940-148-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2984-106-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads