metasploit | 432b4e84ec739ebeac84485407f087223331eaef24c6c7b133c353c618ccec8b

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 17:44

Target

f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll
Size

9KB
MD5

f8772b9a80138cd39a71f4faac388e49
SHA1

407a90f3af90cb6bd8b8fa63990bd71409556da0
SHA256

432b4e84ec739ebeac84485407f087223331eaef24c6c7b133c353c618ccec8b
SHA512

86fa0352c0f14f9bbfeec86905e3c643a7e968a8a610b51c6a9229197d7d394c1c0f7b2d30467ea481f4d8b59315b891d7e419bf9dd785bda962d797e8c06fbf
SSDEEP

96:jQ3Zn/2CiXsLex50FaCRwIvvwF+k4s/DjiWjOr2a0cZYynqjfQaJotQPKu:c/tiXsLecRXvvrASWjOPYHjJotU

Score

10^/10

Family

metasploit

Version

windows/download_exec

http://192.168.1.104:8892/M4yb

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3852 wrote to memory of 3756	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 3756	3852	rundll32.exe	rundll32.exe
PID 3852 wrote to memory of 3756	3852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8772b9a80138cd39a71f4faac388e49_JaffaCakes118.dll,#1
  2⤵
  PID:3756

memory/3756-0-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download