metasploit | 45ae919666be18fbb9a86eba7731513b8ba187252392cf68f5846e925955f2c8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
Size

383KB
MD5

fb4c111ddf3fdc6a5b7ffe7073816562
SHA1

3b027b3dc3357fddc43fd1c2ac5f75e8453c6712
SHA256

45ae919666be18fbb9a86eba7731513b8ba187252392cf68f5846e925955f2c8
SHA512

ecd3cae9f128cc8e43911a93b436c894cbfbc35bee431036aee6bebcd0f4930abc8bc846cde17ac0eb62f90d4418dbdc9317a845ee3a4a694e81596a252d0fc1
SSDEEP

6144:Kmrid57rT9V2kWI3G7smpC3bJ544hI0J4lZWp70BsoH8qEZ+C01k4pdvODymlhkY:Km2v7HT3stpOy/lZWkcJ+CqFODycaC

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 2 IoCs

Processes:

awcidr.exehtcf.exe

pid process

408 awcidr.exe
4116 htcf.exe

pid	process
408	awcidr.exe
4116	htcf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe

description	pid	process	target process
PID 2880 wrote to memory of 408	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	awcidr.exe
PID 2880 wrote to memory of 408	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	awcidr.exe
PID 2880 wrote to memory of 408	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	awcidr.exe
PID 2880 wrote to memory of 4116	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	htcf.exe
PID 2880 wrote to memory of 4116	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	htcf.exe
PID 2880 wrote to memory of 4116	2880	fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe	htcf.exe

C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb4c111ddf3fdc6a5b7ffe7073816562_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\awcidr.exe
C:\Users\Admin\AppData\Local\Temp\awcidr.exe
2⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\htcf.exe
C:\Users\Admin\AppData\Local\Temp\htcf.exe
2⤵
- Executes dropped EXE
PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\awcidr.exe
Filesize
328KB

MD5
1482cf184afd0e7f9c59c42382201b4a

SHA1
baff10fb5f766f6c49ad27288f7e221428f17c37

SHA256
37d470d9d2088b24a73b885f2fe6ce52eabec12919756a4c6d06e7ea5b6d70ef

SHA512
62ab5bd47695a3ee92a280ffe380487840c888d647e3a06bc45c909ae40dbdb8d688963342fa060f2ecfd9a1f922a8d2f471ea6fc5b586bcdb2ed33b603b1ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\htcf.exe
Filesize
52KB

MD5
6b0d03f641ee2a2401bef42da22fde1a

SHA1
a55c2a62c3d15f89673364fab8b820e1fe66262c

SHA256
1558d850b6f28eea5684a196966bcbf06aac0ac3abdb86b571355ca41f216481

SHA512
4a0fb4da35725b7657e8510bc8767f3695f2bb327c54a2202d68339f60e05675887d1afd9f506435f4bb9f200c6ef82c55b4cfb4eb9841aa3deaac3169a0ccf3

Download Submit
memory/408-8-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/408-9-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/408-13-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/408-17-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/408-18-0x00000000024D0000-0x0000000002787000-memory.dmp

Filesize
2.7MB

Download
memory/4116-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-11-0x0000000000590000-0x00000000005D2000-memory.dmp

Filesize
264KB

Download
memory/4116-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-20-0x0000000000590000-0x00000000005D2000-memory.dmp

Filesize
264KB

Download