metasploit | 6a01c65115ec62f2df8c56b144809be78d0682d80e239f24358503c72cf05b5f | Triage

Submit
Reports

Overview

overview

Static

static

3

fa449eb591...18.exe

windows7-x64

fa449eb591...18.exe

windows10-2004-x64

5

Sharing

General

Target

fa449eb5918266827fb35e3e71c46600_JaffaCakes118
Size

176KB
Sample

240419-pct5sscc8z
MD5

fa449eb5918266827fb35e3e71c46600
SHA1

d364433027c351a03d4d0fb8b3d91ada2613e7f2
SHA256

6a01c65115ec62f2df8c56b144809be78d0682d80e239f24358503c72cf05b5f
SHA512

104a440612b30d136ad6672765e11674ead933a5af7397a621d7c91cbbc84710a8f49725b96212c19a44314a8925a7039343ffd0446a44d382d713a4f93f1b5f
SSDEEP

3072:4fynmfCxlg33qXLfdeOerSxqOZ85SX3ahLntvLV6AdF98:wym/6bfdebSxprHa9PO

Score

10^/10

metasploit backdoor evasion persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fa449eb5918266827fb35e3e71c46600_JaffaCakes118.exe

Resource

win7-20240221-en

metasploit backdoor evasion persistence trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

fa449eb5918266827fb35e3e71c46600_JaffaCakes118.exe

Resource

win10v2004-20240412-en

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  fa449eb5918266827fb35e3e71c46600_JaffaCakes118
- Size
  
  176KB
- MD5
  
  fa449eb5918266827fb35e3e71c46600
- SHA1
  
  d364433027c351a03d4d0fb8b3d91ada2613e7f2
- SHA256
  
  6a01c65115ec62f2df8c56b144809be78d0682d80e239f24358503c72cf05b5f
- SHA512
  
  104a440612b30d136ad6672765e11674ead933a5af7397a621d7c91cbbc84710a8f49725b96212c19a44314a8925a7039343ffd0446a44d382d713a4f93f1b5f
- SSDEEP
  
  3072:4fynmfCxlg33qXLfdeOerSxqOZ85SX3ahLntvLV6AdF98:wym/6bfdebSxprHa9PO
Score

10^/10

metasploit backdoor evasion persistence trojan upx
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies firewall policy service
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

metasploitbackdoorevasionpersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy