metasploit | d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
Size

158KB
MD5

faeb8d4f45d421415cc765929307a38f
SHA1

8481beef0a651464d70f6f85c8e3fcd21afe1e4e
SHA256

d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03
SHA512

ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a
SSDEEP

3072:SpJDFUXhHxJPzCmyhV5SLI4Jf9xgZlGYN594LzsHJDu:SvDFUxHjbXyhCcgFaXVLeQHJ6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
3064	winds.exe
2736	winds.exe
2428	winds.exe
2444	winds.exe
1680	winds.exe
2160	winds.exe
384	winds.exe
788	winds.exe
1716	winds.exe
856	winds.exe

Loads dropped DLL 40 IoCs

pid	Process
3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
876	Process not Found
876	Process not Found
3064	winds.exe
876	Process not Found
876	Process not Found
3064	winds.exe
2736	winds.exe
2736	winds.exe
876	Process not Found
876	Process not Found
2428	winds.exe
2428	winds.exe
876	Process not Found
876	Process not Found
2444	winds.exe
876	Process not Found
876	Process not Found
2444	winds.exe
1680	winds.exe
1680	winds.exe
876	Process not Found
876	Process not Found
2160	winds.exe
2160	winds.exe
876	Process not Found
876	Process not Found
384	winds.exe
384	winds.exe
876	Process not Found
876	Process not Found
788	winds.exe
876	Process not Found
876	Process not Found
788	winds.exe
1716	winds.exe
876	Process not Found
876	Process not Found
1716	winds.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winds.exe	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3064	3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	28
PID 3064 wrote to memory of 2736	3064	winds.exe	29
PID 3064 wrote to memory of 2736	3064	winds.exe	29
PID 3064 wrote to memory of 2736	3064	winds.exe	29
PID 3064 wrote to memory of 2736	3064	winds.exe	29
PID 2736 wrote to memory of 2428	2736	winds.exe	30
PID 2736 wrote to memory of 2428	2736	winds.exe	30
PID 2736 wrote to memory of 2428	2736	winds.exe	30
PID 2736 wrote to memory of 2428	2736	winds.exe	30
PID 2428 wrote to memory of 2444	2428	winds.exe	33
PID 2428 wrote to memory of 2444	2428	winds.exe	33
PID 2428 wrote to memory of 2444	2428	winds.exe	33
PID 2428 wrote to memory of 2444	2428	winds.exe	33
PID 2444 wrote to memory of 1680	2444	winds.exe	34
PID 2444 wrote to memory of 1680	2444	winds.exe	34
PID 2444 wrote to memory of 1680	2444	winds.exe	34
PID 2444 wrote to memory of 1680	2444	winds.exe	34
PID 1680 wrote to memory of 2160	1680	winds.exe	35
PID 1680 wrote to memory of 2160	1680	winds.exe	35
PID 1680 wrote to memory of 2160	1680	winds.exe	35
PID 1680 wrote to memory of 2160	1680	winds.exe	35
PID 2160 wrote to memory of 384	2160	winds.exe	36
PID 2160 wrote to memory of 384	2160	winds.exe	36
PID 2160 wrote to memory of 384	2160	winds.exe	36
PID 2160 wrote to memory of 384	2160	winds.exe	36
PID 384 wrote to memory of 788	384	winds.exe	37
PID 384 wrote to memory of 788	384	winds.exe	37
PID 384 wrote to memory of 788	384	winds.exe	37
PID 384 wrote to memory of 788	384	winds.exe	37
PID 788 wrote to memory of 1716	788	winds.exe	38
PID 788 wrote to memory of 1716	788	winds.exe	38
PID 788 wrote to memory of 1716	788	winds.exe	38
PID 788 wrote to memory of 1716	788	winds.exe	38
PID 1716 wrote to memory of 856	1716	winds.exe	39
PID 1716 wrote to memory of 856	1716	winds.exe	39
PID 1716 wrote to memory of 856	1716	winds.exe	39
PID 1716 wrote to memory of 856	1716	winds.exe	39

C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\winds.exe
  C:\Windows\system32\winds.exe 476 "C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\winds.exe
    C:\Windows\system32\winds.exe 528 "C:\Windows\SysWOW64\winds.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\winds.exe
      C:\Windows\system32\winds.exe 532 "C:\Windows\SysWOW64\winds.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 536 "C:\Windows\SysWOW64\winds.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 540 "C:\Windows\SysWOW64\winds.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 544 "C:\Windows\SysWOW64\winds.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 548 "C:\Windows\SysWOW64\winds.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 552 "C:\Windows\SysWOW64\winds.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 556 "C:\Windows\SysWOW64\winds.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 576 "C:\Windows\SysWOW64\winds.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winds.exe

Filesize
158KB

MD5
faeb8d4f45d421415cc765929307a38f

SHA1
8481beef0a651464d70f6f85c8e3fcd21afe1e4e

SHA256
d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03

SHA512
ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a

Download Submit
memory/384-64-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/384-66-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/788-74-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/788-72-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/856-91-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/856-89-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1680-50-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1680-48-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1716-80-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1716-88-0x00000000029B0000-0x0000000002AD0000-memory.dmp

Filesize
1.1MB

Download
memory/1716-82-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2160-56-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2160-58-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2428-32-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2428-34-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2444-40-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2444-42-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2736-24-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3012-14-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3012-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3012-11-0x00000000027E0000-0x0000000002900000-memory.dmp

Filesize
1.1MB

Download
memory/3064-23-0x0000000002930000-0x0000000002A50000-memory.dmp

Filesize
1.1MB

Download
memory/3064-12-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download