metasploit | d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
Size

158KB
MD5

faeb8d4f45d421415cc765929307a38f
SHA1

8481beef0a651464d70f6f85c8e3fcd21afe1e4e
SHA256

d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03
SHA512

ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a
SSDEEP

3072:SpJDFUXhHxJPzCmyhV5SLI4Jf9xgZlGYN594LzsHJDu:SvDFUxHjbXyhCcgFaXVLeQHJ6

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
4972	winds.exe
4960	winds.exe
456	winds.exe
4780	winds.exe
4396	winds.exe
3168	winds.exe
4460	winds.exe
1260	winds.exe
632	winds.exe
4836	winds.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe
File opened for modification	C:\Windows\SysWOW64\winds.exe	winds.exe
File created	C:\Windows\SysWOW64\winds.exe	winds.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4972	316	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	87
PID 316 wrote to memory of 4972	316	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	87
PID 316 wrote to memory of 4972	316	faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe	87
PID 4972 wrote to memory of 4960	4972	winds.exe	99
PID 4972 wrote to memory of 4960	4972	winds.exe	99
PID 4972 wrote to memory of 4960	4972	winds.exe	99
PID 4960 wrote to memory of 456	4960	winds.exe	101
PID 4960 wrote to memory of 456	4960	winds.exe	101
PID 4960 wrote to memory of 456	4960	winds.exe	101
PID 456 wrote to memory of 4780	456	winds.exe	104
PID 456 wrote to memory of 4780	456	winds.exe	104
PID 456 wrote to memory of 4780	456	winds.exe	104
PID 4780 wrote to memory of 4396	4780	winds.exe	105
PID 4780 wrote to memory of 4396	4780	winds.exe	105
PID 4780 wrote to memory of 4396	4780	winds.exe	105
PID 4396 wrote to memory of 3168	4396	winds.exe	108
PID 4396 wrote to memory of 3168	4396	winds.exe	108
PID 4396 wrote to memory of 3168	4396	winds.exe	108
PID 3168 wrote to memory of 4460	3168	winds.exe	109
PID 3168 wrote to memory of 4460	3168	winds.exe	109
PID 3168 wrote to memory of 4460	3168	winds.exe	109
PID 4460 wrote to memory of 1260	4460	winds.exe	110
PID 4460 wrote to memory of 1260	4460	winds.exe	110
PID 4460 wrote to memory of 1260	4460	winds.exe	110
PID 1260 wrote to memory of 632	1260	winds.exe	113
PID 1260 wrote to memory of 632	1260	winds.exe	113
PID 1260 wrote to memory of 632	1260	winds.exe	113
PID 632 wrote to memory of 4836	632	winds.exe	118
PID 632 wrote to memory of 4836	632	winds.exe	118
PID 632 wrote to memory of 4836	632	winds.exe	118

C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\winds.exe
  C:\Windows\system32\winds.exe 1032 "C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\winds.exe
    C:\Windows\system32\winds.exe 1152 "C:\Windows\SysWOW64\winds.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\winds.exe
      C:\Windows\system32\winds.exe 1128 "C:\Windows\SysWOW64\winds.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:456
    - - C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1124 "C:\Windows\SysWOW64\winds.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1136 "C:\Windows\SysWOW64\winds.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1132 "C:\Windows\SysWOW64\winds.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1144 "C:\Windows\SysWOW64\winds.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1140 "C:\Windows\SysWOW64\winds.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1148 "C:\Windows\SysWOW64\winds.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\winds.exe
        
        C:\Windows\system32\winds.exe 1164 "C:\Windows\SysWOW64\winds.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winds.exe

Filesize
158KB

MD5
faeb8d4f45d421415cc765929307a38f

SHA1
8481beef0a651464d70f6f85c8e3fcd21afe1e4e

SHA256
d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03

SHA512
ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a

Download Submit
memory/316-8-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/316-0-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/456-16-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/632-37-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/632-35-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1260-33-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3168-25-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3168-27-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4396-23-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4460-30-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4780-18-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4780-20-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4836-40-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4960-13-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4960-11-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4972-9-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4972-7-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads