metasploit | ff46c12456ecb9d60a0e3a3f1504d800471dc06c002287f36e41e03ad7d7ac70

General

Target

fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
Size

15KB
MD5

fc6bcd2d90675df3765fadb40c322c2c
SHA1

26f512df0afb819c8998a1a689c8d4714a825ff0
SHA256

ff46c12456ecb9d60a0e3a3f1504d800471dc06c002287f36e41e03ad7d7ac70
SHA512

b2569f7a6c5997d6222be3468aec53c8a4951e4648d5ceb25d70996fe33faf3d2a8ca8c490159764517e5d85f9aac09a048e3589566688e1e5ea1487a426196e
SSDEEP

192:I8PW8guKnghi2BR8k5PF+nbGG2dqsF7cXlNIFHWMzzwBTjfcor5lzsIWrXOLVWU4:JW84nglBRBl6bG584HUFLcWZs7C9RTS

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

mclean-43290.portmap.host:60886

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2700	2956	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
2820	2504	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1272	2380	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
2276	1112	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1668	2116	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
584	1520	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1960	1208	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe

description	pid	process	target process
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1052
        8⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1056
        7⤵
        Program crash
        
        PID:584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1052
        6⤵
        Program crash
        
        PID:1668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1048
        5⤵
        Program crash
        
        PID:2276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1052
      4⤵
      Program crash
      PID:1272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1048
    3⤵
    - Program crash
    PID:2820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1052
  2⤵
  - Program crash
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-17-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-12-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-29-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-24-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-25-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-20-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-16-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-21-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-13-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-8-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-9-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-5-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-0-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2956-4-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2956-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-28-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing