metasploit | ff46c12456ecb9d60a0e3a3f1504d800471dc06c002287f36e41e03ad7d7ac70

General

Target

fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
Size

15KB
MD5

fc6bcd2d90675df3765fadb40c322c2c
SHA1

26f512df0afb819c8998a1a689c8d4714a825ff0
SHA256

ff46c12456ecb9d60a0e3a3f1504d800471dc06c002287f36e41e03ad7d7ac70
SHA512

b2569f7a6c5997d6222be3468aec53c8a4951e4648d5ceb25d70996fe33faf3d2a8ca8c490159764517e5d85f9aac09a048e3589566688e1e5ea1487a426196e
SSDEEP

192:I8PW8guKnghi2BR8k5PF+nbGG2dqsF7cXlNIFHWMzzwBTjfcor5lzsIWrXOLVWU4:JW84nglBRBl6bG584HUFLcWZs7C9RTS

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp_dns

C2

mclean-43290.portmap.host:60886

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2700	2956	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
2820	2504	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1272	2380	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
2276	1112	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1668	2116	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
584	1520	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
1960	1208	WerFault.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exefc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe

description	pid	process	target process
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2504	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2956 wrote to memory of 2700	2956	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2380	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2504 wrote to memory of 2820	2504	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1112	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2380 wrote to memory of 1272	2380	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2116	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1112 wrote to memory of 2276	1112	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1520	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 2116 wrote to memory of 1668	2116	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 1208	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1520 wrote to memory of 584	1520	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 3052	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe
PID 1208 wrote to memory of 1960	1208	fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6bcd2d90675df3765fadb40c322c2c_JaffaCakes118.exe"
8⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1052
8⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1056
7⤵
- Program crash
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1052
6⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1048
5⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1052
4⤵
- Program crash
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1048
3⤵
- Program crash
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1052
2⤵
- Program crash
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-17-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-12-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-29-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1208-24-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-25-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1520-20-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-16-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-21-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-13-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-8-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-9-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-5-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-0-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/2956-4-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2956-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/3052-28-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing