metasploit | c698d40d6eddb2c9ce0d007151b58586b953e0fdb146841c0059b068505847b0

General

Target

fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
Size

157KB
MD5

fd2463d1a867f44889f399c54ed346a9
SHA1

d416792bc2d08fb16f2f3ae52d37f068f811793e
SHA256

c698d40d6eddb2c9ce0d007151b58586b953e0fdb146841c0059b068505847b0
SHA512

4d241d28d24f10fbce9951044fa4f6083459e3bb2d02709c9d6f2c5b612d52156e2daf78c7408622b7633ea8143a29ea58fcf68c5bc57c811ab672c9078f82a3
SSDEEP

3072:JYAq+Bt0h0phE8M4qTvpmwEBn3Obl4kUGE84NXafY:JYtipO4qTvwwm0KD/eY

Score

10^/10

metasploit aspackv2 backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\tsqla.exe	aspack_v212_v242

Executes dropped EXE 10 IoCs

Processes:

tsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exe

pid process

2280 tsqla.exe
2592 tsqla.exe
2460 tsqla.exe
2512 tsqla.exe
2160 tsqla.exe
800 tsqla.exe
2324 tsqla.exe
2060 tsqla.exe
1284 tsqla.exe
1796 tsqla.exe

pid	process
2280	tsqla.exe
2592	tsqla.exe
2460	tsqla.exe
2512	tsqla.exe
2160	tsqla.exe
800	tsqla.exe
2324	tsqla.exe
2060	tsqla.exe
1284	tsqla.exe
1796	tsqla.exe

Loads dropped DLL 20 IoCs

Processes:

fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exe

pid	process
1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
2280	tsqla.exe
2280	tsqla.exe
2592	tsqla.exe
2592	tsqla.exe
2460	tsqla.exe
2460	tsqla.exe
2512	tsqla.exe
2512	tsqla.exe
2160	tsqla.exe
2160	tsqla.exe
800	tsqla.exe
800	tsqla.exe
2324	tsqla.exe
2324	tsqla.exe
2060	tsqla.exe
2060	tsqla.exe
1284	tsqla.exe
1284	tsqla.exe

Drops file in System32 directory 22 IoCs

Processes:

tsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exefd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exetsqla.exetsqla.exetsqla.exetsqla.exe

description	ioc	process
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exetsqla.exe

description	pid	process	target process
PID 1808 wrote to memory of 2280	1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe	tsqla.exe
PID 1808 wrote to memory of 2280	1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe	tsqla.exe
PID 1808 wrote to memory of 2280	1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe	tsqla.exe
PID 1808 wrote to memory of 2280	1808	fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe	tsqla.exe
PID 2280 wrote to memory of 2592	2280	tsqla.exe	tsqla.exe
PID 2280 wrote to memory of 2592	2280	tsqla.exe	tsqla.exe
PID 2280 wrote to memory of 2592	2280	tsqla.exe	tsqla.exe
PID 2280 wrote to memory of 2592	2280	tsqla.exe	tsqla.exe
PID 2592 wrote to memory of 2460	2592	tsqla.exe	tsqla.exe
PID 2592 wrote to memory of 2460	2592	tsqla.exe	tsqla.exe
PID 2592 wrote to memory of 2460	2592	tsqla.exe	tsqla.exe
PID 2592 wrote to memory of 2460	2592	tsqla.exe	tsqla.exe
PID 2460 wrote to memory of 2512	2460	tsqla.exe	tsqla.exe
PID 2460 wrote to memory of 2512	2460	tsqla.exe	tsqla.exe
PID 2460 wrote to memory of 2512	2460	tsqla.exe	tsqla.exe
PID 2460 wrote to memory of 2512	2460	tsqla.exe	tsqla.exe
PID 2512 wrote to memory of 2160	2512	tsqla.exe	tsqla.exe
PID 2512 wrote to memory of 2160	2512	tsqla.exe	tsqla.exe
PID 2512 wrote to memory of 2160	2512	tsqla.exe	tsqla.exe
PID 2512 wrote to memory of 2160	2512	tsqla.exe	tsqla.exe
PID 2160 wrote to memory of 800	2160	tsqla.exe	tsqla.exe
PID 2160 wrote to memory of 800	2160	tsqla.exe	tsqla.exe
PID 2160 wrote to memory of 800	2160	tsqla.exe	tsqla.exe
PID 2160 wrote to memory of 800	2160	tsqla.exe	tsqla.exe
PID 800 wrote to memory of 2324	800	tsqla.exe	tsqla.exe
PID 800 wrote to memory of 2324	800	tsqla.exe	tsqla.exe
PID 800 wrote to memory of 2324	800	tsqla.exe	tsqla.exe
PID 800 wrote to memory of 2324	800	tsqla.exe	tsqla.exe
PID 2324 wrote to memory of 2060	2324	tsqla.exe	tsqla.exe
PID 2324 wrote to memory of 2060	2324	tsqla.exe	tsqla.exe
PID 2324 wrote to memory of 2060	2324	tsqla.exe	tsqla.exe
PID 2324 wrote to memory of 2060	2324	tsqla.exe	tsqla.exe
PID 2060 wrote to memory of 1284	2060	tsqla.exe	tsqla.exe
PID 2060 wrote to memory of 1284	2060	tsqla.exe	tsqla.exe
PID 2060 wrote to memory of 1284	2060	tsqla.exe	tsqla.exe
PID 2060 wrote to memory of 1284	2060	tsqla.exe	tsqla.exe
PID 1284 wrote to memory of 1796	1284	tsqla.exe	tsqla.exe
PID 1284 wrote to memory of 1796	1284	tsqla.exe	tsqla.exe
PID 1284 wrote to memory of 1796	1284	tsqla.exe	tsqla.exe
PID 1284 wrote to memory of 1796	1284	tsqla.exe	tsqla.exe

C:\Users\Admin\AppData\Local\Temp\fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 500 "C:\Users\Admin\AppData\Local\Temp\fd2463d1a867f44889f399c54ed346a9_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 528 "C:\Windows\SysWOW64\tsqla.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 540 "C:\Windows\SysWOW64\tsqla.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 532 "C:\Windows\SysWOW64\tsqla.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 548 "C:\Windows\SysWOW64\tsqla.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 536 "C:\Windows\SysWOW64\tsqla.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 524 "C:\Windows\SysWOW64\tsqla.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 556 "C:\Windows\SysWOW64\tsqla.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 552 "C:\Windows\SysWOW64\tsqla.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\tsqla.exe
C:\Windows\system32\tsqla.exe 564 "C:\Windows\SysWOW64\tsqla.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tsqla.exe
Filesize
157KB

MD5
fd2463d1a867f44889f399c54ed346a9

SHA1
d416792bc2d08fb16f2f3ae52d37f068f811793e

SHA256
c698d40d6eddb2c9ce0d007151b58586b953e0fdb146841c0059b068505847b0

SHA512
4d241d28d24f10fbce9951044fa4f6083459e3bb2d02709c9d6f2c5b612d52156e2daf78c7408622b7633ea8143a29ea58fcf68c5bc57c811ab672c9078f82a3

Download Submit
memory/800-37-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/1284-52-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/1796-57-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/1808-11-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2060-47-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2160-32-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2280-12-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2324-42-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2460-22-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2512-27-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download
memory/2592-17-0x0000000000400000-0x0000000000A12000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads