metasploit | 2d72ace2d765c9ff37bd1d1f2370153713beb3ca8e8194db7624bc54f3e32d4a

General

Target

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
Size

57KB
MD5

fe00bff7669498b5844dd116f7f3b75a
SHA1

eabca6f8d0fcba1c214ac6ad9fbc7b3dee39d366
SHA256

2d72ace2d765c9ff37bd1d1f2370153713beb3ca8e8194db7624bc54f3e32d4a
SHA512

089fc880dd7b9626340b37cf6ce7b742179c41625362c054eae807585dfc74400689b56e83906bc902330b969cab1960b57acd619c771f03e8c80fc1fb279a7d
SSDEEP

768:uB5w5TqbKEG843lYw4iPlHVZWmw4iPlHVZWUMwSDwr095qgfkVW9XZxUDMFvDS:W5w5T8L8lB7PL27PLawYOYM6T9X/UDg

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

aadrive32.exeaadrive32.exe

pid process

3044 aadrive32.exe
2652 aadrive32.exe

pid	process
3044	aadrive32.exe
2652	aadrive32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exeaadrive32.exe

description	pid	process	target process
PID 2904 set thread context of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 3044 set thread context of 2652	3044	aadrive32.exe	aadrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exeaadrive32.exe

description	ioc	process
File created	C:\Windows\aadrive32.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
File opened for modification	C:\Windows\aadrive32.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
File created	C:\Windows\%windir%\lfffile32.log	aadrive32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

pid process

1432 fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
1432 fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

pid	process
1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exefe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exeaadrive32.exe

description	pid	process	target process
PID 2904 wrote to memory of 2212	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	splwow64.exe
PID 2904 wrote to memory of 2212	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	splwow64.exe
PID 2904 wrote to memory of 2212	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	splwow64.exe
PID 2904 wrote to memory of 2212	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	splwow64.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 2904 wrote to memory of 1432	2904	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
PID 1432 wrote to memory of 3044	1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	aadrive32.exe
PID 1432 wrote to memory of 3044	1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	aadrive32.exe
PID 1432 wrote to memory of 3044	1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	aadrive32.exe
PID 1432 wrote to memory of 3044	1432	fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe
PID 3044 wrote to memory of 2652	3044	aadrive32.exe	aadrive32.exe

C:\Users\Admin\AppData\Local\Temp\fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe00bff7669498b5844dd116f7f3b75a_JaffaCakes118.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\aadrive32.exe
Filesize
57KB

MD5
fe00bff7669498b5844dd116f7f3b75a

SHA1
eabca6f8d0fcba1c214ac6ad9fbc7b3dee39d366

SHA256
2d72ace2d765c9ff37bd1d1f2370153713beb3ca8e8194db7624bc54f3e32d4a

SHA512
089fc880dd7b9626340b37cf6ce7b742179c41625362c054eae807585dfc74400689b56e83906bc902330b969cab1960b57acd619c771f03e8c80fc1fb279a7d

Download Submit
memory/1432-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-6-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1432-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-42-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-50-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-51-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads