metasploit | e39af0ec5806f9667476d8d519cb1c8decc1a307fada663a67a5cd973180b4ed | Triage

Submit
Reports

Overview

overview

Static

static

7

fe9caffa1d...18.exe

windows7-x64

fe9caffa1d...18.exe

windows10-2004-x64

Sharing

General

Target

fe9caffa1d2374aabb3a26ff8897d387_JaffaCakes118
Size

177KB
Sample

240421-gs7rtsda43
MD5

fe9caffa1d2374aabb3a26ff8897d387
SHA1

1e206db58659d005e3a5bc666f2c5409fc671efe
SHA256

e39af0ec5806f9667476d8d519cb1c8decc1a307fada663a67a5cd973180b4ed
SHA512

8c02427428786a26fedffeb0a32dbef1035a005e7ffabbf7ff9a4f29c6eb2f4267a0f64d65b2897dce8ee587b8e0f37edb9ffc3064d163ea57e631ded953b8a3
SSDEEP

3072:1CqstM6xlOcA7w4xabrXL1yn8BG0a6Va2j6pZd2iYk9Hc3/nl6LAHkzI1U0gEA6F:ctMilOK4x27L1g2G0vVT6pZMzk96RAA

Score

10^/10

metasploit backdoor persistence trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

fe9caffa1d2374aabb3a26ff8897d387_JaffaCakes118.exe

Resource

win7-20240221-en

metasploit backdoor persistence trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

fe9caffa1d2374aabb3a26ff8897d387_JaffaCakes118.exe

Resource

win10v2004-20240412-en

metasploit backdoor persistence trojan upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  fe9caffa1d2374aabb3a26ff8897d387_JaffaCakes118
- Size
  
  177KB
- MD5
  
  fe9caffa1d2374aabb3a26ff8897d387
- SHA1
  
  1e206db58659d005e3a5bc666f2c5409fc671efe
- SHA256
  
  e39af0ec5806f9667476d8d519cb1c8decc1a307fada663a67a5cd973180b4ed
- SHA512
  
  8c02427428786a26fedffeb0a32dbef1035a005e7ffabbf7ff9a4f29c6eb2f4267a0f64d65b2897dce8ee587b8e0f37edb9ffc3064d163ea57e631ded953b8a3
- SSDEEP
  
  3072:1CqstM6xlOcA7w4xabrXL1yn8BG0a6Va2j6pZd2iYk9Hc3/nl6LAHkzI1U0gEA6F:ctMilOK4x27L1g2G0vVT6pZMzk96RAA
Score

10^/10

metasploit backdoor persistence trojan upx
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

metasploitbackdoorpersistencetrojanupx

behavioral2

metasploitbackdoorpersistencetrojanupx

© 2018-2024

Terms | Privacy