metasploit | 5650ade1fa0db87b3afb26bfc4838d3aafe0ed49df027db5cb89cbc116cfd920

General

Target

ff4052469c915086816181d508b461f5_JaffaCakes118.exe
Size

107KB
MD5

ff4052469c915086816181d508b461f5
SHA1

96c2b1560303836e83ad2a61fb41ef7bd27baa9c
SHA256

5650ade1fa0db87b3afb26bfc4838d3aafe0ed49df027db5cb89cbc116cfd920
SHA512

8f01e8a4226a060fe83e91dedb99f3480348eab57358f7301102e7ec9797130393d93ce431d665315ab71b51bf64311756c5eb32667be7b9731606cf40822456
SSDEEP

3072:4TInoF0+6Fkg9fErUgQpk6h54CN1foZejnD6:4TInx+OV9srUgl6hKCrfoZGD6

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe"	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ff4052469c915086816181d508b461f5_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

jodrive32.exejodrive32.exe

pid process

1984 jodrive32.exe
2556 jodrive32.exe

pid	process
1984	jodrive32.exe
2556	jodrive32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Config Setup = "C:\\Windows\\jodrive32.exe"	ff4052469c915086816181d508b461f5_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exejodrive32.exe

description	pid	process	target process
PID 2188 set thread context of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 1984 set thread context of 2556	1984	jodrive32.exe	jodrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exejodrive32.exe

description	ioc	process
File created	C:\Windows\jodrive32.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
File opened for modification	C:\Windows\jodrive32.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
File created	C:\Windows\%windir%\eilfiie32.log	jodrive32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exe

pid process

1708 ff4052469c915086816181d508b461f5_JaffaCakes118.exe
1708 ff4052469c915086816181d508b461f5_JaffaCakes118.exe

pid	process
1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ff4052469c915086816181d508b461f5_JaffaCakes118.exeff4052469c915086816181d508b461f5_JaffaCakes118.exejodrive32.exe

description	pid	process	target process
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 2188 wrote to memory of 1708	2188	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	ff4052469c915086816181d508b461f5_JaffaCakes118.exe
PID 1708 wrote to memory of 1984	1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	jodrive32.exe
PID 1708 wrote to memory of 1984	1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	jodrive32.exe
PID 1708 wrote to memory of 1984	1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	jodrive32.exe
PID 1708 wrote to memory of 1984	1708	ff4052469c915086816181d508b461f5_JaffaCakes118.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe
PID 1984 wrote to memory of 2556	1984	jodrive32.exe	jodrive32.exe

C:\Users\Admin\AppData\Local\Temp\ff4052469c915086816181d508b461f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff4052469c915086816181d508b461f5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\ff4052469c915086816181d508b461f5_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ff4052469c915086816181d508b461f5_JaffaCakes118.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\jodrive32.exe
"C:\Windows\jodrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\jodrive32.exe
C:\Windows\jodrive32.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\jodrive32.exe
Filesize
107KB

MD5
ff4052469c915086816181d508b461f5

SHA1
96c2b1560303836e83ad2a61fb41ef7bd27baa9c

SHA256
5650ade1fa0db87b3afb26bfc4838d3aafe0ed49df027db5cb89cbc116cfd920

SHA512
8f01e8a4226a060fe83e91dedb99f3480348eab57358f7301102e7ec9797130393d93ce431d665315ab71b51bf64311756c5eb32667be7b9731606cf40822456

Download Submit
memory/1708-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-3-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1708-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1984-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2188-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-22-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-20-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2556-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads