metasploit | 036392b3db2f58b414fa99bd4ff3b6b9d6aaea749bd9da3bca93714268070091

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 10:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
Size

4.6MB
MD5

0503c0bd8abd3259151442e3d38d6e0c
SHA1

21aff5d39bfea185cab98ded5ea2e12d2a44d642
SHA256

036392b3db2f58b414fa99bd4ff3b6b9d6aaea749bd9da3bca93714268070091
SHA512

db2e77e131a3acec84adb265f23df211f44032b37cdc9689c1d3fd232237d66b6cf81b3a84226571ef91d86d75ac8713e777b9cd83faf5fe5458276f2dca1567
SSDEEP

98304:/FHQcsibw8SPLeTtSQo598DERxrfExYza/FpJHFX5dFs0:NwcXMHLKyGtxVTZvb

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

177.89.155.49:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 4 IoCs

pid	Process
2984	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
2984	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
2984	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
2984	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2984	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2984	3044	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2984	3044	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2984	3044	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe	28
PID 3044 wrote to memory of 2984	3044	0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0503c0bd8abd3259151442e3d38d6e0c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30442\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30442\_ctypes.pyd

Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30442\base_library.zip

Filesize
717KB

MD5
9460232d66d279c515a9dfcef2e2d71b

SHA1
59e5470400d63cfe50fa5a6c5adb3d5d7705b0ba

SHA256
0c13ae7abd93de350634ec23e30878f16d3bc1f3f576e5b0f2afa8eb792950e9

SHA512
cab7888ebbbca320f1b35cf4f929c9c8e4b42159bb956e9a6fe1c53d3a8b223c72f046abc1428bde7df3f03fe2ee891baeda9ee6c8d06f0c883eae8a8a53fbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30442\payload.exe.manifest

Filesize
1KB

MD5
ed6241fb41757376c1d0a4a05c956c59

SHA1
6f23ce706cd86f5c17bb0d7777d9191ce290d4b5

SHA256
dd1872942f311f5ab5a2dd50a2f01fd9c6b0af14457e7a5dc88c83c4a709fc35

SHA512
017be33c991a3071346642cb6c87c7e122d860d5f35da60d819f1f8e8ccc7461903cd31634b87575d8640bffaba73107b981594454fc22b12cdeb9a91253830f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30442\python34.dll

Filesize
2.6MB

MD5
3e08ac22ee703aca8f8dc6b713f235ac

SHA1
12746fc41a89cde1f4deb8db9928e14d5cc88e23

SHA256
99f7a30404242c88e13195639eb43e36e70ba3af32b26c65dca2a592596f18b6

SHA512
a2dfc29ec571b34310444a0373256a35483088c7925ea4d2222f6a10b72a2135b03baffc15dd1449832edb3580285ec3b93a5fa827adf097771d59ce6b265c33

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30442\Crypto.Cipher._AES.pyd

Filesize
29KB

MD5
3c4ab2e06feb6e4ca1b7a1244055671a

SHA1
a4c3c44b45248b7cf53881e6d8efa8d557e100a9

SHA256
c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

SHA512
7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

Download Submit
memory/2984-25-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2984-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3044-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads