metasploit | 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa

General

Target

0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
Size

120KB
MD5

0d0320878946a73749111e6c94bf1525
SHA1

1e9b5c685640df11659aea7748d9bf3df70aadcf
SHA256

34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa
SHA512

fc695dd905213d7b623d33d2fa9302399897970f3b8705182fa50e771dad13dac5d5d302a508cdc4f3fdb37122999f2d492188667b92050fe49a29abff53a8b1
SSDEEP

3072:UXRbYXL8o0Quhon01KRTjKB4phUQbAnL0e2gF7wUg4GR:UXl6LcheTW+bZbwphOr

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

thinprobe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	thinprobe.exe

Deletes itself 1 IoCs

Processes:

thinprobe.exe

pid process

4572 thinprobe.exe
Executes dropped EXE 3 IoCs

Processes:

thinprobe.exethinprobe.exethinprobe.exe

pid process

4572 thinprobe.exe
4464 thinprobe.exe
440 thinprobe.exe
Loads dropped DLL 3 IoCs

Processes:

thinprobe.exethinprobe.exethinprobe.exe

pid process

4572 thinprobe.exe
4464 thinprobe.exe
440 thinprobe.exe
Drops file in Windows directory 1 IoCs

Processes:

thinprobe.exe

description ioc process

File opened for modification C:\Windows\pcawhere\config.ini thinprobe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4572	thinprobe.exe

pid	process
4572	thinprobe.exe
4464	thinprobe.exe
440	thinprobe.exe

pid	process
4572	thinprobe.exe
4464	thinprobe.exe
440	thinprobe.exe

description	ioc	process
File opened for modification	C:\Windows\pcawhere\config.ini	thinprobe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe
4404	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

thinprobe.exethinprobe.exe

description pid process

Token: SeDebugPrivilege 4572 thinprobe.exe
Token: SeDebugPrivilege 440 thinprobe.exe

description	pid	process
Token: SeDebugPrivilege	4572	thinprobe.exe
Token: SeDebugPrivilege	440	thinprobe.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0d0320878946a73749111e6c94bf1525_JaffaCakes118.exethinprobe.exethinprobe.exe

description	pid	process	target process
PID 3368 wrote to memory of 4572	3368	0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe	thinprobe.exe
PID 3368 wrote to memory of 4572	3368	0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe	thinprobe.exe
PID 3368 wrote to memory of 4572	3368	0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe	thinprobe.exe
PID 4572 wrote to memory of 4464	4572	thinprobe.exe	thinprobe.exe
PID 4572 wrote to memory of 4464	4572	thinprobe.exe	thinprobe.exe
PID 4572 wrote to memory of 4464	4572	thinprobe.exe	thinprobe.exe
PID 440 wrote to memory of 4404	440	thinprobe.exe	svchost.exe
PID 440 wrote to memory of 4404	440	thinprobe.exe	svchost.exe
PID 440 wrote to memory of 4404	440	thinprobe.exe	svchost.exe
PID 440 wrote to memory of 4404	440	thinprobe.exe	svchost.exe
PID 440 wrote to memory of 4404	440	thinprobe.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d0320878946a73749111e6c94bf1525_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\pcawhere\thinprobe.exe
"C:\Windows\pcawhere\thinprobe.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4464

C:\Windows\pcawhere\thinprobe.exe
C:\Windows\pcawhere\thinprobe.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\svchost.exe
-daemon
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z76676D28\ThinHostProbedll.dll
Filesize
42KB

MD5
bfb71e0efe5d9208aa9cbdfd4a85a52d

SHA1
ea487fbad911df1f51aa9332336847e2d5dd68bf

SHA256
c195afb7048664ea2a68fa11b5ebeca502ee5454b2364216d0002a3bfda7057d

SHA512
de7490b47939de9e634bea75400c0d820e4e62ee083020e18a48b66fff8ad307926778424fe315ca616878361babe6e6642272ce1eb9036b661c37cd5960bdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76676D28\thinprobe.exe
Filesize
69KB

MD5
65e6e6fffa769830d76ac4fae2433121

SHA1
ced1d78304c4b4dfeb357739859587744e7530da

SHA256
76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af

SHA512
8303a755fc5e4f7a3de9f6efde12243a75f90532384c002b5168ec88cd60b34b6024accdf916a91d625ca07bfdb07364c971b482c2ebb9c9a84c10409526808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z76676D28\thumb.db
Filesize
51KB

MD5
fe185cb4315658e561fd789181dfd1f3

SHA1
dc6468dd9ab1c73210990c55cca82111ed21e00d

SHA256
eb9f6f3fb6b70d1f49c1c92442a0f96e7583e757b035cb4343767cf9382eb354

SHA512
88347235e77553c976d5d45278d8d51d15815523fc57be73d21b6676ea9f296d16d6c96b6f81f1e3900c373717c589fa3c510ef8f6e33df72ea32ef036687382

Download Submit
C:\Windows\pcawhere\config.ini
Filesize
49B

MD5
1163d48321d9f9c9dcca133aa32bb53f

SHA1
768f039bab4f30b15571422cd839cf8e96ee4b1b

SHA256
0a30ad4a1e8e0c289db205b9d805dd40d68428c03cee5df67bb5eff41cd25ba5

SHA512
bd21e4bd4586b44f723dd12e31d535154263091faccbcc84f309f0021d5cef0c2138d3a385310c093917b0bde7de9e9f48dbecf9ece33d2c2a28ce32bcdd3bab

Download Submit
memory/440-35-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download
memory/440-47-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download
memory/440-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3368-20-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4404-41-0x0000000001100000-0x000000000110D000-memory.dmp

Filesize
52KB

Download
memory/4464-48-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download
memory/4464-26-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download
memory/4464-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4572-13-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4572-25-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download
memory/4572-17-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4572-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4572-11-0x0000000075260000-0x000000007526D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads