metasploit | 4ac29f1bbaa3070b5bc30ec7c29abaa258f7e34434fc0239f0241013df22ccbf

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 19:39

Target

30b76944bb425839c64348014df8280a_JaffaCakes118.dll
Size

116KB
MD5

30b76944bb425839c64348014df8280a
SHA1

43332486a42e6d6270bb475c258f99840af4b2b7
SHA256

4ac29f1bbaa3070b5bc30ec7c29abaa258f7e34434fc0239f0241013df22ccbf
SHA512

5cce0ccc7fa82ed2a00aa6a0e782a5630d63b7bcd682b5f4e6133c4d54c90489df1ded2e6bc95c37c9a5ed0d5eec5a42bb4bbefebd30970716aca6e7e6088e0a
SSDEEP

1536:GBdqoM5n+pEq6MwuLz4UqQjUsWCcdA60pB7wW7BvrrVPeOvMnDkEpTTUo:GB1pSMwuxqUiA60pB7tZrrV2HThT5

Score

10^/10

Family

metasploit

Version

encoder/shikata_ga_nai

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3052	3040	rundll32.exe	rundll32.exe
PID 3052 wrote to memory of 1152	3052	rundll32.exe	svchost.exe
PID 3052 wrote to memory of 1152	3052	rundll32.exe	svchost.exe
PID 3052 wrote to memory of 1152	3052	rundll32.exe	svchost.exe
PID 3052 wrote to memory of 1152	3052	rundll32.exe	svchost.exe
PID 3052 wrote to memory of 1152	3052	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30b76944bb425839c64348014df8280a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30b76944bb425839c64348014df8280a_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

memory/1152-4-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/3052-0-0x0000000060000000-0x000000006000A000-memory.dmp

Filesize
40KB

Download