metasploit | 84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f

General

Target

495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
Size

400KB
MD5

495bcf192b3dae922860d12930895d4e
SHA1

238114adc53bc8b558228923fb9be157bd73a516
SHA256

84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f
SHA512

b391e4d29e27042b941632536a4b6b2bcf018f63460bce6fcc850ba19bc1d804a4cfa9ef8724406b0738214bb90845f697a81955864a6b30291682e56b3ca748
SSDEEP

6144:yjxJbwaxzExxnpifB2FccqNHlabtRFA1gQj/+zMtm61F:yjxNwaxIxIGccqNH6tnA1gQj/h

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

Processes:

taskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

pid	process
2712	taskmrg.exe
2636	taskmrg.exe
2992	taskmrg.exe
2360	taskmrg.exe
2744	taskmrg.exe
764	taskmrg.exe
472	taskmrg.exe
2140	taskmrg.exe
2388	taskmrg.exe
2276	taskmrg.exe

Loads dropped DLL 20 IoCs

Processes:

495bcf192b3dae922860d12930895d4e_JaffaCakes118.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

pid	process
2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
2712	taskmrg.exe
2712	taskmrg.exe
2636	taskmrg.exe
2636	taskmrg.exe
2992	taskmrg.exe
2992	taskmrg.exe
2360	taskmrg.exe
2360	taskmrg.exe
2744	taskmrg.exe
2744	taskmrg.exe
764	taskmrg.exe
764	taskmrg.exe
472	taskmrg.exe
472	taskmrg.exe
2140	taskmrg.exe
2140	taskmrg.exe
2388	taskmrg.exe
2388	taskmrg.exe

Drops file in System32 directory 22 IoCs

Processes:

taskmrg.exe495bcf192b3dae922860d12930895d4e_JaffaCakes118.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

495bcf192b3dae922860d12930895d4e_JaffaCakes118.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

description	pid	process	target process
PID 2220 wrote to memory of 2712	2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2220 wrote to memory of 2712	2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2220 wrote to memory of 2712	2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2220 wrote to memory of 2712	2220	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2712 wrote to memory of 2636	2712	taskmrg.exe	taskmrg.exe
PID 2712 wrote to memory of 2636	2712	taskmrg.exe	taskmrg.exe
PID 2712 wrote to memory of 2636	2712	taskmrg.exe	taskmrg.exe
PID 2712 wrote to memory of 2636	2712	taskmrg.exe	taskmrg.exe
PID 2636 wrote to memory of 2992	2636	taskmrg.exe	taskmrg.exe
PID 2636 wrote to memory of 2992	2636	taskmrg.exe	taskmrg.exe
PID 2636 wrote to memory of 2992	2636	taskmrg.exe	taskmrg.exe
PID 2636 wrote to memory of 2992	2636	taskmrg.exe	taskmrg.exe
PID 2992 wrote to memory of 2360	2992	taskmrg.exe	taskmrg.exe
PID 2992 wrote to memory of 2360	2992	taskmrg.exe	taskmrg.exe
PID 2992 wrote to memory of 2360	2992	taskmrg.exe	taskmrg.exe
PID 2992 wrote to memory of 2360	2992	taskmrg.exe	taskmrg.exe
PID 2360 wrote to memory of 2744	2360	taskmrg.exe	taskmrg.exe
PID 2360 wrote to memory of 2744	2360	taskmrg.exe	taskmrg.exe
PID 2360 wrote to memory of 2744	2360	taskmrg.exe	taskmrg.exe
PID 2360 wrote to memory of 2744	2360	taskmrg.exe	taskmrg.exe
PID 2744 wrote to memory of 764	2744	taskmrg.exe	taskmrg.exe
PID 2744 wrote to memory of 764	2744	taskmrg.exe	taskmrg.exe
PID 2744 wrote to memory of 764	2744	taskmrg.exe	taskmrg.exe
PID 2744 wrote to memory of 764	2744	taskmrg.exe	taskmrg.exe
PID 764 wrote to memory of 472	764	taskmrg.exe	taskmrg.exe
PID 764 wrote to memory of 472	764	taskmrg.exe	taskmrg.exe
PID 764 wrote to memory of 472	764	taskmrg.exe	taskmrg.exe
PID 764 wrote to memory of 472	764	taskmrg.exe	taskmrg.exe
PID 472 wrote to memory of 2140	472	taskmrg.exe	taskmrg.exe
PID 472 wrote to memory of 2140	472	taskmrg.exe	taskmrg.exe
PID 472 wrote to memory of 2140	472	taskmrg.exe	taskmrg.exe
PID 472 wrote to memory of 2140	472	taskmrg.exe	taskmrg.exe
PID 2140 wrote to memory of 2388	2140	taskmrg.exe	taskmrg.exe
PID 2140 wrote to memory of 2388	2140	taskmrg.exe	taskmrg.exe
PID 2140 wrote to memory of 2388	2140	taskmrg.exe	taskmrg.exe
PID 2140 wrote to memory of 2388	2140	taskmrg.exe	taskmrg.exe
PID 2388 wrote to memory of 2276	2388	taskmrg.exe	taskmrg.exe
PID 2388 wrote to memory of 2276	2388	taskmrg.exe	taskmrg.exe
PID 2388 wrote to memory of 2276	2388	taskmrg.exe	taskmrg.exe
PID 2388 wrote to memory of 2276	2388	taskmrg.exe	taskmrg.exe

C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 468 "C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 532 "C:\Windows\SysWOW64\taskmrg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 528 "C:\Windows\SysWOW64\taskmrg.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 548 "C:\Windows\SysWOW64\taskmrg.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 536 "C:\Windows\SysWOW64\taskmrg.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 544 "C:\Windows\SysWOW64\taskmrg.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 540 "C:\Windows\SysWOW64\taskmrg.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 556 "C:\Windows\SysWOW64\taskmrg.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 564 "C:\Windows\SysWOW64\taskmrg.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 552 "C:\Windows\SysWOW64\taskmrg.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\taskmrg.exe
Filesize
400KB

MD5
495bcf192b3dae922860d12930895d4e

SHA1
238114adc53bc8b558228923fb9be157bd73a516

SHA256
84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f

SHA512
b391e4d29e27042b941632536a4b6b2bcf018f63460bce6fcc850ba19bc1d804a4cfa9ef8724406b0738214bb90845f697a81955864a6b30291682e56b3ca748

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads