metasploit | 84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f

General

Target

495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
Size

400KB
MD5

495bcf192b3dae922860d12930895d4e
SHA1

238114adc53bc8b558228923fb9be157bd73a516
SHA256

84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f
SHA512

b391e4d29e27042b941632536a4b6b2bcf018f63460bce6fcc850ba19bc1d804a4cfa9ef8724406b0738214bb90845f697a81955864a6b30291682e56b3ca748
SSDEEP

6144:yjxJbwaxzExxnpifB2FccqNHlabtRFA1gQj/+zMtm61F:yjxNwaxIxIGccqNH6tnA1gQj/h

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

Processes:

taskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

pid	process
3536	taskmrg.exe
3496	taskmrg.exe
2480	taskmrg.exe
3504	taskmrg.exe
4760	taskmrg.exe
3492	taskmrg.exe
732	taskmrg.exe
3128	taskmrg.exe
3976	taskmrg.exe
3652	taskmrg.exe

Drops file in System32 directory 22 IoCs

Processes:

taskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe495bcf192b3dae922860d12930895d4e_JaffaCakes118.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File opened for modification	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe
File created	C:\Windows\SysWOW64\taskmrg.exe	taskmrg.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

495bcf192b3dae922860d12930895d4e_JaffaCakes118.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exetaskmrg.exe

description	pid	process	target process
PID 2272 wrote to memory of 3536	2272	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2272 wrote to memory of 3536	2272	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 2272 wrote to memory of 3536	2272	495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe	taskmrg.exe
PID 3536 wrote to memory of 3496	3536	taskmrg.exe	taskmrg.exe
PID 3536 wrote to memory of 3496	3536	taskmrg.exe	taskmrg.exe
PID 3536 wrote to memory of 3496	3536	taskmrg.exe	taskmrg.exe
PID 3496 wrote to memory of 2480	3496	taskmrg.exe	taskmrg.exe
PID 3496 wrote to memory of 2480	3496	taskmrg.exe	taskmrg.exe
PID 3496 wrote to memory of 2480	3496	taskmrg.exe	taskmrg.exe
PID 2480 wrote to memory of 3504	2480	taskmrg.exe	taskmrg.exe
PID 2480 wrote to memory of 3504	2480	taskmrg.exe	taskmrg.exe
PID 2480 wrote to memory of 3504	2480	taskmrg.exe	taskmrg.exe
PID 3504 wrote to memory of 4760	3504	taskmrg.exe	taskmrg.exe
PID 3504 wrote to memory of 4760	3504	taskmrg.exe	taskmrg.exe
PID 3504 wrote to memory of 4760	3504	taskmrg.exe	taskmrg.exe
PID 4760 wrote to memory of 3492	4760	taskmrg.exe	taskmrg.exe
PID 4760 wrote to memory of 3492	4760	taskmrg.exe	taskmrg.exe
PID 4760 wrote to memory of 3492	4760	taskmrg.exe	taskmrg.exe
PID 3492 wrote to memory of 732	3492	taskmrg.exe	taskmrg.exe
PID 3492 wrote to memory of 732	3492	taskmrg.exe	taskmrg.exe
PID 3492 wrote to memory of 732	3492	taskmrg.exe	taskmrg.exe
PID 732 wrote to memory of 3128	732	taskmrg.exe	taskmrg.exe
PID 732 wrote to memory of 3128	732	taskmrg.exe	taskmrg.exe
PID 732 wrote to memory of 3128	732	taskmrg.exe	taskmrg.exe
PID 3128 wrote to memory of 3976	3128	taskmrg.exe	taskmrg.exe
PID 3128 wrote to memory of 3976	3128	taskmrg.exe	taskmrg.exe
PID 3128 wrote to memory of 3976	3128	taskmrg.exe	taskmrg.exe
PID 3976 wrote to memory of 3652	3976	taskmrg.exe	taskmrg.exe
PID 3976 wrote to memory of 3652	3976	taskmrg.exe	taskmrg.exe
PID 3976 wrote to memory of 3652	3976	taskmrg.exe	taskmrg.exe

C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1120 "C:\Users\Admin\AppData\Local\Temp\495bcf192b3dae922860d12930895d4e_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1156 "C:\Windows\SysWOW64\taskmrg.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1096 "C:\Windows\SysWOW64\taskmrg.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1128 "C:\Windows\SysWOW64\taskmrg.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1132 "C:\Windows\SysWOW64\taskmrg.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1136 "C:\Windows\SysWOW64\taskmrg.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1140 "C:\Windows\SysWOW64\taskmrg.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1092 "C:\Windows\SysWOW64\taskmrg.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1148 "C:\Windows\SysWOW64\taskmrg.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\taskmrg.exe
C:\Windows\system32\taskmrg.exe 1152 "C:\Windows\SysWOW64\taskmrg.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\taskmrg.exe
Filesize
400KB

MD5
495bcf192b3dae922860d12930895d4e

SHA1
238114adc53bc8b558228923fb9be157bd73a516

SHA256
84ca876bbd78325680eb98498b1bd85786bd140b53650a00e2d87213920e057f

SHA512
b391e4d29e27042b941632536a4b6b2bcf018f63460bce6fcc850ba19bc1d804a4cfa9ef8724406b0738214bb90845f697a81955864a6b30291682e56b3ca748

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads