metasploit | 14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379

General

Target

577eab90797f2804a44cce6241eb9c22_JaffaCakes118.docm
Size

51KB
MD5

577eab90797f2804a44cce6241eb9c22
SHA1

6bee48fb567b6f0acc2cd129741f0351b961c89f
SHA256

14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379
SHA512

e5a5140424c5dcfccd2dafc34bdf2232dd2d046dd933f47053b9278ccf1f67e3a61110da0c81c9f419a42a0a4538c97c5dba1b8a6dba800d0186b69a07d9770c
SSDEEP

1536:91Edx5uQyrwP6mYyv+bUD/iXo6666hjIM9988m4vXTf:9qdx5byUP8mtD/+okhyTf

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://191.101.42.179:8080/HxJOy7n0CJvydvN3qZ2FLgqSDe-upNDe0J0Ts0S_QVE3U8qmdyykRSnD6T_HvD7La8DNmDu0GFUno6sSH6E1kyH1KFLrK-sU2mx6mwqnG4gBWa7BSH61LeWes6_ip9ijxEIdPAmYbrc9mOjG3ohA4KJrSn_hMCCfI9Pc_7hBhp

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

txqTrPLp.exe

pid process

4848 txqTrPLp.exe

pid	process
4848	txqTrPLp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1244 WINWORD.EXE
1244 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1244 wrote to memory of 4848	1244	WINWORD.EXE	txqTrPLp.exe
PID 1244 wrote to memory of 4848	1244	WINWORD.EXE	txqTrPLp.exe
PID 1244 wrote to memory of 4848	1244	WINWORD.EXE	txqTrPLp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\577eab90797f2804a44cce6241eb9c22_JaffaCakes118.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\txqTrPLp.exe
C:\Users\Admin\txqTrPLp.exe
2⤵
- Executes dropped EXE
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD9DFD.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\txqTrPLp.exe
Filesize
4KB

MD5
4788af93cfbfc6fa40602c34205e8f78

SHA1
27846a108f37d617ea2b062673a7cddb62ea1a71

SHA256
212f19c7162e353259d30000502c8bc7b938f26398596beaff56dbf2577f8307

SHA512
3c70a46284006805ab14d99b834c1192a31ebe4912312e6d4a9b6db5d608d5603c8210e47c5eefc85ebf9d1e648aff53043f0d64d64c66fe58482df9b6d27746

Download Submit
memory/1244-17-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-574-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-0-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-5-0x00007FFA8B0ED000-0x00007FFA8B0EE000-memory.dmp

Filesize
4KB

Download
memory/1244-6-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-7-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-9-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-8-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-2-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-12-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-11-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-13-0x00007FFA48DD0000-0x00007FFA48DE0000-memory.dmp

Filesize
64KB

Download
memory/1244-16-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-21-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-20-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-19-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-22-0x00007FFA48DD0000-0x00007FFA48DE0000-memory.dmp

Filesize
64KB

Download
memory/1244-18-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-10-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-4-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-1-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-43-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-42-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-44-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-52-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-14-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-577-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-15-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-121-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-3-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-540-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-542-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-543-0x00007FFA8B050000-0x00007FFA8B245000-memory.dmp

Filesize
2.0MB

Download
memory/1244-573-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-576-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/1244-575-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp

Filesize
64KB

Download
memory/4848-61-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4848-55-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads