metasploit | 4543a6366a7a6b8a5e393d505b50cbddcf4b5248a021750904fe92c87986cc47

General

Target

56d604f2e739f8daef926c6205b499f1_JaffaCakes118.ps1
Size

2KB
MD5

56d604f2e739f8daef926c6205b499f1
SHA1

175fb8f1d97a95f9fb3361fc1a6e7a22b8920556
SHA256

4543a6366a7a6b8a5e393d505b50cbddcf4b5248a021750904fe92c87986cc47
SHA512

c09cdc9ea7970e631a75d939232f168753527c730880e55874446c4f48452cc61f6de72480be7979cd4c95054448412209d126650fcd93f80c9ce0c2be352b0b

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.119.167:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2104 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2104 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

2760 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2104 powershell.exe

pid	process
2104	powershell.exe

pid	process
2104	powershell.exe

pid	process
2760	dw20.exe

description	pid	process
Token: SeDebugPrivilege	2104	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 2104 wrote to memory of 2712	2104	powershell.exe	csc.exe
PID 2104 wrote to memory of 2712	2104	powershell.exe	csc.exe
PID 2104 wrote to memory of 2712	2104	powershell.exe	csc.exe
PID 2712 wrote to memory of 2700	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2700	2712	csc.exe	cvtres.exe
PID 2712 wrote to memory of 2700	2712	csc.exe	cvtres.exe
PID 2104 wrote to memory of 2760	2104	powershell.exe	dw20.exe
PID 2104 wrote to memory of 2760	2104	powershell.exe	dw20.exe
PID 2104 wrote to memory of 2760	2104	powershell.exe	dw20.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\56d604f2e739f8daef926c6205b499f1_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjc9pldn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3728.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3727.tmp"
3⤵
PID:2700

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 964
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2760

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3728.tmp
Filesize
1KB

MD5
1e75a7983d15e04d14800d87d89a7a14

SHA1
975b80178810a50b6da539204483ff89ac72185d

SHA256
217e8396ffa7bca4cf8e2a5feca8726819697ccd84a58a164f0af7959f4be349

SHA512
ceedc6d3d583b75e40c495d61dc319b5c905c20a1935213410e7d1e26e247c0da7c401e1159ef64983d0e387b4d806dca25bb3069696437064ae9a80bd432ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjc9pldn.dll
Filesize
3KB

MD5
7c3211446ee5b365910e2fa49561679f

SHA1
ac8f33047ef35b6b0d0acf9a32dea1e3863af857

SHA256
7fa9267631d5c95ff7649b36af001d1066029037536fbc1e5d58e4c25a4b44c4

SHA512
a45df3e800164e9bb6a41fd7d8452b6b460ca496dbd14d6eb34919fc519ed39fce0ab16a362d728ca9ca3834de06025325f0b00e5afcc3595936330291bc3c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjc9pldn.pdb
Filesize
7KB

MD5
a6f10814e0bf030c707be60f9244f936

SHA1
fac39ba0516ecd7ab1e0bce48addac01d4250456

SHA256
4d91fe4c7b01e9ad99b75f4ce12efa311fb1b8988fd7b5f32c09ab194f8e763b

SHA512
ba5d7d292088ea41cc4eacae96fbe1f34b5f097dd581997376afe897b0b8a3c1df186d45ae26a99ddcf30a069806ae932f8ed9628495f22b86a3c5935ea23606

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3727.tmp
Filesize
652B

MD5
3a45eb882bc0262102d12b299a823d62

SHA1
0482a503b081707c09f1bac6ef61e2f23a84c972

SHA256
19d3694b29a5fd62a3f2385d4f2a2693405a56ce7c68f5f40adb8609b77b2ff9

SHA512
8439422f33b941bf28b468abd772031e8613188b7107451658ed35e028c18c7de43e6e3002326c96ae534ff6cbb2346696e78f821c5ea442e722051644d6151f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kjc9pldn.0.cs
Filesize
565B

MD5
7ab331daccdacd5ff29c8e23b747b040

SHA1
7140f35b363576f33e646222a01fcddb27cab866

SHA256
4ab92bb2f2582b002f3f3e9d7f92ebe2ab2b53527da0e25caddfdfba7f6a3190

SHA512
3e6fa140d5e606c784e8f29f83c6346d5fc1bf11e86fefb9482ec8be967b3a5d18864fdb45be02c4f04b0502b9218783be1b755b4c88e50b0f6b685bbdaff395

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kjc9pldn.cmdline
Filesize
309B

MD5
da8b16703a6a99681cd0b3996b72b1fc

SHA1
bfdea942544698311e72ce0375f331e96c466213

SHA256
5f7763398739848127e73f85686778c21cef8907bf1272b54cb70b78d3800d0f

SHA512
d732cf295a868b9fedfd15f7597bf03d45546fc2274666b97e20362c45aa4a827c97185c43cf8b24041d386408b33634769568e4c4171fea9264639ed8db4abe

Download Submit
memory/2104-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-4-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

Filesize
4KB

Download
memory/2104-7-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-6-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2104-5-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2104-25-0x000000001B7C0000-0x000000001B7C8000-memory.dmp

Filesize
32KB

Download
memory/2104-28-0x000000001B7E0000-0x000000001B7E1000-memory.dmp

Filesize
4KB

Download
memory/2104-29-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-30-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

Filesize
4KB

Download
memory/2712-20-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-23-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing