metasploit | 8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d

General

Target

68d9b2bda86ac6ce7dbfd3ee9fd12508_JaffaCakes118.ps1
Size

2KB
MD5

68d9b2bda86ac6ce7dbfd3ee9fd12508
SHA1

89ecae4065f2f2d7bdd3e910da4bddcd350afbcf
SHA256

8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d
SHA512

b62d41e49a2b87ad9c9fb18a02891833c08499a05099e964a6ba75c2cfffc46369d611462f6b1dec3b93ed17f2c3c015f909127738b773c77770d80a0029e79c

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://45.77.23.209:8080/jquery-3.3.1.slim.min.js

Attributes

headers Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: cdn.bootcss.com Referer: http://cdn.bootcss.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 3604 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

812 powershell.exe
3604 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

812 powershell.exe
812 powershell.exe
3604 powershell.exe
3604 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 812 powershell.exe
Token: SeDebugPrivilege 3604 powershell.exe

flow	pid	process
22	3604	powershell.exe

pid	process
812	powershell.exe
3604	powershell.exe

pid	process
812	powershell.exe
812	powershell.exe
3604	powershell.exe
3604	powershell.exe

description	pid	process
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.exepowershell.execsc.exe

description	pid	process	target process
PID 812 wrote to memory of 3604	812	powershell.exe	powershell.exe
PID 812 wrote to memory of 3604	812	powershell.exe	powershell.exe
PID 812 wrote to memory of 3604	812	powershell.exe	powershell.exe
PID 3604 wrote to memory of 1168	3604	powershell.exe	csc.exe
PID 3604 wrote to memory of 1168	3604	powershell.exe	csc.exe
PID 3604 wrote to memory of 1168	3604	powershell.exe	csc.exe
PID 1168 wrote to memory of 5068	1168	csc.exe	cvtres.exe
PID 1168 wrote to memory of 5068	1168	csc.exe	cvtres.exe
PID 1168 wrote to memory of 5068	1168	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\68d9b2bda86ac6ce7dbfd3ee9fd12508_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymi3d1jh\ymi3d1jh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F54.tmp" "c:\Users\Admin\AppData\Local\Temp\ymi3d1jh\CSC9077F8FD72BD4F038593449CA0A8DA48.TMP"
4⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F54.tmp
Filesize
1KB

MD5
a1309016a4770d1c60b4a1a6b2f1aaea

SHA1
d4b64cc80b3d38f166604d9c2dfc6f91c35c5a6e

SHA256
41b8660441d3b66656788ea01e738ec8bf637ea11d2de0b7a4c857d9b2330742

SHA512
067f2bcdc0a3076d615158d266ff57f3da88f400a050826c447eb6ecd0160f22b74017c7268a2d74cf97c6c76e0449e75ce1b6f4c53a7c5435ae47f96c457743

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlliyvbx.3xb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymi3d1jh\ymi3d1jh.dll
Filesize
3KB

MD5
6ce6e51c41ddba4b67e9db81fb45de5a

SHA1
3ff15c73742d44cf866caf7e9158bb76919e2f87

SHA256
73ce268868ebc38886bff74dd36ce9c1031dd2b60cc1dda65c25eaa93e60997f

SHA512
67c67783c518fd2cda1f4e14c3410dc13df33085dc8c9dfcc46f947bdecbc2c1462b321528283b40b6dd1a2d51331391fe990cccdb04707833abb6b0fcd62279

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymi3d1jh\CSC9077F8FD72BD4F038593449CA0A8DA48.TMP
Filesize
652B

MD5
da60f7e315a470aeee173049470c5b09

SHA1
98649470a488f32afc6353ef0b50c4489e5a2d7c

SHA256
b4b5b28f4944ca100874e186d540a16b3c3e91467cc86d0ef0d6abf36654e8f1

SHA512
1dac3594aaeb886cb5c24d1962743959a275072a3b18c9032fad417b833a57195dd23ebbf92103ba918acabb166cc6057c4a717c78663e9205fb6d82ff84a477

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymi3d1jh\ymi3d1jh.0.cs
Filesize
769B

MD5
e9229c2b2f7494c86966a0c45419f53e

SHA1
8cc6e18d196930758675891d9c9761b0812e8451

SHA256
02436cabe1b2c68359a333b522304c53b2a721123f935991e6f6684d1fab1def

SHA512
2f1a42a5c0de45f412e13cad05b836d05d80aeb7bc89e723edc8c495d65e4d9fb3d2748fefe19cb9857cbefdb175a02f9b7ea4dd9afb729550694360d332219b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymi3d1jh\ymi3d1jh.cmdline
Filesize
324B

MD5
bc80ca832b5a523c0e72ef363c5ec372

SHA1
7f0a17841926266b7a02259cce0587142c271575

SHA256
584646c8ff0dff7dd1e5bc60d6db08a727911df0db5bfc91b37c4988c39950aa

SHA512
6d908fc82d4148333c4026e1db01649fd5d1948714732e0bb7dc6274c609f590d1115108a060d6390849afe7a4f6becd5aee1912daec2b87fdd93fe1c42e89b2

Download Submit
memory/812-12-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/812-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/812-62-0x0000022F3FDD0000-0x0000022F3FDE0000-memory.dmp

Filesize
64KB

Download
memory/812-56-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/812-55-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/812-65-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/812-14-0x0000022F40970000-0x0000022F40B7A000-memory.dmp

Filesize
2.0MB

Download
memory/812-13-0x0000022F405E0000-0x0000022F40756000-memory.dmp

Filesize
1.5MB

Download
memory/812-11-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/812-10-0x0000022F40150000-0x0000022F40172000-memory.dmp

Filesize
136KB

Download
memory/3604-16-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/3604-51-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/3604-36-0x0000000006440000-0x000000000645A000-memory.dmp

Filesize
104KB

Download
memory/3604-34-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/3604-33-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/3604-32-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/3604-22-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/3604-21-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/3604-49-0x0000000006520000-0x0000000006528000-memory.dmp

Filesize
32KB

Download
memory/3604-35-0x0000000006CD0000-0x000000000734A000-memory.dmp

Filesize
6.5MB

Download
memory/3604-20-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/3604-19-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3604-18-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/3604-57-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/3604-58-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3604-61-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3604-17-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3604-15-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing