metasploit | 508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2

General

Target

1.jar
Size

48KB
MD5

82592ebfde7fe301ee9a3bd14e79ea71
SHA1

07363274a24c63eb10325989cc377435587e8ed5
SHA256

508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2
SHA512

a399ce77952bb5e4c11c855c820b1803b9ca663c18f3eb5ed5238875fa710db6924e0b734d98d871c27a23a3bfa7d2ce0c6b8e58643ae6225a28998f29fa440a
SSDEEP

1536:YarSmry9uv651pAW91i0Q3B6bpLx74oxv:YarSJ9uvmsW91i0ecbz74Q

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEDE4cXgoQm6Fg0czya0_1TO2gj2SNkyRMJ-nPV-2Q7lwYfx0yo1Em6ftP82BkL9xndf87LveJ-VVrDZ6OgJgN6b-niS5pLy52oQopR7348MLx5xDu2aNijLl-gsz7J9RcbgJnkc8J_5tuTtHXpWJRhnKwdZw9UP7M-qScr-52RnEiK

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

zNxICWLP.exe

pid process

2452 zNxICWLP.exe

pid	process
2452	zNxICWLP.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

java.exejava.exejava.exe

description	pid	process	target process
PID 2272 wrote to memory of 2564	2272	java.exe	java.exe
PID 2272 wrote to memory of 2564	2272	java.exe	java.exe
PID 2272 wrote to memory of 2564	2272	java.exe	java.exe
PID 2564 wrote to memory of 2576	2564	java.exe	java.exe
PID 2564 wrote to memory of 2576	2564	java.exe	java.exe
PID 2564 wrote to memory of 2576	2564	java.exe	java.exe
PID 2576 wrote to memory of 2452	2576	java.exe	zNxICWLP.exe
PID 2576 wrote to memory of 2452	2576	java.exe	zNxICWLP.exe
PID 2576 wrote to memory of 2452	2576	java.exe	zNxICWLP.exe
PID 2576 wrote to memory of 2452	2576	java.exe	zNxICWLP.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir metasploit.Payload
2⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn4962602422807101034.tmp.dir metasploit.Payload
3⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
4⤵
- Executes dropped EXE
PID:2452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~spawn3626791245550091311.tmp.dir\zNxICWLP.exe
Filesize
72KB

MD5
8ae8af22e928115215835a6ac0c3558f

SHA1
94d50ae882570f3dc170888cc63401c4578c1856

SHA256
e2c54b54fabaaa2203ca11de66f55df067d977d4abc04ed8311f1fda5bb89801

SHA512
ec8f8be773646306a93131cc81de41276c2780738ae870c374da817dec98f6351d90918f84b683e6526c0b6ab6ec206b8ef518708cc801b37e6ec1ea154272eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir\metasploit.dat
Filesize
151B

MD5
14236e75576e2bf553c869d9cd0e2b5d

SHA1
a318c406ddb0d8938e2778aa616df885f130973d

SHA256
b3033e1803009e85f569fe9002647313e74c16cd47dc78819c2e10326e218d21

SHA512
eac2103173e5bbae8881a6c1fbff69b2a3c1ff0aa40bce6b0c9cf1c8e5c1479e19ecca20a9ccd90146001a2d57104bf843ee2ee63e6df60ee26c880c9428c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn4086140395569055857.tmp.dir\metasploit\Payload.class
Filesize
8KB

MD5
e0efce91393df3801df3790996946fb1

SHA1
e72ae1cb75b65b46687a44122f609604a88f1134

SHA256
f2d768ccb588b5bb61d18769b04c2adcc92ec17ca00032808a1aad8235820c0b

SHA512
f8a10b4a88f978f8afa820e626b2d417764477889c7bf6de805fab2cf62ea9d553132e7083fb33929b0b8974c4a7a72720b20d154d7022100c15e0b53e2f784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn4962602422807101034.tmp.dir\metasploit.dat
Filesize
151B

MD5
8669709de6a11fa101a68e1be3160907

SHA1
590a635c6fe810a86ccdec46fa22bf64a5be80f5

SHA256
8405dd5c9e558609cadc3cc110646b75fbe1a4eafde3a85749b05fa0210a3858

SHA512
98a2787afe9fb6a89e50818e3dc0f93249932fd19f5d203685e14cdfb4a16f8d110b85cacc17358aa144ac72a01cca9c18f8dcb394d7a8336a180d29342b502a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\83aa4cc77f591dfc2374580bbd95f6ba_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/2272-2-0x0000000002630000-0x00000000028A0000-memory.dmp

Filesize
2.4MB

Download
memory/2272-52-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2272-53-0x0000000002630000-0x00000000028A0000-memory.dmp

Filesize
2.4MB

Download
memory/2452-46-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2564-19-0x0000000002600000-0x0000000002870000-memory.dmp

Filesize
2.4MB

Download
memory/2564-49-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2564-50-0x0000000002600000-0x0000000002870000-memory.dmp

Filesize
2.4MB

Download
memory/2576-32-0x00000000026B0000-0x0000000002920000-memory.dmp

Filesize
2.4MB

Download
memory/2576-45-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2576-47-0x00000000026B0000-0x0000000002920000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing