metasploit | 508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2

General

Target

1.jar
Size

48KB
MD5

82592ebfde7fe301ee9a3bd14e79ea71
SHA1

07363274a24c63eb10325989cc377435587e8ed5
SHA256

508d6f893f07538458fdf64e07d02789280217efbf7144ddce62aad2bf90cdc2
SHA512

a399ce77952bb5e4c11c855c820b1803b9ca663c18f3eb5ed5238875fa710db6924e0b734d98d871c27a23a3bfa7d2ce0c6b8e58643ae6225a28998f29fa440a
SSDEEP

1536:YarSmry9uv651pAW91i0Q3B6bpLx74oxv:YarSJ9uvmsW91i0ecbz74Q

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://74.48.220.31:8632/DcTIHAkb/1Q9Al5hrrEDE4cXgoQm6Fg0czya0_1TO2gj2SNkyRMJ-nPV-2Q7lwYfx0yo1Em6ftP82BkL9xndf87LveJ-VVrDZ6OgJgN6b-niS5pLy52oQopR7348MLx5xDu2aNijLl-gsz7J9RcbgJnkc8J_5tuTtHXpWJRhnKwdZw9UP7M-qScr-52RnEiK

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

zNxICWLP.exe

pid process

4528 zNxICWLP.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3656 icacls.exe

pid	process
4528	zNxICWLP.exe

pid	process
3656	icacls.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.exejava.exejava.exe

description	pid	process	target process
PID 4092 wrote to memory of 3656	4092	java.exe	icacls.exe
PID 4092 wrote to memory of 3656	4092	java.exe	icacls.exe
PID 4092 wrote to memory of 5088	4092	java.exe	java.exe
PID 4092 wrote to memory of 5088	4092	java.exe	java.exe
PID 5088 wrote to memory of 4940	5088	java.exe	java.exe
PID 5088 wrote to memory of 4940	5088	java.exe	java.exe
PID 4940 wrote to memory of 4528	4940	java.exe	zNxICWLP.exe
PID 4940 wrote to memory of 4528	4940	java.exe	zNxICWLP.exe
PID 4940 wrote to memory of 4528	4940	java.exe	zNxICWLP.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3656

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir metasploit.Payload
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn8002907063451268695.tmp.dir metasploit.Payload
3⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe
C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe
4⤵
- Executes dropped EXE
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
dab7d6b4d3e741a431dafa3960a13355

SHA1
fcb372f3aa02b54eee4a4e5942a7c39163ef3484

SHA256
4028a4fad61bedae7d89700cbdc47560bc7a292b161e72c50af8d5cc7aa7b7f0

SHA512
10f7c5248fc647b131eb3595f89a7c10745d2af6a3b9ba537724ce5c175748a4679b7c0b26f8a48d8c25c5e4bb2bfc62d6cf23e57f41a686f336b71e418f2eed

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
7a1abb0dc8b5abf718856d2aa0f9a1c1

SHA1
49153477ed385a79f89f389fb5da5a8adce85bb7

SHA256
3b84ed1494857e1bddcb227934077d473196cc02ea05d9219b751b76581deae0

SHA512
ba8307507f95e6382329d88b01391c19187d16d888b0e98ba067c64e516cfdddf0500b7556a67e88bba6d2ba88b89b0551172950bb63f15ac79cff5cad698f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir\metasploit.dat
Filesize
150B

MD5
19e9d0b283dcdc071eaca05823dbd213

SHA1
ab9a0a8a10a8f6a4a29be4d597bc90a36ffa3469

SHA256
e7630922f9616d8c5b53ae3ee73375142edf27b5feaf4294b5afa4ad95f9e008

SHA512
208ce02f5ab689e9ecb7954971ca586c78a037ea147ad78cf3eb258e7150ab526e2ec59b31843bad9e012f44e2e106493808114213a86daffcdd51ef6efc6d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn62463778132253767.tmp.dir\metasploit\Payload.class
Filesize
8KB

MD5
e0efce91393df3801df3790996946fb1

SHA1
e72ae1cb75b65b46687a44122f609604a88f1134

SHA256
f2d768ccb588b5bb61d18769b04c2adcc92ec17ca00032808a1aad8235820c0b

SHA512
f8a10b4a88f978f8afa820e626b2d417764477889c7bf6de805fab2cf62ea9d553132e7083fb33929b0b8974c4a7a72720b20d154d7022100c15e0b53e2f784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn659622527208658630.tmp.dir\zNxICWLP.exe
Filesize
72KB

MD5
8ae8af22e928115215835a6ac0c3558f

SHA1
94d50ae882570f3dc170888cc63401c4578c1856

SHA256
e2c54b54fabaaa2203ca11de66f55df067d977d4abc04ed8311f1fda5bb89801

SHA512
ec8f8be773646306a93131cc81de41276c2780738ae870c374da817dec98f6351d90918f84b683e6526c0b6ab6ec206b8ef518708cc801b37e6ec1ea154272eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn8002907063451268695.tmp.dir\metasploit.dat
Filesize
150B

MD5
b2ff005d164a40eae3b8a4409dacb89b

SHA1
6b60b059f0d122a4f976f680c2f7ed3424f5e8ba

SHA256
744936acf64f53376ef65f4de7924dfec158c169ee66959af3a5010f525fa43a

SHA512
9a69024ed7a01d30c3de20950929d48a5a15d2b1f11938203d14a1d492c266d58442841f84b0381f77060bb985d803c08f781419625ec6886859ca3bcc1f0169

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\83aa4cc77f591dfc2374580bbd95f6ba_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/4092-22-0x000002B6CBA50000-0x000002B6CBA51000-memory.dmp

Filesize
4KB

Download
memory/4092-2-0x000002B6CD220000-0x000002B6CD490000-memory.dmp

Filesize
2.4MB

Download
memory/4092-60-0x000002B6CBA50000-0x000002B6CBA51000-memory.dmp

Filesize
4KB

Download
memory/4092-61-0x000002B6CD220000-0x000002B6CD490000-memory.dmp

Filesize
2.4MB

Download
memory/4940-36-0x0000024953450000-0x00000249536C0000-memory.dmp

Filesize
2.4MB

Download
memory/4940-51-0x0000024951A70000-0x0000024951A71000-memory.dmp

Filesize
4KB

Download
memory/4940-53-0x0000024953450000-0x00000249536C0000-memory.dmp

Filesize
2.4MB

Download
memory/5088-19-0x0000018DE1D00000-0x0000018DE1F70000-memory.dmp

Filesize
2.4MB

Download
memory/5088-54-0x0000018DE04F0000-0x0000018DE04F1000-memory.dmp

Filesize
4KB

Download
memory/5088-57-0x0000018DE04F0000-0x0000018DE04F1000-memory.dmp

Filesize
4KB

Download
memory/5088-58-0x0000018DE1D00000-0x0000018DE1F70000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing