metasploit | 5c1d901f04a966c1b3017696a6541143e1948d2373603b39efaf8d192408b435

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d819dea19ee3bb68e4fc270ef6137c_JaffaCakes118.dll
Size

16KB
MD5

81d819dea19ee3bb68e4fc270ef6137c
SHA1

7e878ab341636f6cd2ef5800979e2c2810dacff0
SHA256

5c1d901f04a966c1b3017696a6541143e1948d2373603b39efaf8d192408b435
SHA512

01673a25cd2acf376636ce9825f83b8c4792d7449985d25ed3ddcbae9451acfcf7e01cf798eb06b334df57c1b190a4c2d2aeb84523fc228492c64dea0f997a9a
SSDEEP

192:5d9slT64N6d7aIbEaS5pqYMYXai9jOXbI+VNJypif7vF6Unb2/VS5shxu:5dRFEaoq7kjILVNJXp6Unb205s

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_winhttp

https://1.tcp.cpolar.cn:20784/GzpeqbOPBJcyoTOgbc2pJwb-QePe0oW4h0_9IqjDapTaaAnz-tG_XqBmtRXdGdwpolYMmLYDcD1JqqbjMJ-rnOqoI1k3PzExMmzFdIl6vs7R3_4QKrHEp26utMSXhwBYOu

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

46 372 rundll32.exe
55 372 rundll32.exe
69 372 rundll32.exe
70 372 rundll32.exe
71 372 rundll32.exe

flow	pid	process
46	372	rundll32.exe
55	372	rundll32.exe
69	372	rundll32.exe
70	372	rundll32.exe
71	372	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1796 wrote to memory of 372	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 372	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 372	1796	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81d819dea19ee3bb68e4fc270ef6137c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\81d819dea19ee3bb68e4fc270ef6137c_JaffaCakes118.dll,#1
2⤵
- Blocklisted process makes network request
PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-0-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download