metasploit | 8397f0112310c6a16da004369168fadda34f2a4b29dcfcfee9879f6e90ed7e33

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
Size

847KB
MD5

20ebc724a3af95649d9cdc131a96f6fe
SHA1

19fd3ca19e952b2b732196420855416781a6fc5c
SHA256

8397f0112310c6a16da004369168fadda34f2a4b29dcfcfee9879f6e90ed7e33
SHA512

49dd8f8f41cfdd1c962de4f5c608a41e61f70d7bc733d459ed55a5f104bfd155dd60fee15fdae9b6f3f040cc028cc1b748b07ddbb8195f0acb9384fcdfb67699
SSDEEP

24576:B6EqkCEBNkqQ5Cv+uSlubgSHKAq4d0mVOdQS0q:BvqMNFmH4sVgdnO

Score

10^/10

metasploit backdoor execution persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

120.138.22.77:3333

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2120	ikatrunner.exe
2576	ikat.exe
2648	cmd.exe
2664	localcmd_executor.exe
2572	startbar.exe
2564	cmd.exe

Loads dropped DLL 14 IoCs

pid	Process
2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2120	ikatrunner.exe
2664	localcmd_executor.exe
2664	localcmd_executor.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2948	sc.exe
2704	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2572	startbar.exe
2572	startbar.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2120	2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2120	2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2120	2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2120	2936	20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2576	2120	ikatrunner.exe	30
PID 2120 wrote to memory of 2576	2120	ikatrunner.exe	30
PID 2120 wrote to memory of 2576	2120	ikatrunner.exe	30
PID 2120 wrote to memory of 2576	2120	ikatrunner.exe	30
PID 2120 wrote to memory of 2648	2120	ikatrunner.exe	31
PID 2120 wrote to memory of 2648	2120	ikatrunner.exe	31
PID 2120 wrote to memory of 2648	2120	ikatrunner.exe	31
PID 2120 wrote to memory of 2648	2120	ikatrunner.exe	31
PID 2120 wrote to memory of 2664	2120	ikatrunner.exe	32
PID 2120 wrote to memory of 2664	2120	ikatrunner.exe	32
PID 2120 wrote to memory of 2664	2120	ikatrunner.exe	32
PID 2120 wrote to memory of 2664	2120	ikatrunner.exe	32
PID 2120 wrote to memory of 2572	2120	ikatrunner.exe	33
PID 2120 wrote to memory of 2572	2120	ikatrunner.exe	33
PID 2120 wrote to memory of 2572	2120	ikatrunner.exe	33
PID 2120 wrote to memory of 2572	2120	ikatrunner.exe	33
PID 2664 wrote to memory of 2564	2664	localcmd_executor.exe	34
PID 2664 wrote to memory of 2564	2664	localcmd_executor.exe	34
PID 2664 wrote to memory of 2564	2664	localcmd_executor.exe	34
PID 2664 wrote to memory of 2564	2664	localcmd_executor.exe	34
PID 2664 wrote to memory of 2948	2664	localcmd_executor.exe	36
PID 2664 wrote to memory of 2948	2664	localcmd_executor.exe	36
PID 2664 wrote to memory of 2948	2664	localcmd_executor.exe	36
PID 2664 wrote to memory of 2948	2664	localcmd_executor.exe	36
PID 2664 wrote to memory of 2704	2664	localcmd_executor.exe	38
PID 2664 wrote to memory of 2704	2664	localcmd_executor.exe	38
PID 2664 wrote to memory of 2704	2664	localcmd_executor.exe	38
PID 2664 wrote to memory of 2704	2664	localcmd_executor.exe	38
PID 2508 wrote to memory of 2568	2508	cmd.exe	41
PID 2508 wrote to memory of 2568	2508	cmd.exe	41
PID 2508 wrote to memory of 2568	2508	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20ebc724a3af95649d9cdc131a96f6fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\ikatrunner.exe
  "C:\Users\Admin\AppData\Local\Temp\ikatrunner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\ikat.exe
    ikat.exe
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    cmd.exe
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\localcmd_executor.exe
    localcmd_executor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      PID:2564
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create testsvc binpath= "cmd /K start" type= own type= interact
      4⤵
      Launches sc.exe
      PID:2948
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start testsvc
      4⤵
      Launches sc.exe
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\startbar.exe
    startbar.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:2572

C:\Windows\system32\cmd.exe
cmd /K start
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\files

Filesize
54B

MD5
5c19ec4f4d62c62d61be2c4a80b0720b

SHA1
3e994c6aecc660952c357b2426a907b47d746f5a

SHA256
4a20cb65e7eb5f3e6242bc05db429aa53c110043ccc2243e7d9c4e1ed2b3b889

SHA512
2beefe38792460478ea1c4b10597681d9a86ce0bb085ecda5b26e137bbc40c5696b3b13b2f2b6d1cf7bf5b1b634ae630e71af86f05054dee72be6d2e20c7fd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikat.exe

Filesize
72KB

MD5
9aff21a108b7992e0d705101eba3d0a3

SHA1
dd6a35e7ff23ddcb7b90660ec6c44a0b3f38418e

SHA256
cd272f45e70f892462a17d2737232a857511a05d98d4bcbe447082741f0103ca

SHA512
b290e5d865708cd7c56feba59cbba3bb20a78f76f1de74090d21d2dc4f610a5bab5f1b5e30aa27c7f7a44b2daaeb78713dc9eb0e218d76d364830ec5fdb32d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\localcmd_executor.exe

Filesize
4KB

MD5
c63bd8e8e9e077b63cda19636c2719b3

SHA1
b4ce8c7afd0d52ea37be54d9f6249420d6bf896b

SHA256
f3c2f95af749eb30ed388aefdc20f5d4b2d9f5079aca879376255cd0cf883b3a

SHA512
1bac56e668562457d5df016acfced153fefe6563668daa2ed1a553601a9959dab7bd49bca181e1c857044fe12dbee5ba4870c2ce9894ec99c8d2f68ca29c8783

Download Submit
C:\Users\Admin\AppData\Local\Temp\startbar.exe

Filesize
4KB

MD5
d5ab5005b4f7362dcff20bbc20a0e927

SHA1
0cac59b80b5427a8780168e1b85c540efffaf74f

SHA256
0abf06b3da09e56b89b5ebb9f9fdedb07b77ec8a2c391148ed8567e0b56630cb

SHA512
75ef05cf77758fa5d845cea96e52ca63894d8c41df149fbd0bda628a5f630b32cc05ebc87c3296fd8d0f1d100210b7f7f16af5d4ea2683dc52469eb9c4fc4033

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
381KB

MD5
2d8564452c151717b145417261ab6a17

SHA1
e5e009860104cf20ed3d126f6f092f780fac5293

SHA256
7e678393c11e2bf98a9cf3d81c39e90abb2dcb9dc53cd8453dff8ec9d5928f5d

SHA512
1040f592278e9447c5bbc3c0c14f273d2a2ede967c7826732810b2a67a6afb40294c9db0f4149c66294f47bdbe05dbbf228ceab30d815b28426c765948f03ad3

Download Submit
\Users\Admin\AppData\Local\Temp\ikatrunner.exe

Filesize
516KB

MD5
8da9e2edc96cb09f13c7a5536000ba1a

SHA1
4c0ab94709dd83f7df2e5cde1f1210352c331ef3

SHA256
7a2688a2030b92296aeb4f0b96dcf96e87fd063af2e6e7a457bb4a3edb01be59

SHA512
16627e4474d9fd147099bfa2358218016936e56824e82d9c8483d1f11ae477c6b0a94070ff1a00f99422738963f692b0f5c585ec6f277171de24f1be3b58949c

Download Submit
memory/2576-37-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download