metasploit | 084194ce6ef1f3f35c7c6d0c35e2a8b9e06748d3f5c5eadf8738e9b0f6ed44b2

Analysis

max time kernel
137s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe
Size

234KB
MD5

29f5b6249ea1d3d6a61696a6b2682283
SHA1

3f606faba4473fce6cf087afab2b8396b250ad37
SHA256

084194ce6ef1f3f35c7c6d0c35e2a8b9e06748d3f5c5eadf8738e9b0f6ed44b2
SHA512

59c2793b6a43b46d61a8ed4042a96720fb97447ad1eae0225af56083f0d0e07a6949b25b184be37657440a7d1f67a0a96b8fd9f1f46c1f17d773f44926deca34
SSDEEP

6144:+0/H/DlA06gE/atruYM2OHFozMSQBIx91fo3AN:+e7O0RbFuxMMSGIpmI

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
2768	sms.exe
2312	sms.exe
2640	sms.exe
2452	sms.exe
2904	sms.exe
2620	sms.exe
1372	sms.exe
1056	sms.exe
2172	sms.exe
2932	sms.exe

Loads dropped DLL 10 IoCs

pid	Process
2708	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe
2768	sms.exe
2312	sms.exe
2640	sms.exe
2452	sms.exe
2904	sms.exe
2620	sms.exe
1372	sms.exe
1056	sms.exe
2172	sms.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe
File opened for modification	C:\Windows\SysWOW64\sms.exe	sms.exe
File created	C:\Windows\SysWOW64\sms.exe	sms.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2768	2708	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2768	2708	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2768	2708	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2768	2708	29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe	30
PID 2768 wrote to memory of 2312	2768	sms.exe	31
PID 2768 wrote to memory of 2312	2768	sms.exe	31
PID 2768 wrote to memory of 2312	2768	sms.exe	31
PID 2768 wrote to memory of 2312	2768	sms.exe	31
PID 2312 wrote to memory of 2640	2312	sms.exe	32
PID 2312 wrote to memory of 2640	2312	sms.exe	32
PID 2312 wrote to memory of 2640	2312	sms.exe	32
PID 2312 wrote to memory of 2640	2312	sms.exe	32
PID 2640 wrote to memory of 2452	2640	sms.exe	33
PID 2640 wrote to memory of 2452	2640	sms.exe	33
PID 2640 wrote to memory of 2452	2640	sms.exe	33
PID 2640 wrote to memory of 2452	2640	sms.exe	33
PID 2452 wrote to memory of 2904	2452	sms.exe	34
PID 2452 wrote to memory of 2904	2452	sms.exe	34
PID 2452 wrote to memory of 2904	2452	sms.exe	34
PID 2452 wrote to memory of 2904	2452	sms.exe	34
PID 2904 wrote to memory of 2620	2904	sms.exe	35
PID 2904 wrote to memory of 2620	2904	sms.exe	35
PID 2904 wrote to memory of 2620	2904	sms.exe	35
PID 2904 wrote to memory of 2620	2904	sms.exe	35
PID 2620 wrote to memory of 1372	2620	sms.exe	36
PID 2620 wrote to memory of 1372	2620	sms.exe	36
PID 2620 wrote to memory of 1372	2620	sms.exe	36
PID 2620 wrote to memory of 1372	2620	sms.exe	36
PID 1372 wrote to memory of 1056	1372	sms.exe	37
PID 1372 wrote to memory of 1056	1372	sms.exe	37
PID 1372 wrote to memory of 1056	1372	sms.exe	37
PID 1372 wrote to memory of 1056	1372	sms.exe	37
PID 1056 wrote to memory of 2172	1056	sms.exe	38
PID 1056 wrote to memory of 2172	1056	sms.exe	38
PID 1056 wrote to memory of 2172	1056	sms.exe	38
PID 1056 wrote to memory of 2172	1056	sms.exe	38
PID 2172 wrote to memory of 2932	2172	sms.exe	39
PID 2172 wrote to memory of 2932	2172	sms.exe	39
PID 2172 wrote to memory of 2932	2172	sms.exe	39
PID 2172 wrote to memory of 2932	2172	sms.exe	39

C:\Users\Admin\AppData\Local\Temp\29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\sms.exe
  C:\Windows\system32\sms.exe 488 "C:\Users\Admin\AppData\Local\Temp\29f5b6249ea1d3d6a61696a6b2682283_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\sms.exe
    C:\Windows\system32\sms.exe 544 "C:\Windows\SysWOW64\sms.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\sms.exe
      C:\Windows\system32\sms.exe 540 "C:\Windows\SysWOW64\sms.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 552 "C:\Windows\SysWOW64\sms.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 560 "C:\Windows\SysWOW64\sms.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 568 "C:\Windows\SysWOW64\sms.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 584 "C:\Windows\SysWOW64\sms.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 564 "C:\Windows\SysWOW64\sms.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 556 "C:\Windows\SysWOW64\sms.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\sms.exe
        
        C:\Windows\system32\sms.exe 580 "C:\Windows\SysWOW64\sms.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sms.exe

Filesize
234KB

MD5
29f5b6249ea1d3d6a61696a6b2682283

SHA1
3f606faba4473fce6cf087afab2b8396b250ad37

SHA256
084194ce6ef1f3f35c7c6d0c35e2a8b9e06748d3f5c5eadf8738e9b0f6ed44b2

SHA512
59c2793b6a43b46d61a8ed4042a96720fb97447ad1eae0225af56083f0d0e07a6949b25b184be37657440a7d1f67a0a96b8fd9f1f46c1f17d773f44926deca34

Download Submit
memory/2312-17-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2312-25-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2312-18-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2640-23-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2640-22-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2640-24-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2640-28-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2708-14-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2708-2-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2708-1-0x0000000000577000-0x0000000000579000-memory.dmp

Filesize
8KB

Download
memory/2708-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2768-12-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2768-10-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download
memory/2768-19-0x0000000000400000-0x0000000000578E37-memory.dmp

Filesize
1.5MB

Download