metasploit | 408e5dc79d1093cd03d4402d09ef9a0ae79699c84a952487eecca8700f6cce8d

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 03:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe
Size

132KB
MD5

2acdbd2d660d948e6bd07a7e83e12ebd
SHA1

013534a38e260c57d94d76542654e1aa6ffb8b1a
SHA256

408e5dc79d1093cd03d4402d09ef9a0ae79699c84a952487eecca8700f6cce8d
SHA512

279e6e2274de67838b3e44eb9fcc9acd43cd54a2601b9474bd3fd47f8bed5648810ea2ecb241cd23b90838a5f4dc4f2078b73a0baaffcaf4ccb1bc80e0ffff4e
SSDEEP

3072:kGu9BlfzWIbXWm+w0J75i32eRCXzNWnvPyUDT5pLwHEx:k/0uozfqvK8T/w6

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/download_exec

http://81.56.114.32:80/oCTV

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
4364	INSTAL~3.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4364	2392	2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe	91
PID 2392 wrote to memory of 4364	2392	2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe	91
PID 2392 wrote to memory of 4364	2392	2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2acdbd2d660d948e6bd07a7e83e12ebd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~3.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~3.EXE
  2⤵
  - Executes dropped EXE
  PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,16032378445269040051,10701855434060315937,262144 --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:8
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~3.EXE

Filesize
72KB

MD5
8be515658444489511b58c99b7970c17

SHA1
2604ac1806ed15a7044b39f1fd30d2668e3f0470

SHA256
3a669550eec748a14f5039cb14a18cd54b3c02d2b5c39287e7ee67bebccef481

SHA512
6dbb308113e7e8637b30d06251e3ad50ff70700685deafff3f27c65b0276a33a78e4d95b235aa1b7497c9d9c1dfd0687052d429492366e1146bb655ffe43eea7

Download Submit
memory/4364-7-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads