metasploit | d606e5af4caf19322f88398771249b30f36279dc1fd075606691ff53ee34f3a6

Analysis

max time kernel
138s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe
Size

442KB
MD5

64f7dc9fa39c751c0bc3817e8b3784d8
SHA1

e28fd6b598a86cc73c538e9a72192fe97f4ebbf3
SHA256

d606e5af4caf19322f88398771249b30f36279dc1fd075606691ff53ee34f3a6
SHA512

11dbd73b501b2d6efe006b8ea3025fee67c6dc256a639c443e961f7081e3905ffede0579f7dc5fc9d902dee0249045f6bd99a04f3ad4298bed8ae7a9b213c46e
SSDEEP

12288:0Z6WGeHjMhL9Mqsfgxg+SqHlCXQVdSp7SW:+rGeHjMTMfgnS4w10W

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 11 IoCs

pid	Process
1828	HelpMe.exe
1248	winapi32.exe
2892	winapi32.exe
2776	winapi32.exe
2324	winapi32.exe
2504	winapi32.exe
2976	winapi32.exe
2044	winapi32.exe
2168	winapi32.exe
2076	winapi32.exe
3052	winapi32.exe

Loads dropped DLL 22 IoCs

pid	Process
1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe
1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe
1828	HelpMe.exe
1828	HelpMe.exe
1248	winapi32.exe
1248	winapi32.exe
2892	winapi32.exe
2892	winapi32.exe
2776	winapi32.exe
2776	winapi32.exe
2324	winapi32.exe
2324	winapi32.exe
2504	winapi32.exe
2504	winapi32.exe
2976	winapi32.exe
2976	winapi32.exe
2044	winapi32.exe
2044	winapi32.exe
2168	winapi32.exe
2168	winapi32.exe
2076	winapi32.exe
2076	winapi32.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winapi32.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File opened for modification	C:\Windows\SysWOW64\winapi32.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe
File created	C:\Windows\SysWOW64\winapi32.exe	winapi32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1828	1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1828	1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1828	1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe	30
PID 1724 wrote to memory of 1828	1724	64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe	30
PID 1828 wrote to memory of 1248	1828	HelpMe.exe	31
PID 1828 wrote to memory of 1248	1828	HelpMe.exe	31
PID 1828 wrote to memory of 1248	1828	HelpMe.exe	31
PID 1828 wrote to memory of 1248	1828	HelpMe.exe	31
PID 1248 wrote to memory of 2892	1248	winapi32.exe	33
PID 1248 wrote to memory of 2892	1248	winapi32.exe	33
PID 1248 wrote to memory of 2892	1248	winapi32.exe	33
PID 1248 wrote to memory of 2892	1248	winapi32.exe	33
PID 2892 wrote to memory of 2776	2892	winapi32.exe	34
PID 2892 wrote to memory of 2776	2892	winapi32.exe	34
PID 2892 wrote to memory of 2776	2892	winapi32.exe	34
PID 2892 wrote to memory of 2776	2892	winapi32.exe	34
PID 2776 wrote to memory of 2324	2776	winapi32.exe	35
PID 2776 wrote to memory of 2324	2776	winapi32.exe	35
PID 2776 wrote to memory of 2324	2776	winapi32.exe	35
PID 2776 wrote to memory of 2324	2776	winapi32.exe	35
PID 2324 wrote to memory of 2504	2324	winapi32.exe	36
PID 2324 wrote to memory of 2504	2324	winapi32.exe	36
PID 2324 wrote to memory of 2504	2324	winapi32.exe	36
PID 2324 wrote to memory of 2504	2324	winapi32.exe	36
PID 2504 wrote to memory of 2976	2504	winapi32.exe	37
PID 2504 wrote to memory of 2976	2504	winapi32.exe	37
PID 2504 wrote to memory of 2976	2504	winapi32.exe	37
PID 2504 wrote to memory of 2976	2504	winapi32.exe	37
PID 2976 wrote to memory of 2044	2976	winapi32.exe	38
PID 2976 wrote to memory of 2044	2976	winapi32.exe	38
PID 2976 wrote to memory of 2044	2976	winapi32.exe	38
PID 2976 wrote to memory of 2044	2976	winapi32.exe	38
PID 2044 wrote to memory of 2168	2044	winapi32.exe	39
PID 2044 wrote to memory of 2168	2044	winapi32.exe	39
PID 2044 wrote to memory of 2168	2044	winapi32.exe	39
PID 2044 wrote to memory of 2168	2044	winapi32.exe	39
PID 2168 wrote to memory of 2076	2168	winapi32.exe	40
PID 2168 wrote to memory of 2076	2168	winapi32.exe	40
PID 2168 wrote to memory of 2076	2168	winapi32.exe	40
PID 2168 wrote to memory of 2076	2168	winapi32.exe	40
PID 2076 wrote to memory of 3052	2076	winapi32.exe	41
PID 2076 wrote to memory of 3052	2076	winapi32.exe	41
PID 2076 wrote to memory of 3052	2076	winapi32.exe	41
PID 2076 wrote to memory of 3052	2076	winapi32.exe	41

C:\Users\Admin\AppData\Local\Temp\64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64f7dc9fa39c751c0bc3817e8b3784d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\winapi32.exe
    C:\Windows\system32\winapi32.exe 468 "C:\Windows\SysWOW64\HelpMe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\winapi32.exe
      C:\Windows\system32\winapi32.exe 528 "C:\Windows\SysWOW64\winapi32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 536 "C:\Windows\SysWOW64\winapi32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 520 "C:\Windows\SysWOW64\winapi32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 544 "C:\Windows\SysWOW64\winapi32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 524 "C:\Windows\SysWOW64\winapi32.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 548 "C:\Windows\SysWOW64\winapi32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 532 "C:\Windows\SysWOW64\winapi32.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 540 "C:\Windows\SysWOW64\winapi32.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\winapi32.exe
        
        C:\Windows\system32\winapi32.exe 568 "C:\Windows\SysWOW64\winapi32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\HelpMe.exe

Filesize
318KB

MD5
35d2df1277f0e5c49efc235bb86be381

SHA1
cd56d17c6763ab8ba4acdb570385f18eece1bc2b

SHA256
ace9a7462ba1a5c46e6c31ecf412bb5904eb9ea845dbffe6675626e6df0eda43

SHA512
4ad67c6b203a1a9ec4b9d95d83195f81ba70df17b6ef4ff2a40bc907405b033ac00a458cda00c49dbe1e534194652f3142ee95ebf6904b3f5b6d83199c6bf8a9

Download Submit