metasploit | 9882dbeab876628893092123d1bf54377780f84cf55fe28fcf1e703fd2ceb3af

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
Size

259KB
MD5

70a8038d189039d79e851fdad6e1b021
SHA1

44f08b14b5e24e1152887a0355378b33619d80da
SHA256

9882dbeab876628893092123d1bf54377780f84cf55fe28fcf1e703fd2ceb3af
SHA512

d5a0204b968b0e93c1328b461486daaf5cf0e1ce19edc64b7de73c7ae92147f5714ea5a5c00b4616da15ec0a3a495c69c2f352acced0f3484b9d0fd6d82e9b5c
SSDEEP

6144:H0BbAErDlFiPN4dW1TknVkuYfveJKpQDAk/6YjuZbcGo/nM:uvrDaoCmVkuYOJKp+fpOYzPM

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 20 IoCs

pid	Process
3752	msq23.exe
3416	msq23.exe
2224	msq23.exe
1132	msq23.exe
2588	msq23.exe
5040	msq23.exe
3752	msq23.exe
3900	msq23.exe
3048	msq23.exe
860	msq23.exe
4624	msq23.exe
1264	msq23.exe
4584	msq23.exe
3564	msq23.exe
3808	msq23.exe
4048	msq23.exe
736	msq23.exe
3584	msq23.exe
3424	msq23.exe
2588	msq23.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 3752 set thread context of 3416	3752	msq23.exe	86
PID 2224 set thread context of 1132	2224	msq23.exe	99
PID 2588 set thread context of 5040	2588	msq23.exe	102
PID 3752 set thread context of 3900	3752	msq23.exe	106
PID 3048 set thread context of 860	3048	msq23.exe	108
PID 4624 set thread context of 1264	4624	msq23.exe	111
PID 4584 set thread context of 3564	4584	msq23.exe	113
PID 3808 set thread context of 4048	3808	msq23.exe	123
PID 736 set thread context of 3584	736	msq23.exe	125
PID 3424 set thread context of 2588	3424	msq23.exe	130

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 2428 wrote to memory of 4432	2428	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	84
PID 4432 wrote to memory of 3752	4432	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	85
PID 4432 wrote to memory of 3752	4432	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	85
PID 4432 wrote to memory of 3752	4432	70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe	85
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3752 wrote to memory of 3416	3752	msq23.exe	86
PID 3416 wrote to memory of 2224	3416	msq23.exe	98
PID 3416 wrote to memory of 2224	3416	msq23.exe	98
PID 3416 wrote to memory of 2224	3416	msq23.exe	98
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 2224 wrote to memory of 1132	2224	msq23.exe	99
PID 1132 wrote to memory of 2588	1132	msq23.exe	101
PID 1132 wrote to memory of 2588	1132	msq23.exe	101
PID 1132 wrote to memory of 2588	1132	msq23.exe	101
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 2588 wrote to memory of 5040	2588	msq23.exe	102
PID 5040 wrote to memory of 3752	5040	msq23.exe	105
PID 5040 wrote to memory of 3752	5040	msq23.exe	105
PID 5040 wrote to memory of 3752	5040	msq23.exe	105
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106
PID 3752 wrote to memory of 3900	3752	msq23.exe	106

C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\msq23.exe
    C:\Windows\system32\msq23.exe 1000 "C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\msq23.exe
      C:\Windows\system32\msq23.exe 1000 "C:\Users\Admin\AppData\Local\Temp\70a8038d189039d79e851fdad6e1b021_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1152 "C:\Windows\SysWOW64\msq23.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1152 "C:\Windows\SysWOW64\msq23.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1112 "C:\Windows\SysWOW64\msq23.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1112 "C:\Windows\SysWOW64\msq23.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1124 "C:\Windows\SysWOW64\msq23.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1124 "C:\Windows\SysWOW64\msq23.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1124 "C:\Windows\SysWOW64\msq23.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1124 "C:\Windows\SysWOW64\msq23.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1080 "C:\Windows\SysWOW64\msq23.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1080 "C:\Windows\SysWOW64\msq23.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1116 "C:\Windows\SysWOW64\msq23.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1116 "C:\Windows\SysWOW64\msq23.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 1120 "C:\Windows\SysWOW64\msq23.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msq23.exe

Filesize
259KB

MD5
70a8038d189039d79e851fdad6e1b021

SHA1
44f08b14b5e24e1152887a0355378b33619d80da

SHA256
9882dbeab876628893092123d1bf54377780f84cf55fe28fcf1e703fd2ceb3af

SHA512
d5a0204b968b0e93c1328b461486daaf5cf0e1ce19edc64b7de73c7ae92147f5714ea5a5c00b4616da15ec0a3a495c69c2f352acced0f3484b9d0fd6d82e9b5c

Download Submit
memory/1132-44-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2224-41-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2428-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2588-56-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3416-27-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3416-29-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3752-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3752-28-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3900-74-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-1-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-16-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-8-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-2-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-3-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-4-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4432-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/5040-59-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download