metasploit | 68b4617df580e51f78ceec845a7834229f2fb3739e0f71c3cbc0aadb0920cc4b

General

Target

d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
Size

68KB
MD5

d6161d729217cd2a6983ef32a8020631
SHA1

c8056ebe061fcc8a9e1d819ce6c6337a6d13ce5f
SHA256

68b4617df580e51f78ceec845a7834229f2fb3739e0f71c3cbc0aadb0920cc4b
SHA512

246f3808d12db5f0e6c6a742adcf7953e45879a2c6970016bfdaca4cdb61f60ecfaede142e9bb4517990e46bfaf9a2f373f699c4d738563ae1f082da580c40be
SSDEEP

1536:4jrnJ1KXI4dI2bZtXH3aYRwr30Fpb+4D5K3TPVX:4iXI49bZhH3bCcpS4g

Score

10^/10

metasploit backdoor defense_evasion discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
1552	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	servises.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servises.exe"	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servises.exe"	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	servises.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
Token: SeShutdownPrivilege	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
Token: SeDebugPrivilege	2348	servises.exe
Token: SeShutdownPrivilege	2348	servises.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2348	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2348	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2348	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2348	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	31
PID 2316 wrote to memory of 1552	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	32
PID 2316 wrote to memory of 1552	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	32
PID 2316 wrote to memory of 1552	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	32
PID 2316 wrote to memory of 1552	2316	d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6161d729217cd2a6983ef32a8020631_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\servises.exe
  C:\Users\Admin\AppData\Local\Temp\servises.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\D6161D~1.EXE" >> NUL
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\servises.exe

Filesize
68KB

MD5
d6161d729217cd2a6983ef32a8020631

SHA1
c8056ebe061fcc8a9e1d819ce6c6337a6d13ce5f

SHA256
68b4617df580e51f78ceec845a7834229f2fb3739e0f71c3cbc0aadb0920cc4b

SHA512
246f3808d12db5f0e6c6a742adcf7953e45879a2c6970016bfdaca4cdb61f60ecfaede142e9bb4517990e46bfaf9a2f373f699c4d738563ae1f082da580c40be

Download Submit
memory/2316-3-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2316-2-0x0000000000426000-0x000000000042E000-memory.dmp

Filesize
32KB

Download
memory/2316-1-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2316-0-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2316-4-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2316-8-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2316-16-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2316-15-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2316-13-0x0000000000426000-0x000000000042E000-memory.dmp

Filesize
32KB

Download
memory/2348-19-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download
memory/2348-24-0x0000000000400000-0x000000000042E0C0-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads