metasploit | b590489f91ba11b4b304f3282293b932442da2614bf86ebeed08f9e299cb89d3

General

Target

d7c146ebd5bffffd702a38bf891196ab_JaffaCakes118.jar
Size

50KB
MD5

d7c146ebd5bffffd702a38bf891196ab
SHA1

f717579e1eb878fafe60525564a6dea3ff22922d
SHA256

b590489f91ba11b4b304f3282293b932442da2614bf86ebeed08f9e299cb89d3
SHA512

4e0bfc56aae13cf28553c4fd500539f1f38892c7ebcbaf898bb88f6f668e1c5b9ab91399d669fa1b011a991e9d68d9334f431712d3c9b92ad18b368e04bf0bc6
SSDEEP

768:BDzyqV/kcfpGdqjZQLHmFyOdpuzTZROCQ0VqXJUod3AME/JQ6zlzUtsJ/Blvx:JV/kcfpsgZQLHzGp+ZIFMqXJU4ApTJnZ

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

208.118.237.54:53

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
1984	nJRxgsIi.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.118.237.54

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nJRxgsIi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2052	4060	java.exe	87
PID 4060 wrote to memory of 2052	4060	java.exe	87
PID 2052 wrote to memory of 3112	2052	java.exe	89
PID 2052 wrote to memory of 3112	2052	java.exe	89
PID 3112 wrote to memory of 1984	3112	java.exe	91
PID 3112 wrote to memory of 1984	3112	java.exe	91
PID 3112 wrote to memory of 1984	3112	java.exe	91

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\d7c146ebd5bffffd702a38bf891196ab_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn2687134139925715625.tmp.dir metasploit.Payload
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\~spawn8082888014579673637.tmp.dir metasploit.Payload
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\~spawn214472803898254708.tmp.dir\nJRxgsIi.exe
      C:\Users\Admin\AppData\Local\Temp\~spawn214472803898254708.tmp.dir\nJRxgsIi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
71abccb84fa5539de44c07d273b58283

SHA1
e11bd395c7f7e461a1c28d600971bebeff5fdf30

SHA256
ebc564caf0ca9f2b4bc18438a2273226dc6810c206a2a13aeb135df9618dbaf5

SHA512
e4b7211ce094ec72a48309d17442fb2eb19ab90efa3bbcc454ee9832dbc9b1827e33f337ab7d68fd62f16bfc260010a2c97951b8fe9d56d6b8d557592258b40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn214472803898254708.tmp.dir\nJRxgsIi.exe

Filesize
72KB

MD5
bcbce9df19d17c3a48a2a1b034d26e35

SHA1
f60b4551dd224edee1147719d89a6b0e507b7c98

SHA256
dcd08be5c93a3c2e061a9de0f15e5269218806bd8fb7224ea54e6a4da544311f

SHA512
4d61e86d8807f5ad14bdb701159a779fa83d4281d653af0db602803dab14172f4ab048db3a6a5f87f04aaeb6fefe73ab845a30ef2eb9cec7ce4a41dc4a8e1cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn2687134139925715625.tmp.dir\metasploit.dat

Filesize
150B

MD5
4d715fc409d806062ef585e56a2df0a7

SHA1
884948808e7d387429014a8b60543ef6d742793e

SHA256
ab3b42706c4dc045ca0e6db5fe3526f3f3567ad497185ac194a7e05b76a11ed0

SHA512
87f269084728f22f0a8a44606a1e7f32670071b2e8dcd44172db6ae6a48b08a835dd6bca25a357eaf59de480f2db4ef3ec13726bc3647325387bec96501bf555

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn2687134139925715625.tmp.dir\metasploit\Payload.class

Filesize
8KB

MD5
9cebcda545a470cdb23a53245d3c781b

SHA1
de4557947d87b7ef80537704d26c706b0d0c8d2c

SHA256
563704ac1abfd9e4f3d7648f07385d3b4acfe10cd5b972b81dc750a0fa9eea52

SHA512
b720e6947cbfdf62f29f19a3ae1ac4247741ca8f98f8e587bea43b3663ab62f9949e84ab98c2e90349d6f9d8da1ab5d5646a22b12aebdeb389b1540a46628150

Download Submit
C:\Users\Admin\AppData\Local\Temp\~spawn8082888014579673637.tmp.dir\metasploit.dat

Filesize
150B

MD5
d87c65ec559cd708389b6fbfcbddd52e

SHA1
b2ce8a97c15d55bb8116bf1fcc94cf8fa69762df

SHA256
7ef85e06b399ab65b9a8a16076b891d5e65b392bad8bdc32282967dc786fd3a1

SHA512
149e08d58b191802ae97566eca10b559f53bbba58c6601bb41cf7caf6b945a35161162318e2b08fa9263ce77a7b4c7f4c9ab8205e44eedce7571368a81f51b48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\83aa4cc77f591dfc2374580bbd95f6ba_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/2052-18-0x00000176DC430000-0x00000176DC6A0000-memory.dmp

Filesize
2.4MB

Download
memory/2052-57-0x00000176DC430000-0x00000176DC6A0000-memory.dmp

Filesize
2.4MB

Download
memory/2052-56-0x00000176DC410000-0x00000176DC411000-memory.dmp

Filesize
4KB

Download
memory/2052-54-0x00000176DC410000-0x00000176DC411000-memory.dmp

Filesize
4KB

Download
memory/3112-51-0x0000022629810000-0x0000022629811000-memory.dmp

Filesize
4KB

Download
memory/3112-53-0x000002262B000000-0x000002262B270000-memory.dmp

Filesize
2.4MB

Download
memory/3112-35-0x000002262B000000-0x000002262B270000-memory.dmp

Filesize
2.4MB

Download
memory/4060-2-0x0000028FE0A60000-0x0000028FE0CD0000-memory.dmp

Filesize
2.4MB

Download
memory/4060-38-0x0000028FDF0D0000-0x0000028FDF0D1000-memory.dmp

Filesize
4KB

Download
memory/4060-59-0x0000028FDF0D0000-0x0000028FDF0D1000-memory.dmp

Filesize
4KB

Download
memory/4060-60-0x0000028FE0A60000-0x0000028FE0CD0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads