metasploit | 406d0a6ebc2a0293dc7674de4b359bab7a2454381d5e3c1514d6b93c840dee0f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
Size

3.3MB
MD5

d8b1c6dcd3e6768fc9127ae58f43918f
SHA1

e72f04654790756ee35717dc22fd9ec6feba5808
SHA256

406d0a6ebc2a0293dc7674de4b359bab7a2454381d5e3c1514d6b93c840dee0f
SHA512

836bef0dabe7b8d98a57acbe67cf70602a70e14351e7f90e8abf2000c579a6273b7263a4363961f363a7c01e4911c6a0c39deec2d7aed95f49e4f45d5193c453
SSDEEP

98304:tQMZyVyGHAeBALgXYRYxKbxabdDkmDduupMes+0kyJ:2BlaPRYXkmIesuy

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 3 IoCs

pid	Process
2736	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
2736	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
2736	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2736	2708	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2736	2708	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2736	2708	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2736	2708	d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d8b1c6dcd3e6768fc9127ae58f43918f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27082\666.exe.manifest

Filesize
1007B

MD5
0102cad75f0583a01eb7adb676b394bf

SHA1
5776b00ed889c33c019753ba421708ab029340f7

SHA256
bcc2b29c5a279d03d384a6643041b97d5f21d79d444def31d4ad05c2ab178ed7

SHA512
a8759e0e09e3bccfb19395b0a3ed1933191e8b5746450b2521d316f9159ff06071a1c64d0a8e04fd5057e79570d9dff906238138d6a1a9c886554a1f739304e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27082\MSVCR90.dll

Filesize
638KB

MD5
5bc75d03abf8ebaf9c5ea4e354dfb840

SHA1
bea3d2c0a9150a112322b506814ebd965da4de4c

SHA256
92281334cf905c35e7c93dd526b5c199ea9823cd52922f55f14e3008f98cd4e1

SHA512
c34d647319b7257e3d3adc1fef45e1a88b49e005b90bcb5c5e2ed0b6cf0d54bfeb22b74f3ad2482fdba0eeb6660e94ce74327165778aec3f86ca8b33632df179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27082\python27.dll

Filesize
2.5MB

MD5
c8c4685509f1375666b03206457d4e9f

SHA1
d18a6ae41fd195818bcc6f667e22eb66be28947d

SHA256
42343c316e7aac408e6066ba93bcbdddb00940bdf901d9aed28111ca5d96279e

SHA512
4e06496b25d4447b048c6b4c936b573304689804ca522179cef7de41e4a4546fba546ebf0b7d08d67d82a025e04485a407a0fadfda94ab7d1f38025bbdafaba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27~1\_ctypes.pyd

Filesize
89KB

MD5
9e6c48ec9508423d0ce6b6e4d4a10d90

SHA1
82548d0cfcd99bc11ecee670dc0c1c9538aa6ade

SHA256
b700441351b3a24a1ec392376984d3d95a541ea548c77f0df55d7af579ea9c1a

SHA512
37fc511610e5ab06a78f276bf0f4b7335a37d40fdf0158f674ecf1b029fe3298e0667230d3f8840258b8e5413108e1e6aeaaff090b3cca6eef007ca5a1f8d926

Download Submit
memory/2736-18-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2736-19-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download