metasploit | 4eb8f41983ee7f2d4c4fbc0c522015d83af600665f7202d20bab6b2fb00c88bc

General

Target

dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe
Size

626KB
MD5

dd47cdc584c1934835e2f8d3ebd55c49
SHA1

43fc40273dd033b2e391e6eda38f49437d477887
SHA256

4eb8f41983ee7f2d4c4fbc0c522015d83af600665f7202d20bab6b2fb00c88bc
SHA512

f776bccc9cf0dfe83caeb509835ed5884d137148bccad1d5454df6f9b90e4e6b0488c3b79432c1ff4ca333d1f4dc773d63f1813b61ea16211a3789cf0b2fc05c
SSDEEP

12288:KBitsaJiKq+IvmAU8e5i88xsTmOg+LuxMTWNm868Oa2hcEiP/3IWVJ/ux9cb0G:KntKq+JF8Ei88yTmr+LuxMW6E/7

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.1.253:65535

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/992-0-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral2/memory/992-2-0x0000000000400000-0x0000000000503000-memory.dmp	upx
behavioral2/memory/992-12-0x0000000000400000-0x0000000000503000-memory.dmp	upx

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 404	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	84
PID 992 wrote to memory of 404	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	84
PID 992 wrote to memory of 404	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	84
PID 404 wrote to memory of 4776	404	cmd.exe	85
PID 404 wrote to memory of 4776	404	cmd.exe	85
PID 404 wrote to memory of 4776	404	cmd.exe	85
PID 4776 wrote to memory of 1564	4776	net.exe	86
PID 4776 wrote to memory of 1564	4776	net.exe	86
PID 4776 wrote to memory of 1564	4776	net.exe	86
PID 992 wrote to memory of 2444	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	87
PID 992 wrote to memory of 2444	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	87
PID 992 wrote to memory of 2444	992	dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe	87
PID 2444 wrote to memory of 3516	2444	cmd.exe	88
PID 2444 wrote to memory of 3516	2444	cmd.exe	88
PID 2444 wrote to memory of 3516	2444	cmd.exe	88
PID 3516 wrote to memory of 5068	3516	net.exe	89
PID 3516 wrote to memory of 5068	3516	net.exe	89
PID 3516 wrote to memory of 5068	3516	net.exe	89

C:\Users\Admin\AppData\Local\Temp\dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd47cdc584c1934835e2f8d3ebd55c49_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net user /add pako antifa
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\net.exe
    net user /add pako antifa
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user /add pako antifa
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup administrators pako /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators pako /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators pako /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Privilege Escalation

Account Manipulation

1

T1098

Defense Evasion

Credential Access

Discovery

Permission Groups Discovery

1

T1069

Local Groups

1

T1069.001

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/992-2-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/992-12-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing