metasploit | 439616d95562533c1a605c03e7a9e89365d386fe5d0f20ac60ebfb054b6d1c2c

General

Target

dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe
Size

2.2MB
MD5

dc2b0342367f39aa1cc4b26788aa0d87
SHA1

842450ef62e58afff3b53acff4651d113431c32f
SHA256

439616d95562533c1a605c03e7a9e89365d386fe5d0f20ac60ebfb054b6d1c2c
SHA512

1a72d8d98b6c9cac23b42b5817afac911cf34b914eadc7d7b53ee4ff760a1a7fb1e5de95786a8f95b3c06c3bbcbd9d82a3bf48fada0f08729404951b93e741f9
SSDEEP

49152:KqIBwxHE3gfNI6UrjBx+3TYPr/rfw/sFqwBFoyQO8N9VUpSJTHQMPa4:KqIBwxH+gezlx+jKr/bLowBFTQOC9Hu

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WINDOWS 7 LOADER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WINDOWS 7 LOADER.EXE

Executes dropped EXE 3 IoCs

pid	Process
1888	DT.EXE
2064	DT.EXE
3056	WINDOWS 7 LOADER.EXE

Loads dropped DLL 3 IoCs

pid	Process
1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe
1888	DT.EXE
1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-24-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-23-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-22-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-20-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2064-25-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x00030000000178b0-30.dat	upx
behavioral1/memory/3056-35-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/3056-37-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/3056-71-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/3056-78-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 2064	1888	DT.EXE	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS 7 LOADER.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	DT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	DT.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1888	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	30
PID 1872 wrote to memory of 1888	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	30
PID 1872 wrote to memory of 1888	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	30
PID 1872 wrote to memory of 1888	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	30
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1888 wrote to memory of 2064	1888	DT.EXE	31
PID 1872 wrote to memory of 3056	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	32
PID 1872 wrote to memory of 3056	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	32
PID 1872 wrote to memory of 3056	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	32
PID 1872 wrote to memory of 3056	1872	dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc2b0342367f39aa1cc4b26788aa0d87_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\DT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\DT.EXE
    "C:\Users\Admin\AppData\Local\Temp\DT.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- C:\Users\Admin\AppData\Local\Temp\WINDOWS 7 LOADER.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINDOWS 7 LOADER.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DT.EXE

Filesize
124KB

MD5
1b4f9f5dbd75b62b84db4c92f5ec4dac

SHA1
907fec59c5bce0e134cb03c7bb3289ce70c9c490

SHA256
e53199377c55fcfabb611f01f62b656b6e27da7fa96e20bdb73cdb591b8c11fb

SHA512
0de5a72d8a04c869288ffb6dce9c38f5cef6ad74d1f48a9876035862c7861470eb0a657decf8c7c8906ba096a60357b6f5932c2b1658991804a275bed6023b7a

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS 7 LOADER.EXE

Filesize
2.1MB

MD5
cef98b5060e3d729fc1b461a96c2ce13

SHA1
8a75c52bde516344436708bfd670ca18e45b2a1a

SHA256
79ee0cad9b0e361222ac6c21aeb9056f415340149c49e91c27fac3311a3932a2

SHA512
eade526b5663ae0b1349b570030b40ad69214477899d04e0602e5550548540646d68e3f7bea92e7be8e9ad140ebd016fd74dfb60c7daa22bdb58caaffbe2555c

Download Submit
memory/1872-33-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1872-26-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2064-22-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-25-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2064-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3056-35-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3056-37-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3056-54-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/3056-46-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/3056-38-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/3056-62-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/3056-71-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/3056-78-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing