metasploit | 9c005d1b3ad1d066b48cd6c31d77984730431c68bef00f7fd2837d791091150d

Analysis

max time kernel
148s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
Size

151KB
MD5

dc59a3a35a064bd33f7f3495e9930969
SHA1

d25906ddb9f861ecc70e77cb6a95cf78016c2832
SHA256

9c005d1b3ad1d066b48cd6c31d77984730431c68bef00f7fd2837d791091150d
SHA512

9a0d6a29c10e3932760cbbd9306744150e538486e6d9c959d08d11ba92a810324f73ad7b7df6a174aeb1bee8a753790e1b082b31fd3dc71e8696f39864effe24
SSDEEP

3072:eYAq+Bt0h0phE8M4qTvpmwEBn3Obl4kUGE84NXaf:eYtipO4qTvwwm0KD/e

Score

10^/10

metasploit aspackv2 backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00230000000186b7-4.dat	aspack_v212_v242

Executes dropped EXE 10 IoCs

pid	Process
1980	tsqla.exe
2864	tsqla.exe
2764	tsqla.exe
2172	tsqla.exe
2036	tsqla.exe
1256	tsqla.exe
2232	tsqla.exe
3020	tsqla.exe
2376	tsqla.exe
928	tsqla.exe

Loads dropped DLL 20 IoCs

pid	Process
3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
1980	tsqla.exe
1980	tsqla.exe
2864	tsqla.exe
2864	tsqla.exe
2764	tsqla.exe
2764	tsqla.exe
2172	tsqla.exe
2172	tsqla.exe
2036	tsqla.exe
2036	tsqla.exe
1256	tsqla.exe
1256	tsqla.exe
2232	tsqla.exe
2232	tsqla.exe
3020	tsqla.exe
3020	tsqla.exe
2376	tsqla.exe
2376	tsqla.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe
File opened for modification	C:\Windows\SysWOW64\tsqla.exe	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tsqla.exe	tsqla.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsqla.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1980	3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1980	3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1980	3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1980	3044	dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe	29
PID 1980 wrote to memory of 2864	1980	tsqla.exe	30
PID 1980 wrote to memory of 2864	1980	tsqla.exe	30
PID 1980 wrote to memory of 2864	1980	tsqla.exe	30
PID 1980 wrote to memory of 2864	1980	tsqla.exe	30
PID 2864 wrote to memory of 2764	2864	tsqla.exe	31
PID 2864 wrote to memory of 2764	2864	tsqla.exe	31
PID 2864 wrote to memory of 2764	2864	tsqla.exe	31
PID 2864 wrote to memory of 2764	2864	tsqla.exe	31
PID 2764 wrote to memory of 2172	2764	tsqla.exe	32
PID 2764 wrote to memory of 2172	2764	tsqla.exe	32
PID 2764 wrote to memory of 2172	2764	tsqla.exe	32
PID 2764 wrote to memory of 2172	2764	tsqla.exe	32
PID 2172 wrote to memory of 2036	2172	tsqla.exe	33
PID 2172 wrote to memory of 2036	2172	tsqla.exe	33
PID 2172 wrote to memory of 2036	2172	tsqla.exe	33
PID 2172 wrote to memory of 2036	2172	tsqla.exe	33
PID 2036 wrote to memory of 1256	2036	tsqla.exe	34
PID 2036 wrote to memory of 1256	2036	tsqla.exe	34
PID 2036 wrote to memory of 1256	2036	tsqla.exe	34
PID 2036 wrote to memory of 1256	2036	tsqla.exe	34
PID 1256 wrote to memory of 2232	1256	tsqla.exe	35
PID 1256 wrote to memory of 2232	1256	tsqla.exe	35
PID 1256 wrote to memory of 2232	1256	tsqla.exe	35
PID 1256 wrote to memory of 2232	1256	tsqla.exe	35
PID 2232 wrote to memory of 3020	2232	tsqla.exe	36
PID 2232 wrote to memory of 3020	2232	tsqla.exe	36
PID 2232 wrote to memory of 3020	2232	tsqla.exe	36
PID 2232 wrote to memory of 3020	2232	tsqla.exe	36
PID 3020 wrote to memory of 2376	3020	tsqla.exe	37
PID 3020 wrote to memory of 2376	3020	tsqla.exe	37
PID 3020 wrote to memory of 2376	3020	tsqla.exe	37
PID 3020 wrote to memory of 2376	3020	tsqla.exe	37
PID 2376 wrote to memory of 928	2376	tsqla.exe	38
PID 2376 wrote to memory of 928	2376	tsqla.exe	38
PID 2376 wrote to memory of 928	2376	tsqla.exe	38
PID 2376 wrote to memory of 928	2376	tsqla.exe	38

C:\Users\Admin\AppData\Local\Temp\dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\tsqla.exe
  C:\Windows\system32\tsqla.exe 480 "C:\Users\Admin\AppData\Local\Temp\dc59a3a35a064bd33f7f3495e9930969_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\tsqla.exe
    C:\Windows\system32\tsqla.exe 528 "C:\Windows\SysWOW64\tsqla.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\tsqla.exe
      C:\Windows\system32\tsqla.exe 532 "C:\Windows\SysWOW64\tsqla.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 540 "C:\Windows\SysWOW64\tsqla.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 536 "C:\Windows\SysWOW64\tsqla.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 544 "C:\Windows\SysWOW64\tsqla.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 556 "C:\Windows\SysWOW64\tsqla.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 552 "C:\Windows\SysWOW64\tsqla.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 560 "C:\Windows\SysWOW64\tsqla.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\tsqla.exe
        
        C:\Windows\system32\tsqla.exe 564 "C:\Windows\SysWOW64\tsqla.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tsqla.exe

Filesize
151KB

MD5
dc59a3a35a064bd33f7f3495e9930969

SHA1
d25906ddb9f861ecc70e77cb6a95cf78016c2832

SHA256
9c005d1b3ad1d066b48cd6c31d77984730431c68bef00f7fd2837d791091150d

SHA512
9a0d6a29c10e3932760cbbd9306744150e538486e6d9c959d08d11ba92a810324f73ad7b7df6a174aeb1bee8a753790e1b082b31fd3dc71e8696f39864effe24

Download Submit
memory/928-70-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/1256-50-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/1980-20-0x0000000002EE0000-0x000000000350A000-memory.dmp

Filesize
6.2MB

Download
memory/1980-12-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/1980-16-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2036-44-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2036-42-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2172-36-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2172-37-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2232-55-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2376-65-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2764-30-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2764-34-0x0000000002F00000-0x000000000352A000-memory.dmp

Filesize
6.2MB

Download
memory/2764-28-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2864-21-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/2864-23-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/3020-60-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/3044-0-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/3044-15-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/3044-11-0x0000000002EE0000-0x000000000350A000-memory.dmp

Filesize
6.2MB

Download