metasploit | dfc1f0eb43631662b45b2a1b58a889e70fcb61887efc7c3afe263a59f91147cb

General

Target

dce7bd0ed581233f2dfd1e94755bb161_JaffaCakes118.doc
Size

36KB
MD5

dce7bd0ed581233f2dfd1e94755bb161
SHA1

6ee43521544f00fa0a8eacb977b159e87fed3d6b
SHA256

dfc1f0eb43631662b45b2a1b58a889e70fcb61887efc7c3afe263a59f91147cb
SHA512

5bac652cd6b683f4e935d1b92254983b2a91ffc51c652c7a88185f32a26c3e1628a211ca07d25af10f4bd5d7716c7ee5e8476dfd875fee8f9fbe7a048228af8d
SSDEEP

192:4NslLZEvA+6/6rrILd/Kf3HO8tA1DkF4FnSyL/MAj2PJlPWQLM6rEr+nwOOQ2IFL:98iSUR/8dAh/5SxdW+wRSF0jk1tutY

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

10.140.58.160:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2196	2496	DW20.EXE	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2496	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2496	WINWORD.EXE
2496	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	WINWORD.EXE
2496	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2496 wrote to memory of 2196	2496	WINWORD.EXE	30
PID 2196 wrote to memory of 2092	2196	DW20.EXE	31
PID 2196 wrote to memory of 2092	2196	DW20.EXE	31
PID 2196 wrote to memory of 2092	2196	DW20.EXE	31
PID 2196 wrote to memory of 2092	2196	DW20.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dce7bd0ed581233f2dfd1e94755bb161_JaffaCakes118.doc"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1236
  2⤵
  - Process spawned suspicious child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1236
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259435200.cvr

Filesize
1KB

MD5
a48d99fed78db3e9c0276a214e1335ac

SHA1
6292e4873330b28686c233df4830e22e0705fab9

SHA256
04bdd0792960d25eb05ff386350f5890627e7d1c898d82f8cc919e4a82f75170

SHA512
24d35d2d5ebab9dcea422d37c7e350bc3e6122991b30c18b1c6a4264bf7702f797acefbf97e840adc4fdfe14a6c512db6d49c1e9b1a162044edddd246dfdfa88

Download Submit
memory/2496-11-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-31-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-13-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-17-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-12-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-19-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-20-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-18-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-16-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-10-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-5-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-2-0x0000000070ECD000-0x0000000070ED8000-memory.dmp

Filesize
44KB

Download
memory/2496-14-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-9-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-7-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-6-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-4-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-22-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-23-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2496-26-0x0000000070ECD000-0x0000000070ED8000-memory.dmp

Filesize
44KB

Download
memory/2496-27-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/2496-0-0x000000002F081000-0x000000002F082000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing