metasploit | ff76d34bace404e490aefcc36d341fc63555c0a2f874362be80be7a23ee2f227

General

Target

e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
Size

1.7MB
MD5

e2d4c198cf489e724a91f76f9e3fb00e
SHA1

8661cd99b2fa107d8124cee1740934de248d47bd
SHA256

ff76d34bace404e490aefcc36d341fc63555c0a2f874362be80be7a23ee2f227
SHA512

10d282e99e7c2f24ee9bbfe0acd8feba70384c1892de70046eba1084f4a15cfbbe4d64b0f263cecffdbf3c12c97922b783ddb05052894c41d1f3878731490ef9
SSDEEP

49152:7WKfCRdWutR4D3A1A+hQ88aZQS+asUd91Evw:yKfm4AheMZx+aseKw

Score

10^/10

metasploit backdoor discovery evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2852	regedit.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2260	2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2260	2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2260	2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2260	2520	e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2852	2260	cmd.exe	31
PID 2260 wrote to memory of 2852	2260	cmd.exe	31
PID 2260 wrote to memory of 2852	2260	cmd.exe	31
PID 2260 wrote to memory of 2852	2260	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
e6d8af5aed642209c88269bf56af50ae

SHA1
633d40da997074dc0ed10938ebc49a3aeb3a7fc8

SHA256
550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

SHA512
6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/2520-120-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-116-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-117-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-118-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-119-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-1-0x0000000000401000-0x0000000000422000-memory.dmp

Filesize
132KB

Download
memory/2520-122-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-123-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-124-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-125-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-126-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-127-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-128-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-129-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download
memory/2520-130-0x0000000000400000-0x00000000006C8000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads