metasploit | de615be1170b2dcd3693bad48e969c66e9068209aa06aff543daa81ea69945ec

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
Size

121KB
MD5

e4793601cffb3ba161163909ea2de0af
SHA1

b7ff4bb12452f08d81c224dd0c3567166af0c6b9
SHA256

de615be1170b2dcd3693bad48e969c66e9068209aa06aff543daa81ea69945ec
SHA512

d148fdb8c0d6fa95aaaf3a7c7c6e575cffa74ef90c180e6480aa513def607535bffb88204d5c65d94effefeacb529c4b34794cc7c66ee405afa91228e830c30a
SSDEEP

3072:Ns0uSyTn8AwXzcYeY69t8KEAIKelkMkLLSHmI:O0udz8dDd6VEA+6MwuHn

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
976	upgradei.exe
232	upgradei.exe
2196	upgradei.exe
2960	upgradei.exe
1332	upgradei.exe
2364	upgradei.exe
4436	upgradei.exe
1596	upgradei.exe
4164	upgradei.exe
4716	upgradei.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe
File opened for modification	C:\Windows\SysWOW64\upgradei.exe	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\upgradei.exe	upgradei.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
524	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
976	upgradei.exe
232	upgradei.exe
2196	upgradei.exe
2960	upgradei.exe
1332	upgradei.exe
2364	upgradei.exe
4436	upgradei.exe
1596	upgradei.exe
4164	upgradei.exe
4716	upgradei.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgradei.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 976	524	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe	83
PID 524 wrote to memory of 976	524	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe	83
PID 524 wrote to memory of 976	524	e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe	83
PID 976 wrote to memory of 232	976	upgradei.exe	91
PID 976 wrote to memory of 232	976	upgradei.exe	91
PID 976 wrote to memory of 232	976	upgradei.exe	91
PID 232 wrote to memory of 2196	232	upgradei.exe	93
PID 232 wrote to memory of 2196	232	upgradei.exe	93
PID 232 wrote to memory of 2196	232	upgradei.exe	93
PID 2196 wrote to memory of 2960	2196	upgradei.exe	95
PID 2196 wrote to memory of 2960	2196	upgradei.exe	95
PID 2196 wrote to memory of 2960	2196	upgradei.exe	95
PID 2960 wrote to memory of 1332	2960	upgradei.exe	96
PID 2960 wrote to memory of 1332	2960	upgradei.exe	96
PID 2960 wrote to memory of 1332	2960	upgradei.exe	96
PID 1332 wrote to memory of 2364	1332	upgradei.exe	97
PID 1332 wrote to memory of 2364	1332	upgradei.exe	97
PID 1332 wrote to memory of 2364	1332	upgradei.exe	97
PID 2364 wrote to memory of 4436	2364	upgradei.exe	98
PID 2364 wrote to memory of 4436	2364	upgradei.exe	98
PID 2364 wrote to memory of 4436	2364	upgradei.exe	98
PID 4436 wrote to memory of 1596	4436	upgradei.exe	99
PID 4436 wrote to memory of 1596	4436	upgradei.exe	99
PID 4436 wrote to memory of 1596	4436	upgradei.exe	99
PID 1596 wrote to memory of 4164	1596	upgradei.exe	100
PID 1596 wrote to memory of 4164	1596	upgradei.exe	100
PID 1596 wrote to memory of 4164	1596	upgradei.exe	100
PID 4164 wrote to memory of 4716	4164	upgradei.exe	101
PID 4164 wrote to memory of 4716	4164	upgradei.exe	101
PID 4164 wrote to memory of 4716	4164	upgradei.exe	101

C:\Users\Admin\AppData\Local\Temp\e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\SysWOW64\upgradei.exe
  C:\Windows\system32\upgradei.exe 1032 "C:\Users\Admin\AppData\Local\Temp\e4793601cffb3ba161163909ea2de0af_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\upgradei.exe
    C:\Windows\system32\upgradei.exe 1152 "C:\Windows\SysWOW64\upgradei.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\upgradei.exe
      C:\Windows\system32\upgradei.exe 1124 "C:\Windows\SysWOW64\upgradei.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1132 "C:\Windows\SysWOW64\upgradei.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1128 "C:\Windows\SysWOW64\upgradei.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1140 "C:\Windows\SysWOW64\upgradei.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1144 "C:\Windows\SysWOW64\upgradei.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1148 "C:\Windows\SysWOW64\upgradei.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1136 "C:\Windows\SysWOW64\upgradei.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\upgradei.exe
        
        C:\Windows\system32\upgradei.exe 1156 "C:\Windows\SysWOW64\upgradei.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\upgradei.exe

Filesize
121KB

MD5
e4793601cffb3ba161163909ea2de0af

SHA1
b7ff4bb12452f08d81c224dd0c3567166af0c6b9

SHA256
de615be1170b2dcd3693bad48e969c66e9068209aa06aff543daa81ea69945ec

SHA512
d148fdb8c0d6fa95aaaf3a7c7c6e575cffa74ef90c180e6480aa513def607535bffb88204d5c65d94effefeacb529c4b34794cc7c66ee405afa91228e830c30a

Download Submit
memory/232-10-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/524-6-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/976-7-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1332-19-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1596-28-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2196-13-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2364-22-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2960-16-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4164-31-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4436-25-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4716-34-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download