metasploit | 582e1f591cac39d4158a1e772176b9ec3bf9a6c9bf7e9d39b96724c63954e6dd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe
Size

150KB
MD5

e5748b60eb6eb72882c02ff6fd119983
SHA1

7945e34394f20de08471cc616beecd015131e9cb
SHA256

582e1f591cac39d4158a1e772176b9ec3bf9a6c9bf7e9d39b96724c63954e6dd
SHA512

5a219f69c45e23ff072a70fa5e5d413eccb85e728161f09eceb7f59790a169583fe3eaead1689c130e817426b97d2abef5eceea2b3b16654234f44de28c01161
SSDEEP

3072:HJQj/azF8FdRMZfoN62wLN6csHVOcoDJYoOxfvtM0k+4zPu4JMkLPpSLd:HJQGad+foNHmoXV8JgM7+4zLJMoPod

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
4344	wificonfig.exe
5068	wificonfig.exe
2132	wificonfig.exe
4752	wificonfig.exe
2388	wificonfig.exe
1688	wificonfig.exe
2820	wificonfig.exe
4216	wificonfig.exe
2240	wificonfig.exe
3480	wificonfig.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File created	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe
File opened for modification	C:\Windows\SysWOW64\wificonfig.exe	wificonfig.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wificonfig.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4344	4756	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe	82
PID 4756 wrote to memory of 4344	4756	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe	82
PID 4756 wrote to memory of 4344	4756	e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe	82
PID 4344 wrote to memory of 5068	4344	wificonfig.exe	90
PID 4344 wrote to memory of 5068	4344	wificonfig.exe	90
PID 4344 wrote to memory of 5068	4344	wificonfig.exe	90
PID 5068 wrote to memory of 2132	5068	wificonfig.exe	92
PID 5068 wrote to memory of 2132	5068	wificonfig.exe	92
PID 5068 wrote to memory of 2132	5068	wificonfig.exe	92
PID 2132 wrote to memory of 4752	2132	wificonfig.exe	94
PID 2132 wrote to memory of 4752	2132	wificonfig.exe	94
PID 2132 wrote to memory of 4752	2132	wificonfig.exe	94
PID 4752 wrote to memory of 2388	4752	wificonfig.exe	95
PID 4752 wrote to memory of 2388	4752	wificonfig.exe	95
PID 4752 wrote to memory of 2388	4752	wificonfig.exe	95
PID 2388 wrote to memory of 1688	2388	wificonfig.exe	96
PID 2388 wrote to memory of 1688	2388	wificonfig.exe	96
PID 2388 wrote to memory of 1688	2388	wificonfig.exe	96
PID 1688 wrote to memory of 2820	1688	wificonfig.exe	97
PID 1688 wrote to memory of 2820	1688	wificonfig.exe	97
PID 1688 wrote to memory of 2820	1688	wificonfig.exe	97
PID 2820 wrote to memory of 4216	2820	wificonfig.exe	98
PID 2820 wrote to memory of 4216	2820	wificonfig.exe	98
PID 2820 wrote to memory of 4216	2820	wificonfig.exe	98
PID 4216 wrote to memory of 2240	4216	wificonfig.exe	99
PID 4216 wrote to memory of 2240	4216	wificonfig.exe	99
PID 4216 wrote to memory of 2240	4216	wificonfig.exe	99
PID 2240 wrote to memory of 3480	2240	wificonfig.exe	100
PID 2240 wrote to memory of 3480	2240	wificonfig.exe	100
PID 2240 wrote to memory of 3480	2240	wificonfig.exe	100

C:\Users\Admin\AppData\Local\Temp\e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\wificonfig.exe
  C:\Windows\system32\wificonfig.exe 1188 "C:\Users\Admin\AppData\Local\Temp\e5748b60eb6eb72882c02ff6fd119983_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\SysWOW64\wificonfig.exe
    C:\Windows\system32\wificonfig.exe 1148 "C:\Windows\SysWOW64\wificonfig.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\wificonfig.exe
      C:\Windows\system32\wificonfig.exe 1092 "C:\Windows\SysWOW64\wificonfig.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1128 "C:\Windows\SysWOW64\wificonfig.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1124 "C:\Windows\SysWOW64\wificonfig.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1136 "C:\Windows\SysWOW64\wificonfig.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1120 "C:\Windows\SysWOW64\wificonfig.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1140 "C:\Windows\SysWOW64\wificonfig.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1104 "C:\Windows\SysWOW64\wificonfig.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\wificonfig.exe
        
        C:\Windows\system32\wificonfig.exe 1152 "C:\Windows\SysWOW64\wificonfig.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wificonfig.exe

Filesize
150KB

MD5
e5748b60eb6eb72882c02ff6fd119983

SHA1
7945e34394f20de08471cc616beecd015131e9cb

SHA256
582e1f591cac39d4158a1e772176b9ec3bf9a6c9bf7e9d39b96724c63954e6dd

SHA512
5a219f69c45e23ff072a70fa5e5d413eccb85e728161f09eceb7f59790a169583fe3eaead1689c130e817426b97d2abef5eceea2b3b16654234f44de28c01161

Download Submit
memory/1688-51-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/2132-32-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/2132-30-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2240-69-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/2388-45-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/2820-57-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/3480-75-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4216-63-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4344-14-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4344-16-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4752-39-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4756-0-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4756-15-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4756-4-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4756-1-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/4756-3-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/5068-24-0x0000000000400000-0x00000000004CD5A1-memory.dmp

Filesize
821KB

Download
memory/5068-22-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download