metasploit | 5170180a716eaf47159bf537707410dfb75dc5e78fbc79e6697f393e2d7a208c

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/09/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
Size

816KB
MD5

e725fdbb26a61f9f037406969f2618de
SHA1

8c07c84296c35fd93ba0499856f12ee45128cf18
SHA256

5170180a716eaf47159bf537707410dfb75dc5e78fbc79e6697f393e2d7a208c
SHA512

0972faba8e0a230382ac3ac0fc832e658dece7b2f1774238e2e7525eb86fd4032fc7805844bca427fd6237c8b2502980cc58522aa236d91f05a9d5b15db9117a
SSDEEP

3072:hWe51vVRpJMFkstvxxrHA7ZFx+UMFQowJKfpThp+38uEEDUOIg:9st7rHA7xbMeLKDpKwpg

Score

10^/10

metasploit backdoor discovery macro trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://104.248.41.209:80/ZXq9

Attributes

headers User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2656	2464	rundll32.exe	30

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2656	rundll32.exe
12	2656	rundll32.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00080000000120f9-5.dat

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2464	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2464	WINWORD.EXE
2464	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2464	2332	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2464	2332	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2464	2332	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2464	2332	e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe	30
PID 2464 wrote to memory of 2200	2464	WINWORD.EXE	31
PID 2464 wrote to memory of 2200	2464	WINWORD.EXE	31
PID 2464 wrote to memory of 2200	2464	WINWORD.EXE	31
PID 2464 wrote to memory of 2200	2464	WINWORD.EXE	31
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32
PID 2464 wrote to memory of 2656	2464	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e725fdbb26a61f9f037406969f2618de_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\fundraiser_protected.docm"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\\SysWOW64\\rundll32.exe
    3⤵
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
c68c1ea6765df558405c22ece0d77ede

SHA1
d969ad70abebf965889918c4afc09dea2b2d78e0

SHA256
cffebff44095cf08e9815e1af7620cf56a938dc8bc49bd0e3572dafa7f43e7dc

SHA512
acec91a94dfd80227cfe733b60ff74035418d3abbb9d61f042c15b049c0ce559bd40fa7be81c85873c321f9ae78fd04f3bdeccbd9fd4ccf555d209044e760916

Download Submit
C:\Users\Admin\Documents\fundraiser_protected.docm

Filesize
791KB

MD5
154dd13d7480c3586911fe3295f1c169

SHA1
15266197d1ce2d261b60ce986e45ce62fccf6833

SHA256
efbe0e787cd9676ed0500cb736038db5bf2d78fcf63d53f3fa7414447ce5fe40

SHA512
07cdddf00a09302ea1e17c315d3af62dd93da7e8f70c892d71aecbd7cfb3ecb84882810e3ca8104c46b2e57d92ee42352b232bf2ff9bf4ee29cadfc2427d7f43

Download Submit
memory/2332-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2464-22-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-4-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/2464-24-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-26-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-23-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2464-25-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-21-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-29-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-28-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-27-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2464-2-0x000000002FA11000-0x000000002FA12000-memory.dmp

Filesize
4KB

Download
memory/2464-1635-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/2656-74-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-78-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-76-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-82-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-72-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-70-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-68-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-66-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-64-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-62-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-80-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-54-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-52-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-50-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-48-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-40-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-38-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-36-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-34-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-84-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2656-86-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download