metasploit | de2ce7cc8dcd6b72c327e8357b6a79405643bfe309dbaf7aee6e443b0c29e0b2 | Triage

Sharing

General

Target

ee7ad97ff666f7dc075d8ab8fa872a13_JaffaCakes118
Size

651KB
Sample

240920-1lvngazejj
MD5

ee7ad97ff666f7dc075d8ab8fa872a13
SHA1

274a5e901753a7666038f4edf16b7e6ab79d715e
SHA256

de2ce7cc8dcd6b72c327e8357b6a79405643bfe309dbaf7aee6e443b0c29e0b2
SHA512

435030e0981a235d8239f254b8b4941e38e8e47a215e29c9afa6a705c8539669be9b32017c03716ad5954a5d8eace10a97213916556391f3a41935ecaef4894b
SSDEEP

12288:/rigeFAg0mNM/cu/TXEl0z40I7tDH4kZmWN35iHUBe/pqLkpuzOSj:/kF2uMU6TU040+mWl0HUBe/ALnbj

Score

10^/10

metasploit backdoor discovery evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  ee7ad97ff666f7dc075d8ab8fa872a13_JaffaCakes118
- Size
  
  651KB
- MD5
  
  ee7ad97ff666f7dc075d8ab8fa872a13
- SHA1
  
  274a5e901753a7666038f4edf16b7e6ab79d715e
- SHA256
  
  de2ce7cc8dcd6b72c327e8357b6a79405643bfe309dbaf7aee6e443b0c29e0b2
- SHA512
  
  435030e0981a235d8239f254b8b4941e38e8e47a215e29c9afa6a705c8539669be9b32017c03716ad5954a5d8eace10a97213916556391f3a41935ecaef4894b
- SSDEEP
  
  12288:/rigeFAg0mNM/cu/TXEl0z40I7tDH4kZmWN35iHUBe/pqLkpuzOSj:/kF2uMU6TU040+mWl0HUBe/ALnbj
Score

10^/10

metasploit backdoor discovery evasion persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metasploitbackdoordiscoveryevasionpersistencetrojan

behavioral2

discoveryevasion