metasploit | b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1

Analysis

max time kernel
147s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 02:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
Size

852KB
MD5

ecb3fb6cabac7484f84184105ab4ad03
SHA1

4e01872b5afdc16d1b18e1f650cbefa67d9ffbc5
SHA256

b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1
SHA512

4c46d96745e1a0e23ec3b6b8edc1c1808e5a8ca91de7e636d91bf11849dd74c862aad6e9dba1de031e3b4087cb007782accf781c6672d81bc3b5f8f232914d7b
SSDEEP

12288:HE+NLeE1PYEPZ0Vy3F4fjElBjIq2KKn/Hz6I:k+xPZ0VQoglFIlNV

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
2252	scvhost.exe
2880	scvhost.exe
1672	scvhost.exe
2248	scvhost.exe
3044	scvhost.exe
2960	scvhost.exe
540	scvhost.exe
1436	scvhost.exe
2352	scvhost.exe
2356	scvhost.exe

Loads dropped DLL 20 IoCs

pid	Process
1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
2252	scvhost.exe
2252	scvhost.exe
2880	scvhost.exe
2880	scvhost.exe
1672	scvhost.exe
1672	scvhost.exe
2248	scvhost.exe
2248	scvhost.exe
3044	scvhost.exe
3044	scvhost.exe
2960	scvhost.exe
2960	scvhost.exe
540	scvhost.exe
540	scvhost.exe
1436	scvhost.exe
1436	scvhost.exe
2352	scvhost.exe
2352	scvhost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2252	1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2252	1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2252	1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2252	1328	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2880	2252	scvhost.exe	31
PID 2252 wrote to memory of 2880	2252	scvhost.exe	31
PID 2252 wrote to memory of 2880	2252	scvhost.exe	31
PID 2252 wrote to memory of 2880	2252	scvhost.exe	31
PID 2880 wrote to memory of 1672	2880	scvhost.exe	32
PID 2880 wrote to memory of 1672	2880	scvhost.exe	32
PID 2880 wrote to memory of 1672	2880	scvhost.exe	32
PID 2880 wrote to memory of 1672	2880	scvhost.exe	32
PID 1672 wrote to memory of 2248	1672	scvhost.exe	33
PID 1672 wrote to memory of 2248	1672	scvhost.exe	33
PID 1672 wrote to memory of 2248	1672	scvhost.exe	33
PID 1672 wrote to memory of 2248	1672	scvhost.exe	33
PID 2248 wrote to memory of 3044	2248	scvhost.exe	34
PID 2248 wrote to memory of 3044	2248	scvhost.exe	34
PID 2248 wrote to memory of 3044	2248	scvhost.exe	34
PID 2248 wrote to memory of 3044	2248	scvhost.exe	34
PID 3044 wrote to memory of 2960	3044	scvhost.exe	35
PID 3044 wrote to memory of 2960	3044	scvhost.exe	35
PID 3044 wrote to memory of 2960	3044	scvhost.exe	35
PID 3044 wrote to memory of 2960	3044	scvhost.exe	35
PID 2960 wrote to memory of 540	2960	scvhost.exe	36
PID 2960 wrote to memory of 540	2960	scvhost.exe	36
PID 2960 wrote to memory of 540	2960	scvhost.exe	36
PID 2960 wrote to memory of 540	2960	scvhost.exe	36
PID 540 wrote to memory of 1436	540	scvhost.exe	37
PID 540 wrote to memory of 1436	540	scvhost.exe	37
PID 540 wrote to memory of 1436	540	scvhost.exe	37
PID 540 wrote to memory of 1436	540	scvhost.exe	37
PID 1436 wrote to memory of 2352	1436	scvhost.exe	38
PID 1436 wrote to memory of 2352	1436	scvhost.exe	38
PID 1436 wrote to memory of 2352	1436	scvhost.exe	38
PID 1436 wrote to memory of 2352	1436	scvhost.exe	38
PID 2352 wrote to memory of 2356	2352	scvhost.exe	39
PID 2352 wrote to memory of 2356	2352	scvhost.exe	39
PID 2352 wrote to memory of 2356	2352	scvhost.exe	39
PID 2352 wrote to memory of 2356	2352	scvhost.exe	39

C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\scvhost.exe
  C:\Windows\system32\scvhost.exe 476 "C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\scvhost.exe
    C:\Windows\system32\scvhost.exe 536 "C:\Windows\SysWOW64\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\scvhost.exe
      C:\Windows\system32\scvhost.exe 528 "C:\Windows\SysWOW64\scvhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 544 "C:\Windows\SysWOW64\scvhost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 540 "C:\Windows\SysWOW64\scvhost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 556 "C:\Windows\SysWOW64\scvhost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 532 "C:\Windows\SysWOW64\scvhost.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 572 "C:\Windows\SysWOW64\scvhost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 548 "C:\Windows\SysWOW64\scvhost.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 552 "C:\Windows\SysWOW64\scvhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\scvhost.exe

Filesize
852KB

MD5
ecb3fb6cabac7484f84184105ab4ad03

SHA1
4e01872b5afdc16d1b18e1f650cbefa67d9ffbc5

SHA256
b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1

SHA512
4c46d96745e1a0e23ec3b6b8edc1c1808e5a8ca91de7e636d91bf11849dd74c862aad6e9dba1de031e3b4087cb007782accf781c6672d81bc3b5f8f232914d7b

Download Submit
memory/540-42-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1328-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1328-11-0x00000000028D0000-0x00000000029A5000-memory.dmp

Filesize
852KB

Download
memory/1328-10-0x00000000028D0000-0x00000000029A5000-memory.dmp

Filesize
852KB

Download
memory/1328-15-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1436-46-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1672-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2248-29-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2252-16-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2252-13-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2352-50-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2356-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2880-21-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2880-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2960-38-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2960-37-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3044-33-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download