metasploit | b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1

Analysis

max time kernel
147s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
Size

852KB
MD5

ecb3fb6cabac7484f84184105ab4ad03
SHA1

4e01872b5afdc16d1b18e1f650cbefa67d9ffbc5
SHA256

b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1
SHA512

4c46d96745e1a0e23ec3b6b8edc1c1808e5a8ca91de7e636d91bf11849dd74c862aad6e9dba1de031e3b4087cb007782accf781c6672d81bc3b5f8f232914d7b
SSDEEP

12288:HE+NLeE1PYEPZ0Vy3F4fjElBjIq2KKn/Hz6I:k+xPZ0VQoglFIlNV

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
1960	scvhost.exe
3044	scvhost.exe
2504	scvhost.exe
5072	scvhost.exe
4300	scvhost.exe
456	scvhost.exe
1252	scvhost.exe
4696	scvhost.exe
4368	scvhost.exe
4076	scvhost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1960	3064	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	82
PID 3064 wrote to memory of 1960	3064	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	82
PID 3064 wrote to memory of 1960	3064	ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe	82
PID 1960 wrote to memory of 3044	1960	scvhost.exe	90
PID 1960 wrote to memory of 3044	1960	scvhost.exe	90
PID 1960 wrote to memory of 3044	1960	scvhost.exe	90
PID 3044 wrote to memory of 2504	3044	scvhost.exe	92
PID 3044 wrote to memory of 2504	3044	scvhost.exe	92
PID 3044 wrote to memory of 2504	3044	scvhost.exe	92
PID 2504 wrote to memory of 5072	2504	scvhost.exe	94
PID 2504 wrote to memory of 5072	2504	scvhost.exe	94
PID 2504 wrote to memory of 5072	2504	scvhost.exe	94
PID 5072 wrote to memory of 4300	5072	scvhost.exe	95
PID 5072 wrote to memory of 4300	5072	scvhost.exe	95
PID 5072 wrote to memory of 4300	5072	scvhost.exe	95
PID 4300 wrote to memory of 456	4300	scvhost.exe	96
PID 4300 wrote to memory of 456	4300	scvhost.exe	96
PID 4300 wrote to memory of 456	4300	scvhost.exe	96
PID 456 wrote to memory of 1252	456	scvhost.exe	97
PID 456 wrote to memory of 1252	456	scvhost.exe	97
PID 456 wrote to memory of 1252	456	scvhost.exe	97
PID 1252 wrote to memory of 4696	1252	scvhost.exe	98
PID 1252 wrote to memory of 4696	1252	scvhost.exe	98
PID 1252 wrote to memory of 4696	1252	scvhost.exe	98
PID 4696 wrote to memory of 4368	4696	scvhost.exe	99
PID 4696 wrote to memory of 4368	4696	scvhost.exe	99
PID 4696 wrote to memory of 4368	4696	scvhost.exe	99
PID 4368 wrote to memory of 4076	4368	scvhost.exe	100
PID 4368 wrote to memory of 4076	4368	scvhost.exe	100
PID 4368 wrote to memory of 4076	4368	scvhost.exe	100

C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\scvhost.exe
  C:\Windows\system32\scvhost.exe 1148 "C:\Users\Admin\AppData\Local\Temp\ecb3fb6cabac7484f84184105ab4ad03_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\scvhost.exe
    C:\Windows\system32\scvhost.exe 1152 "C:\Windows\SysWOW64\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\scvhost.exe
      C:\Windows\system32\scvhost.exe 1136 "C:\Windows\SysWOW64\scvhost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1124 "C:\Windows\SysWOW64\scvhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1092 "C:\Windows\SysWOW64\scvhost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1128 "C:\Windows\SysWOW64\scvhost.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1132 "C:\Windows\SysWOW64\scvhost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1140 "C:\Windows\SysWOW64\scvhost.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1144 "C:\Windows\SysWOW64\scvhost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 1160 "C:\Windows\SysWOW64\scvhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\scvhost.exe

Filesize
852KB

MD5
ecb3fb6cabac7484f84184105ab4ad03

SHA1
4e01872b5afdc16d1b18e1f650cbefa67d9ffbc5

SHA256
b0e184242cd2daafaf9f756b2140b0ea432ea733d66fdb03f1a0018ed28170e1

SHA512
4c46d96745e1a0e23ec3b6b8edc1c1808e5a8ca91de7e636d91bf11849dd74c862aad6e9dba1de031e3b4087cb007782accf781c6672d81bc3b5f8f232914d7b

Download Submit
memory/456-18-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1252-20-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1960-8-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2504-12-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3044-10-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3064-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3064-7-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4076-26-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4300-16-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4368-24-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4696-22-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/5072-14-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download