metasploit | 4eaa4e74021db2d124e6b5979cd2cda877a9d4a204f4b34430102e1989236d61

Analysis

max time kernel
137s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
Size

113KB
MD5

efe3736fe4f5ba9b7aceb15270500679
SHA1

ad66cb10dbcb4964ec640466d8304fe5741bed95
SHA256

4eaa4e74021db2d124e6b5979cd2cda877a9d4a204f4b34430102e1989236d61
SHA512

2ddd6ac3786c069a162e0cf8eb11a203ca2ea5692a1dab2b20ed9979903b43677cb1b6868d82c2e594f7e4828ccdcc9406e22d81f0d175b80d5dd60f287705a6
SSDEEP

3072:jL2nmXmAXjuaenOuoV0zrbK7s+pcF7MNFwrK3xU+1:ntTzuVna0zr3ycF7MNFCsxU8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
1904	derservice.exe
2852	derservice.exe
2744	derservice.exe
2360	derservice.exe
2844	derservice.exe
2348	derservice.exe
768	derservice.exe
2396	derservice.exe
772	derservice.exe
1620	derservice.exe

Loads dropped DLL 20 IoCs

pid	Process
3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
1904	derservice.exe
1904	derservice.exe
2852	derservice.exe
2852	derservice.exe
2744	derservice.exe
2744	derservice.exe
2360	derservice.exe
2360	derservice.exe
2844	derservice.exe
2844	derservice.exe
2348	derservice.exe
2348	derservice.exe
768	derservice.exe
768	derservice.exe
2396	derservice.exe
2396	derservice.exe
772	derservice.exe
772	derservice.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File opened for modification	C:\Windows\SysWOW64\derservice.exe	derservice.exe
File created	C:\Windows\SysWOW64\derservice.exe	derservice.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	derservice.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1904	3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe	31
PID 3052 wrote to memory of 1904	3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe	31
PID 3052 wrote to memory of 1904	3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe	31
PID 3052 wrote to memory of 1904	3052	efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2852	1904	derservice.exe	32
PID 1904 wrote to memory of 2852	1904	derservice.exe	32
PID 1904 wrote to memory of 2852	1904	derservice.exe	32
PID 1904 wrote to memory of 2852	1904	derservice.exe	32
PID 2852 wrote to memory of 2744	2852	derservice.exe	33
PID 2852 wrote to memory of 2744	2852	derservice.exe	33
PID 2852 wrote to memory of 2744	2852	derservice.exe	33
PID 2852 wrote to memory of 2744	2852	derservice.exe	33
PID 2744 wrote to memory of 2360	2744	derservice.exe	34
PID 2744 wrote to memory of 2360	2744	derservice.exe	34
PID 2744 wrote to memory of 2360	2744	derservice.exe	34
PID 2744 wrote to memory of 2360	2744	derservice.exe	34
PID 2360 wrote to memory of 2844	2360	derservice.exe	35
PID 2360 wrote to memory of 2844	2360	derservice.exe	35
PID 2360 wrote to memory of 2844	2360	derservice.exe	35
PID 2360 wrote to memory of 2844	2360	derservice.exe	35
PID 2844 wrote to memory of 2348	2844	derservice.exe	36
PID 2844 wrote to memory of 2348	2844	derservice.exe	36
PID 2844 wrote to memory of 2348	2844	derservice.exe	36
PID 2844 wrote to memory of 2348	2844	derservice.exe	36
PID 2348 wrote to memory of 768	2348	derservice.exe	38
PID 2348 wrote to memory of 768	2348	derservice.exe	38
PID 2348 wrote to memory of 768	2348	derservice.exe	38
PID 2348 wrote to memory of 768	2348	derservice.exe	38
PID 768 wrote to memory of 2396	768	derservice.exe	39
PID 768 wrote to memory of 2396	768	derservice.exe	39
PID 768 wrote to memory of 2396	768	derservice.exe	39
PID 768 wrote to memory of 2396	768	derservice.exe	39
PID 2396 wrote to memory of 772	2396	derservice.exe	40
PID 2396 wrote to memory of 772	2396	derservice.exe	40
PID 2396 wrote to memory of 772	2396	derservice.exe	40
PID 2396 wrote to memory of 772	2396	derservice.exe	40
PID 772 wrote to memory of 1620	772	derservice.exe	41
PID 772 wrote to memory of 1620	772	derservice.exe	41
PID 772 wrote to memory of 1620	772	derservice.exe	41
PID 772 wrote to memory of 1620	772	derservice.exe	41

C:\Users\Admin\AppData\Local\Temp\efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\derservice.exe
  C:\Windows\system32\derservice.exe 472 "C:\Users\Admin\AppData\Local\Temp\efe3736fe4f5ba9b7aceb15270500679_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\derservice.exe
    C:\Windows\system32\derservice.exe 528 "C:\Windows\SysWOW64\derservice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\derservice.exe
      C:\Windows\system32\derservice.exe 524 "C:\Windows\SysWOW64\derservice.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 532 "C:\Windows\SysWOW64\derservice.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 536 "C:\Windows\SysWOW64\derservice.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 548 "C:\Windows\SysWOW64\derservice.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 552 "C:\Windows\SysWOW64\derservice.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 540 "C:\Windows\SysWOW64\derservice.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 560 "C:\Windows\SysWOW64\derservice.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\derservice.exe
        
        C:\Windows\system32\derservice.exe 556 "C:\Windows\SysWOW64\derservice.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\derservice.exe

Filesize
113KB

MD5
efe3736fe4f5ba9b7aceb15270500679

SHA1
ad66cb10dbcb4964ec640466d8304fe5741bed95

SHA256
4eaa4e74021db2d124e6b5979cd2cda877a9d4a204f4b34430102e1989236d61

SHA512
2ddd6ac3786c069a162e0cf8eb11a203ca2ea5692a1dab2b20ed9979903b43677cb1b6868d82c2e594f7e4828ccdcc9406e22d81f0d175b80d5dd60f287705a6

Download Submit
memory/1904-18-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/1904-14-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/1904-13-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/1904-15-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2744-29-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2744-32-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2744-31-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2744-30-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2852-22-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2852-24-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2852-25-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/2852-23-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/3052-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-17-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/3052-2-0x0000000000400000-0x00000000004AADA1-memory.dmp

Filesize
683KB

Download
memory/3052-1-0x00000000004A9000-0x00000000004AB000-memory.dmp

Filesize
8KB

Download