metasploit | 7dbae0ed5df2ae4b7a84004fa5cc78225986239342fd84cde91a5ef78be01708

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
Size

124KB
MD5

f4ce09b59dae3b2e3e4c85db80f6c199
SHA1

53871024857fe7f6fff616329c2ee5dcfa4ddd6d
SHA256

7dbae0ed5df2ae4b7a84004fa5cc78225986239342fd84cde91a5ef78be01708
SHA512

551f710276d164d11cff6a2ab149fe7915ec5450feec95cbdb05497b08715b1cc8bf730d7908cffa213b39e9768854312f66649ae370a0bf6037e0950ec129f4
SSDEEP

3072:BlfSv3TznN0u3juM52r+/PibY2YzBxkN4BW4hd/hMdTWDmNzpE3:Pf+NRzj2C/Pr2YzzW2l9kyGzp8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 10 IoCs

pid	Process
2772	scvhost.exe
2712	scvhost.exe
1716	scvhost.exe
2324	scvhost.exe
2828	scvhost.exe
2928	scvhost.exe
1928	scvhost.exe
3000	scvhost.exe
1932	scvhost.exe
1476	scvhost.exe

Loads dropped DLL 20 IoCs

pid	Process
1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
2772	scvhost.exe
2772	scvhost.exe
2712	scvhost.exe
2712	scvhost.exe
1716	scvhost.exe
1716	scvhost.exe
2324	scvhost.exe
2324	scvhost.exe
2828	scvhost.exe
2828	scvhost.exe
2928	scvhost.exe
2928	scvhost.exe
1928	scvhost.exe
1928	scvhost.exe
3000	scvhost.exe
3000	scvhost.exe
1932	scvhost.exe
1932	scvhost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File created	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	scvhost.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2772	1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2772	1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2772	1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2772	1152	f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2712	2772	scvhost.exe	32
PID 2772 wrote to memory of 2712	2772	scvhost.exe	32
PID 2772 wrote to memory of 2712	2772	scvhost.exe	32
PID 2772 wrote to memory of 2712	2772	scvhost.exe	32
PID 2712 wrote to memory of 1716	2712	scvhost.exe	33
PID 2712 wrote to memory of 1716	2712	scvhost.exe	33
PID 2712 wrote to memory of 1716	2712	scvhost.exe	33
PID 2712 wrote to memory of 1716	2712	scvhost.exe	33
PID 1716 wrote to memory of 2324	1716	scvhost.exe	34
PID 1716 wrote to memory of 2324	1716	scvhost.exe	34
PID 1716 wrote to memory of 2324	1716	scvhost.exe	34
PID 1716 wrote to memory of 2324	1716	scvhost.exe	34
PID 2324 wrote to memory of 2828	2324	scvhost.exe	35
PID 2324 wrote to memory of 2828	2324	scvhost.exe	35
PID 2324 wrote to memory of 2828	2324	scvhost.exe	35
PID 2324 wrote to memory of 2828	2324	scvhost.exe	35
PID 2828 wrote to memory of 2928	2828	scvhost.exe	36
PID 2828 wrote to memory of 2928	2828	scvhost.exe	36
PID 2828 wrote to memory of 2928	2828	scvhost.exe	36
PID 2828 wrote to memory of 2928	2828	scvhost.exe	36
PID 2928 wrote to memory of 1928	2928	scvhost.exe	38
PID 2928 wrote to memory of 1928	2928	scvhost.exe	38
PID 2928 wrote to memory of 1928	2928	scvhost.exe	38
PID 2928 wrote to memory of 1928	2928	scvhost.exe	38
PID 1928 wrote to memory of 3000	1928	scvhost.exe	39
PID 1928 wrote to memory of 3000	1928	scvhost.exe	39
PID 1928 wrote to memory of 3000	1928	scvhost.exe	39
PID 1928 wrote to memory of 3000	1928	scvhost.exe	39
PID 3000 wrote to memory of 1932	3000	scvhost.exe	40
PID 3000 wrote to memory of 1932	3000	scvhost.exe	40
PID 3000 wrote to memory of 1932	3000	scvhost.exe	40
PID 3000 wrote to memory of 1932	3000	scvhost.exe	40
PID 1932 wrote to memory of 1476	1932	scvhost.exe	41
PID 1932 wrote to memory of 1476	1932	scvhost.exe	41
PID 1932 wrote to memory of 1476	1932	scvhost.exe	41
PID 1932 wrote to memory of 1476	1932	scvhost.exe	41

C:\Users\Admin\AppData\Local\Temp\f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\scvhost.exe
  C:\Windows\system32\scvhost.exe 476 "C:\Users\Admin\AppData\Local\Temp\f4ce09b59dae3b2e3e4c85db80f6c199_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\scvhost.exe
    C:\Windows\system32\scvhost.exe 528 "C:\Windows\SysWOW64\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\scvhost.exe
      C:\Windows\system32\scvhost.exe 532 "C:\Windows\SysWOW64\scvhost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 536 "C:\Windows\SysWOW64\scvhost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 544 "C:\Windows\SysWOW64\scvhost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 552 "C:\Windows\SysWOW64\scvhost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 524 "C:\Windows\SysWOW64\scvhost.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 548 "C:\Windows\SysWOW64\scvhost.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 556 "C:\Windows\SysWOW64\scvhost.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\scvhost.exe
        
        C:\Windows\system32\scvhost.exe 560 "C:\Windows\SysWOW64\scvhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\scvhost.exe

Filesize
124KB

MD5
f4ce09b59dae3b2e3e4c85db80f6c199

SHA1
53871024857fe7f6fff616329c2ee5dcfa4ddd6d

SHA256
7dbae0ed5df2ae4b7a84004fa5cc78225986239342fd84cde91a5ef78be01708

SHA512
551f710276d164d11cff6a2ab149fe7915ec5450feec95cbdb05497b08715b1cc8bf730d7908cffa213b39e9768854312f66649ae370a0bf6037e0950ec129f4

Download Submit
memory/1152-0-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1152-11-0x00000000027B0000-0x0000000002885000-memory.dmp

Filesize
852KB

Download
memory/1152-12-0x00000000027B0000-0x0000000002885000-memory.dmp

Filesize
852KB

Download
memory/1152-15-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1476-64-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1716-28-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1928-52-0x0000000002920000-0x00000000029F5000-memory.dmp

Filesize
852KB

Download
memory/1928-51-0x0000000002920000-0x00000000029F5000-memory.dmp

Filesize
852KB

Download
memory/1928-48-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1928-46-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1932-59-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/1932-63-0x0000000002880000-0x0000000002955000-memory.dmp

Filesize
852KB

Download
memory/2324-35-0x0000000002870000-0x0000000002945000-memory.dmp

Filesize
852KB

Download
memory/2324-32-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2324-36-0x0000000002870000-0x0000000002945000-memory.dmp

Filesize
852KB

Download
memory/2712-21-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2712-25-0x0000000002870000-0x0000000002945000-memory.dmp

Filesize
852KB

Download
memory/2712-26-0x0000000002870000-0x0000000002945000-memory.dmp

Filesize
852KB

Download
memory/2712-22-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2772-18-0x0000000002940000-0x0000000002A15000-memory.dmp

Filesize
852KB

Download
memory/2772-16-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2772-13-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2828-38-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2928-42-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/2928-47-0x0000000002A30000-0x0000000002B05000-memory.dmp

Filesize
852KB

Download
memory/3000-54-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download
memory/3000-55-0x0000000000400000-0x00000000004D402C-memory.dmp

Filesize
848KB

Download