metasploit | 3fc24b8be6c1aeafd1d4be0aa1d26fe5d51bdb6308f5157b894a13c255d31e0e

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 02:04

Target

f4eee5f982f2482fbb3f8761404805f1_JaffaCakes118.dll
Size

8KB
MD5

f4eee5f982f2482fbb3f8761404805f1
SHA1

7d8241337adba17d4b0577aa0843112c769bf942
SHA256

3fc24b8be6c1aeafd1d4be0aa1d26fe5d51bdb6308f5157b894a13c255d31e0e
SHA512

b69dda8ac7130dea6dbeb3c902af003de27f416c1424cddc52125367b216d03153ea53ce643a428d6f97980f9421887a936cddcae0f10bb47d05971b0eaf8ea8
SSDEEP

48:i7uD6XmotviCNIA734mkhthkYkJggydFpgH2SD9CTolgJehMSO:4WIgA73xJgXd3gHZ5Golg

Score

10^/10

Family

metasploit

Version

metasploit_stager

149.248.6.193:2011

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 8 IoCs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 1920	2672	rundll32.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1920	2672	rundll32.exe	84
PID 2672 wrote to memory of 1920	2672	rundll32.exe	84
PID 2672 wrote to memory of 1920	2672	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4eee5f982f2482fbb3f8761404805f1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\rundll32.exe
  rundll32.exe
  2⤵
  - Blocklisted process makes network request
  PID:1920

memory/1920-0-0x000001314DF50000-0x000001314DF51000-memory.dmp

Filesize
4KB

Download