metasploit | 48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Size

410KB
MD5

f5939606bd81a26a63e7d75f1604f512
SHA1

a21c1712f4a8900bcf0017afd3ceb1c15b791fd3
SHA256

48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c
SHA512

7bc4b3da5630a14d2612a4bb2c7a439e4de91ae357ae0db16d132d0eebd872d9f5abed0ec1a8365d4ca2cb4144867048fba9cdbaa5ae8bb8476234570121d24b
SSDEEP

6144:uwdlYcZu3veqrqAcRijtpIYvolrl9g+ymzOLPrnOKIgkKUM/CoFGR34eTmup:uTvFRpIDvv1CTLOLvqCgCj64

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 20 IoCs

pid	Process
1136	peterrr.exe
2816	peterrr.exe
2848	peterrr.exe
2800	peterrr.exe
2584	peterrr.exe
2040	peterrr.exe
3004	peterrr.exe
3012	peterrr.exe
2044	peterrr.exe
1316	peterrr.exe
2140	peterrr.exe
2104	peterrr.exe
2812	peterrr.exe
848	peterrr.exe
1884	peterrr.exe
1864	peterrr.exe
2364	peterrr.exe
2196	peterrr.exe
884	peterrr.exe
1748	peterrr.exe

Loads dropped DLL 21 IoCs

pid	Process
2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
1136	peterrr.exe
2816	peterrr.exe
2816	peterrr.exe
2800	peterrr.exe
2800	peterrr.exe
2040	peterrr.exe
2040	peterrr.exe
3012	peterrr.exe
3012	peterrr.exe
1316	peterrr.exe
1316	peterrr.exe
2104	peterrr.exe
2104	peterrr.exe
848	peterrr.exe
848	peterrr.exe
1864	peterrr.exe
1864	peterrr.exe
2196	peterrr.exe
2196	peterrr.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File created	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe
File opened for modification	C:\Windows\SysWOW64\peterrr.exe	peterrr.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1136 set thread context of 2816	1136	peterrr.exe	32
PID 2848 set thread context of 2800	2848	peterrr.exe	35
PID 2584 set thread context of 2040	2584	peterrr.exe	37
PID 3004 set thread context of 3012	3004	peterrr.exe	39
PID 2044 set thread context of 1316	2044	peterrr.exe	41
PID 2140 set thread context of 2104	2140	peterrr.exe	43
PID 2812 set thread context of 848	2812	peterrr.exe	45
PID 1884 set thread context of 1864	1884	peterrr.exe	47
PID 2364 set thread context of 2196	2364	peterrr.exe	49
PID 884 set thread context of 1748	884	peterrr.exe	51

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peterrr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 1292 wrote to memory of 2072	1292	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	30
PID 2072 wrote to memory of 1136	2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1136	2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1136	2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	31
PID 2072 wrote to memory of 1136	2072	f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe	31
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 1136 wrote to memory of 2816	1136	peterrr.exe	32
PID 2816 wrote to memory of 2848	2816	peterrr.exe	34
PID 2816 wrote to memory of 2848	2816	peterrr.exe	34
PID 2816 wrote to memory of 2848	2816	peterrr.exe	34
PID 2816 wrote to memory of 2848	2816	peterrr.exe	34
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2848 wrote to memory of 2800	2848	peterrr.exe	35
PID 2800 wrote to memory of 2584	2800	peterrr.exe	36
PID 2800 wrote to memory of 2584	2800	peterrr.exe	36
PID 2800 wrote to memory of 2584	2800	peterrr.exe	36
PID 2800 wrote to memory of 2584	2800	peterrr.exe	36
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2584 wrote to memory of 2040	2584	peterrr.exe	37
PID 2040 wrote to memory of 3004	2040	peterrr.exe	38
PID 2040 wrote to memory of 3004	2040	peterrr.exe	38
PID 2040 wrote to memory of 3004	2040	peterrr.exe	38
PID 2040 wrote to memory of 3004	2040	peterrr.exe	38
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3004 wrote to memory of 3012	3004	peterrr.exe	39
PID 3012 wrote to memory of 2044	3012	peterrr.exe	40
PID 3012 wrote to memory of 2044	3012	peterrr.exe	40
PID 3012 wrote to memory of 2044	3012	peterrr.exe	40
PID 3012 wrote to memory of 2044	3012	peterrr.exe	40
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 2044 wrote to memory of 1316	2044	peterrr.exe	41
PID 1316 wrote to memory of 2140	1316	peterrr.exe	42
PID 1316 wrote to memory of 2140	1316	peterrr.exe	42
PID 1316 wrote to memory of 2140	1316	peterrr.exe	42
PID 1316 wrote to memory of 2140	1316	peterrr.exe	42
PID 2140 wrote to memory of 2104	2140	peterrr.exe	43
PID 2140 wrote to memory of 2104	2140	peterrr.exe	43
PID 2140 wrote to memory of 2104	2140	peterrr.exe	43
PID 2140 wrote to memory of 2104	2140	peterrr.exe	43

C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\peterrr.exe
    C:\Windows\system32\peterrr.exe 528 "C:\Users\Admin\AppData\Local\Temp\f5939606bd81a26a63e7d75f1604f512_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\peterrr.exe
      C:\Windows\SysWOW64\peterrr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\system32\peterrr.exe 524 "C:\Windows\SysWOW64\peterrr.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\peterrr.exe
        
        C:\Windows\SysWOW64\peterrr.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\peterrr.exe

Filesize
410KB

MD5
f5939606bd81a26a63e7d75f1604f512

SHA1
a21c1712f4a8900bcf0017afd3ceb1c15b791fd3

SHA256
48e10a914d4e2c754c223e1a6fd2a373c71de262b135a92db790de03944ea85c

SHA512
7bc4b3da5630a14d2612a4bb2c7a439e4de91ae357ae0db16d132d0eebd872d9f5abed0ec1a8365d4ca2cb4144867048fba9cdbaa5ae8bb8476234570121d24b

Download Submit
memory/1316-93-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1316-83-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2040-69-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2040-59-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2072-7-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2072-2-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2072-30-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2072-6-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2072-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-5-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2104-95-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2800-44-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2800-47-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2800-57-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2816-45-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2816-31-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3012-81-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3012-71-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download