metasploit | dd6ce76e8f6225349e107b3f8df86492db4041fba3247d2dbed8d085cb3cf621 | Triage

Sharing

General

Target

8f425d83c00a8657dc1166a2ff8d34db_JaffaCakes118
Size

122KB
Sample

241104-fkva4axjdm
MD5

8f425d83c00a8657dc1166a2ff8d34db
SHA1

2131d705977f5fe7325b6fe6a32e75c9201a9f45
SHA256

dd6ce76e8f6225349e107b3f8df86492db4041fba3247d2dbed8d085cb3cf621
SHA512

f1831c1d138e0bce96c3f86c87557e6afa67e8fce36efe728466c2775737fffc692da5c46f611cd7633c77e798de41ade5946a1dcce0914bf9295a86d5b2faad
SSDEEP

3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd

Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  8f425d83c00a8657dc1166a2ff8d34db_JaffaCakes118
- Size
  
  122KB
- MD5
  
  8f425d83c00a8657dc1166a2ff8d34db
- SHA1
  
  2131d705977f5fe7325b6fe6a32e75c9201a9f45
- SHA256
  
  dd6ce76e8f6225349e107b3f8df86492db4041fba3247d2dbed8d085cb3cf621
- SHA512
  
  f1831c1d138e0bce96c3f86c87557e6afa67e8fce36efe728466c2775737fffc692da5c46f611cd7633c77e798de41ade5946a1dcce0914bf9295a86d5b2faad
- SSDEEP
  
  3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd
Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan