metasploit | f381e1f8f462a5b2de8e6384867e3546e50b8b7830d25f4f34b3154c61859062

Analysis

max time kernel
138s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
Size

401KB
MD5

8ff2493e38fb26b5ade18347e659234a
SHA1

c71ab76574c6dec55d7133559e11bcad752437c7
SHA256

f381e1f8f462a5b2de8e6384867e3546e50b8b7830d25f4f34b3154c61859062
SHA512

8894137422980454212e3548db60981931fa69207513073f8a4a13f2262068024e478a514dd6b849f2edfcdb21d04380abe6fcb897e8904b0c828fc106bc8752
SSDEEP

6144:8L5UO7uyUmmR3ZiQp2Fu4CU2RWGsIWA9+WsQj30zM/m61R7U:8L5P7uyVmPGu4CU2RUIP9+xQj3jm

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2200	msq23.exe
2628	msq23.exe
1780	msq23.exe
636	msq23.exe
2932	msq23.exe
2944	msq23.exe
340	msq23.exe
2348	msq23.exe
2356	msq23.exe
980	msq23.exe

Loads dropped DLL 20 IoCs

pid	Process
1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
2200	msq23.exe
2200	msq23.exe
2628	msq23.exe
2628	msq23.exe
1780	msq23.exe
1780	msq23.exe
636	msq23.exe
636	msq23.exe
2932	msq23.exe
2932	msq23.exe
2944	msq23.exe
2944	msq23.exe
340	msq23.exe
340	msq23.exe
2348	msq23.exe
2348	msq23.exe
2356	msq23.exe
2356	msq23.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msq23.exe	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File opened for modification	C:\Windows\SysWOW64\msq23.exe	msq23.exe
File created	C:\Windows\SysWOW64\msq23.exe	msq23.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq23.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2200	1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2200	1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2200	1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2200	1064	8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2628	2200	msq23.exe	31
PID 2200 wrote to memory of 2628	2200	msq23.exe	31
PID 2200 wrote to memory of 2628	2200	msq23.exe	31
PID 2200 wrote to memory of 2628	2200	msq23.exe	31
PID 2628 wrote to memory of 1780	2628	msq23.exe	32
PID 2628 wrote to memory of 1780	2628	msq23.exe	32
PID 2628 wrote to memory of 1780	2628	msq23.exe	32
PID 2628 wrote to memory of 1780	2628	msq23.exe	32
PID 1780 wrote to memory of 636	1780	msq23.exe	33
PID 1780 wrote to memory of 636	1780	msq23.exe	33
PID 1780 wrote to memory of 636	1780	msq23.exe	33
PID 1780 wrote to memory of 636	1780	msq23.exe	33
PID 636 wrote to memory of 2932	636	msq23.exe	34
PID 636 wrote to memory of 2932	636	msq23.exe	34
PID 636 wrote to memory of 2932	636	msq23.exe	34
PID 636 wrote to memory of 2932	636	msq23.exe	34
PID 2932 wrote to memory of 2944	2932	msq23.exe	35
PID 2932 wrote to memory of 2944	2932	msq23.exe	35
PID 2932 wrote to memory of 2944	2932	msq23.exe	35
PID 2932 wrote to memory of 2944	2932	msq23.exe	35
PID 2944 wrote to memory of 340	2944	msq23.exe	36
PID 2944 wrote to memory of 340	2944	msq23.exe	36
PID 2944 wrote to memory of 340	2944	msq23.exe	36
PID 2944 wrote to memory of 340	2944	msq23.exe	36
PID 340 wrote to memory of 2348	340	msq23.exe	38
PID 340 wrote to memory of 2348	340	msq23.exe	38
PID 340 wrote to memory of 2348	340	msq23.exe	38
PID 340 wrote to memory of 2348	340	msq23.exe	38
PID 2348 wrote to memory of 2356	2348	msq23.exe	39
PID 2348 wrote to memory of 2356	2348	msq23.exe	39
PID 2348 wrote to memory of 2356	2348	msq23.exe	39
PID 2348 wrote to memory of 2356	2348	msq23.exe	39
PID 2356 wrote to memory of 980	2356	msq23.exe	40
PID 2356 wrote to memory of 980	2356	msq23.exe	40
PID 2356 wrote to memory of 980	2356	msq23.exe	40
PID 2356 wrote to memory of 980	2356	msq23.exe	40

C:\Users\Admin\AppData\Local\Temp\8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\msq23.exe
  C:\Windows\system32\msq23.exe 504 "C:\Users\Admin\AppData\Local\Temp\8ff2493e38fb26b5ade18347e659234a_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\msq23.exe
    C:\Windows\system32\msq23.exe 532 "C:\Windows\SysWOW64\msq23.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\msq23.exe
      C:\Windows\system32\msq23.exe 520 "C:\Windows\SysWOW64\msq23.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 536 "C:\Windows\SysWOW64\msq23.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 556 "C:\Windows\SysWOW64\msq23.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 544 "C:\Windows\SysWOW64\msq23.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 548 "C:\Windows\SysWOW64\msq23.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 552 "C:\Windows\SysWOW64\msq23.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 540 "C:\Windows\SysWOW64\msq23.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\msq23.exe
        
        C:\Windows\system32\msq23.exe 564 "C:\Windows\SysWOW64\msq23.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msq23.exe

Filesize
401KB

MD5
8ff2493e38fb26b5ade18347e659234a

SHA1
c71ab76574c6dec55d7133559e11bcad752437c7

SHA256
f381e1f8f462a5b2de8e6384867e3546e50b8b7830d25f4f34b3154c61859062

SHA512
8894137422980454212e3548db60981931fa69207513073f8a4a13f2262068024e478a514dd6b849f2edfcdb21d04380abe6fcb897e8904b0c828fc106bc8752

Download Submit