metasploit | c5631bed2b3c9c899d5ed9176f4d69444bd354d6ef311eeefa18fae1d8be99a3

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
Size

155KB
MD5

9246ed3f080a5b1ffb18cf72f1cd6ea9
SHA1

04d6d08a2ba9fa7268e8f7d3c3779052b4d61754
SHA256

c5631bed2b3c9c899d5ed9176f4d69444bd354d6ef311eeefa18fae1d8be99a3
SHA512

cd686c5a15e033ff8389c950dfdbe55a4fc28d4547af339b363699cd572d910e3162d2b36190ea98e576553e7e32429099cf3c5556f0dab2094b9e8ffa20d782
SSDEEP

3072:PfVskFgAFay1Gt9xPUKWUCfTYxSzzdniHlcbLHm7C:PNskFPFaaGtDMv9fnzhniHGby7C

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2264	winupdat.exe
2832	winupdat.exe
2860	winupdat.exe
2876	winupdat.exe
1612	winupdat.exe
2120	winupdat.exe
1328	winupdat.exe
1748	winupdat.exe
2460	winupdat.exe
1716	winupdat.exe

Loads dropped DLL 20 IoCs

pid	Process
2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
2264	winupdat.exe
2264	winupdat.exe
2832	winupdat.exe
2832	winupdat.exe
2860	winupdat.exe
2860	winupdat.exe
2876	winupdat.exe
2876	winupdat.exe
1612	winupdat.exe
1612	winupdat.exe
2120	winupdat.exe
2120	winupdat.exe
1328	winupdat.exe
1328	winupdat.exe
1748	winupdat.exe
1748	winupdat.exe
2460	winupdat.exe
2460	winupdat.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
File created	C:\windows\SysWOW64\Aquarium-06.scr	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2264	2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2264	2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2264	2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2264	2156	9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe	30
PID 2264 wrote to memory of 2832	2264	winupdat.exe	33
PID 2264 wrote to memory of 2832	2264	winupdat.exe	33
PID 2264 wrote to memory of 2832	2264	winupdat.exe	33
PID 2264 wrote to memory of 2832	2264	winupdat.exe	33
PID 2832 wrote to memory of 2860	2832	winupdat.exe	35
PID 2832 wrote to memory of 2860	2832	winupdat.exe	35
PID 2832 wrote to memory of 2860	2832	winupdat.exe	35
PID 2832 wrote to memory of 2860	2832	winupdat.exe	35
PID 2860 wrote to memory of 2876	2860	winupdat.exe	36
PID 2860 wrote to memory of 2876	2860	winupdat.exe	36
PID 2860 wrote to memory of 2876	2860	winupdat.exe	36
PID 2860 wrote to memory of 2876	2860	winupdat.exe	36
PID 2876 wrote to memory of 1612	2876	winupdat.exe	37
PID 2876 wrote to memory of 1612	2876	winupdat.exe	37
PID 2876 wrote to memory of 1612	2876	winupdat.exe	37
PID 2876 wrote to memory of 1612	2876	winupdat.exe	37
PID 1612 wrote to memory of 2120	1612	winupdat.exe	38
PID 1612 wrote to memory of 2120	1612	winupdat.exe	38
PID 1612 wrote to memory of 2120	1612	winupdat.exe	38
PID 1612 wrote to memory of 2120	1612	winupdat.exe	38
PID 2120 wrote to memory of 1328	2120	winupdat.exe	39
PID 2120 wrote to memory of 1328	2120	winupdat.exe	39
PID 2120 wrote to memory of 1328	2120	winupdat.exe	39
PID 2120 wrote to memory of 1328	2120	winupdat.exe	39
PID 1328 wrote to memory of 1748	1328	winupdat.exe	40
PID 1328 wrote to memory of 1748	1328	winupdat.exe	40
PID 1328 wrote to memory of 1748	1328	winupdat.exe	40
PID 1328 wrote to memory of 1748	1328	winupdat.exe	40
PID 1748 wrote to memory of 2460	1748	winupdat.exe	41
PID 1748 wrote to memory of 2460	1748	winupdat.exe	41
PID 1748 wrote to memory of 2460	1748	winupdat.exe	41
PID 1748 wrote to memory of 2460	1748	winupdat.exe	41
PID 2460 wrote to memory of 1716	2460	winupdat.exe	42
PID 2460 wrote to memory of 1716	2460	winupdat.exe	42
PID 2460 wrote to memory of 1716	2460	winupdat.exe	42
PID 2460 wrote to memory of 1716	2460	winupdat.exe	42

C:\Users\Admin\AppData\Local\Temp\9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\winupdat.exe
  C:\Windows\system32\winupdat.exe 496 "C:\Users\Admin\AppData\Local\Temp\9246ed3f080a5b1ffb18cf72f1cd6ea9_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\winupdat.exe
    C:\Windows\system32\winupdat.exe 536 "C:\Windows\SysWOW64\winupdat.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\winupdat.exe
      C:\Windows\system32\winupdat.exe 544 "C:\Windows\SysWOW64\winupdat.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 532 "C:\Windows\SysWOW64\winupdat.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 540 "C:\Windows\SysWOW64\winupdat.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 548 "C:\Windows\SysWOW64\winupdat.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 560 "C:\Windows\SysWOW64\winupdat.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 556 "C:\Windows\SysWOW64\winupdat.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 568 "C:\Windows\SysWOW64\winupdat.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 572 "C:\Windows\SysWOW64\winupdat.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winupdat.exe

Filesize
155KB

MD5
9246ed3f080a5b1ffb18cf72f1cd6ea9

SHA1
04d6d08a2ba9fa7268e8f7d3c3779052b4d61754

SHA256
c5631bed2b3c9c899d5ed9176f4d69444bd354d6ef311eeefa18fae1d8be99a3

SHA512
cd686c5a15e033ff8389c950dfdbe55a4fc28d4547af339b363699cd572d910e3162d2b36190ea98e576553e7e32429099cf3c5556f0dab2094b9e8ffa20d782

Download Submit
C:\nude_pic.scr

Filesize
155KB

MD5
13f6648245c803c902eeebce1992003c

SHA1
44f2c9a34a70e888bc4ca90fbeff66296744a75b

SHA256
96f23e0e26f5f81974dccdad6d8567363ea211ee81aab0bec10b2a5a84fac394

SHA512
c1bfc84503a8851bc12e6edcdbec6b2c26b63e954f14d7cbda6b05ccd1c4e86b72d6292928fb65ef62a2c58929a838491be6c3d08ec6f0da565402a0ee6cb160

Download Submit
C:\nude_pic.scr

Filesize
155KB

MD5
34cfd342c96f44062a4884c29535f37d

SHA1
5e977dd33425e9adbdb6e65ad055f11bab32b54b

SHA256
804a6ccbdbb0059cada103e626b32877327a9841ae97fc25a8985cc7139734fc

SHA512
a8bdddc42b9a6d990aa938e17e9028fb91c4790e0e891cb4544c80325537dd1604c791a7ac6442ad52bf786addcb00aa7c0527802a3ccc732ad34e6a77740c73

Download Submit
C:\nude_pic.scr

Filesize
155KB

MD5
815c2cb1bff4804aad98754a8d0e0532

SHA1
875feff2b717e87e5b96872bc1acd8dc491f0402

SHA256
f0d778c58a4887277d72766cf30ddbbe01b1de540e2b8b5d0943b68b35f8b328

SHA512
903e90c47efbf6a0d8942a32a2cb3b367af21eaccc7e291d71a34cd81430a9b46f92591a4572bae2bedd3e14a2077393362bd25520886fcf1d547f23750faf8a

Download Submit
memory/1328-93-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1612-71-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1716-126-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1748-104-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2120-82-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2156-21-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2156-15-0x0000000002850000-0x0000000002973000-memory.dmp

Filesize
1.1MB

Download
memory/2156-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2156-2-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2156-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2264-22-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2264-32-0x0000000002AA0000-0x0000000002BC3000-memory.dmp

Filesize
1.1MB

Download
memory/2264-18-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2264-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2460-115-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2832-35-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2832-45-0x0000000002A10000-0x0000000002B33000-memory.dmp

Filesize
1.1MB

Download
memory/2832-33-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2860-48-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2860-46-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2876-60-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2876-58-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download