metasploit | f33980daf3faf7b042c76bbf4256e309399c3d78891c075e71af3ab6889eb0a5

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
Size

93KB
MD5

a08c36ce4fc63d3d737b76fe24a65c0e
SHA1

cf7c1d0235b7145e70b9f153fd831082d3b23ba0
SHA256

f33980daf3faf7b042c76bbf4256e309399c3d78891c075e71af3ab6889eb0a5
SHA512

8d2963f15f10b78a14ca28d5c7bcc2e2460e80ac724794ef04d297925978cc1a2ebc60ea5e989ffdec9c4d4bf26e12ab13f2e12014399a0c4dc0445919b57842
SSDEEP

1536:V/snZ4NJ8QAUIqvcUYNaxNIe9AR63oYklGi5rc7LtCzJqK/U4tg2vYdo0917:V0nuNJUqNYuIrSelrVStCzJzTe2vYdo+

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2324	wuamgrd.exe
2868	wuamgrd.exe
2760	wuamgrd.exe
2656	wuamgrd.exe
2288	wuamgrd.exe
380	wuamgrd.exe
1448	wuamgrd.exe
2952	wuamgrd.exe
2232	wuamgrd.exe
448	wuamgrd.exe

Loads dropped DLL 20 IoCs

pid	Process
2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
2324	wuamgrd.exe
2324	wuamgrd.exe
2868	wuamgrd.exe
2868	wuamgrd.exe
2760	wuamgrd.exe
2760	wuamgrd.exe
2656	wuamgrd.exe
2656	wuamgrd.exe
2288	wuamgrd.exe
2288	wuamgrd.exe
380	wuamgrd.exe
380	wuamgrd.exe
1448	wuamgrd.exe
1448	wuamgrd.exe
2952	wuamgrd.exe
2952	wuamgrd.exe
2232	wuamgrd.exe
2232	wuamgrd.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File opened for modification	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe
File created	C:\Windows\SysWOW64\wuamgrd.exe	wuamgrd.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuamgrd.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2324	2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2324	2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2324	2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe	30
PID 2072 wrote to memory of 2324	2072	a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2868	2324	wuamgrd.exe	32
PID 2324 wrote to memory of 2868	2324	wuamgrd.exe	32
PID 2324 wrote to memory of 2868	2324	wuamgrd.exe	32
PID 2324 wrote to memory of 2868	2324	wuamgrd.exe	32
PID 2868 wrote to memory of 2760	2868	wuamgrd.exe	33
PID 2868 wrote to memory of 2760	2868	wuamgrd.exe	33
PID 2868 wrote to memory of 2760	2868	wuamgrd.exe	33
PID 2868 wrote to memory of 2760	2868	wuamgrd.exe	33
PID 2760 wrote to memory of 2656	2760	wuamgrd.exe	34
PID 2760 wrote to memory of 2656	2760	wuamgrd.exe	34
PID 2760 wrote to memory of 2656	2760	wuamgrd.exe	34
PID 2760 wrote to memory of 2656	2760	wuamgrd.exe	34
PID 2656 wrote to memory of 2288	2656	wuamgrd.exe	35
PID 2656 wrote to memory of 2288	2656	wuamgrd.exe	35
PID 2656 wrote to memory of 2288	2656	wuamgrd.exe	35
PID 2656 wrote to memory of 2288	2656	wuamgrd.exe	35
PID 2288 wrote to memory of 380	2288	wuamgrd.exe	36
PID 2288 wrote to memory of 380	2288	wuamgrd.exe	36
PID 2288 wrote to memory of 380	2288	wuamgrd.exe	36
PID 2288 wrote to memory of 380	2288	wuamgrd.exe	36
PID 380 wrote to memory of 1448	380	wuamgrd.exe	37
PID 380 wrote to memory of 1448	380	wuamgrd.exe	37
PID 380 wrote to memory of 1448	380	wuamgrd.exe	37
PID 380 wrote to memory of 1448	380	wuamgrd.exe	37
PID 1448 wrote to memory of 2952	1448	wuamgrd.exe	38
PID 1448 wrote to memory of 2952	1448	wuamgrd.exe	38
PID 1448 wrote to memory of 2952	1448	wuamgrd.exe	38
PID 1448 wrote to memory of 2952	1448	wuamgrd.exe	38
PID 2952 wrote to memory of 2232	2952	wuamgrd.exe	39
PID 2952 wrote to memory of 2232	2952	wuamgrd.exe	39
PID 2952 wrote to memory of 2232	2952	wuamgrd.exe	39
PID 2952 wrote to memory of 2232	2952	wuamgrd.exe	39
PID 2232 wrote to memory of 448	2232	wuamgrd.exe	40
PID 2232 wrote to memory of 448	2232	wuamgrd.exe	40
PID 2232 wrote to memory of 448	2232	wuamgrd.exe	40
PID 2232 wrote to memory of 448	2232	wuamgrd.exe	40

C:\Users\Admin\AppData\Local\Temp\a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\wuamgrd.exe
  C:\Windows\system32\wuamgrd.exe 452 "C:\Users\Admin\AppData\Local\Temp\a08c36ce4fc63d3d737b76fe24a65c0e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\wuamgrd.exe
    C:\Windows\system32\wuamgrd.exe 504 "C:\Windows\SysWOW64\wuamgrd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\wuamgrd.exe
      C:\Windows\system32\wuamgrd.exe 508 "C:\Windows\SysWOW64\wuamgrd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 512 "C:\Windows\SysWOW64\wuamgrd.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 516 "C:\Windows\SysWOW64\wuamgrd.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 520 "C:\Windows\SysWOW64\wuamgrd.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 524 "C:\Windows\SysWOW64\wuamgrd.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 528 "C:\Windows\SysWOW64\wuamgrd.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 532 "C:\Windows\SysWOW64\wuamgrd.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\wuamgrd.exe
        
        C:\Windows\system32\wuamgrd.exe 536 "C:\Windows\SysWOW64\wuamgrd.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wuamgrd.exe

Filesize
93KB

MD5
a08c36ce4fc63d3d737b76fe24a65c0e

SHA1
cf7c1d0235b7145e70b9f153fd831082d3b23ba0

SHA256
f33980daf3faf7b042c76bbf4256e309399c3d78891c075e71af3ab6889eb0a5

SHA512
8d2963f15f10b78a14ca28d5c7bcc2e2460e80ac724794ef04d297925978cc1a2ebc60ea5e989ffdec9c4d4bf26e12ab13f2e12014399a0c4dc0445919b57842

Download Submit
memory/380-37-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/448-57-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1448-42-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2072-11-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2232-52-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2288-32-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2324-12-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2656-27-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2760-22-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2868-17-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2952-47-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download