metasploit | e92e60a8605e161b5087d7c64bd3dbd8bacac9cf7f032c2e1939fa874c70e11e

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
Size

93KB
MD5

a3d4721af23e576373b7dcf4868ff310
SHA1

aca02c0c2b45a037968d4c42c4f51f654cd3ad7f
SHA256

e92e60a8605e161b5087d7c64bd3dbd8bacac9cf7f032c2e1939fa874c70e11e
SHA512

03fd76ec9513431fe79542bf97e6d7e17a822aea227c010ee1f26fc0333014e3a8fbf861a56dd48c9e2de165f10f4bc97b1e3f68fbb971ab5153371ff3150952
SSDEEP

1536:Pgs9QoWlIUV0D6dJSnVV39XN15ZC4F6NwqnfKVnPU3xm+zI4g8jmufY0t7W8nZf4:3WmCI6ijBilNZfJBm+zg8CufjtVnZf4

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2488	msmisso.exe
2540	msmisso.exe
2812	msmisso.exe
2844	msmisso.exe
2876	msmisso.exe
1984	msmisso.exe
1740	msmisso.exe
2072	msmisso.exe
564	msmisso.exe
1612	msmisso.exe

Loads dropped DLL 20 IoCs

pid	Process
2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
2488	msmisso.exe
2488	msmisso.exe
2540	msmisso.exe
2540	msmisso.exe
2812	msmisso.exe
2812	msmisso.exe
2844	msmisso.exe
2844	msmisso.exe
2876	msmisso.exe
2876	msmisso.exe
1984	msmisso.exe
1984	msmisso.exe
1740	msmisso.exe
1740	msmisso.exe
2072	msmisso.exe
2072	msmisso.exe
564	msmisso.exe
564	msmisso.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File opened for modification	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe
File created	C:\Windows\SysWOW64\msmisso.exe	msmisso.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmisso.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2488	2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2488	2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2488	2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2488	2580	a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2540	2488	msmisso.exe	32
PID 2488 wrote to memory of 2540	2488	msmisso.exe	32
PID 2488 wrote to memory of 2540	2488	msmisso.exe	32
PID 2488 wrote to memory of 2540	2488	msmisso.exe	32
PID 2540 wrote to memory of 2812	2540	msmisso.exe	33
PID 2540 wrote to memory of 2812	2540	msmisso.exe	33
PID 2540 wrote to memory of 2812	2540	msmisso.exe	33
PID 2540 wrote to memory of 2812	2540	msmisso.exe	33
PID 2812 wrote to memory of 2844	2812	msmisso.exe	34
PID 2812 wrote to memory of 2844	2812	msmisso.exe	34
PID 2812 wrote to memory of 2844	2812	msmisso.exe	34
PID 2812 wrote to memory of 2844	2812	msmisso.exe	34
PID 2844 wrote to memory of 2876	2844	msmisso.exe	35
PID 2844 wrote to memory of 2876	2844	msmisso.exe	35
PID 2844 wrote to memory of 2876	2844	msmisso.exe	35
PID 2844 wrote to memory of 2876	2844	msmisso.exe	35
PID 2876 wrote to memory of 1984	2876	msmisso.exe	36
PID 2876 wrote to memory of 1984	2876	msmisso.exe	36
PID 2876 wrote to memory of 1984	2876	msmisso.exe	36
PID 2876 wrote to memory of 1984	2876	msmisso.exe	36
PID 1984 wrote to memory of 1740	1984	msmisso.exe	37
PID 1984 wrote to memory of 1740	1984	msmisso.exe	37
PID 1984 wrote to memory of 1740	1984	msmisso.exe	37
PID 1984 wrote to memory of 1740	1984	msmisso.exe	37
PID 1740 wrote to memory of 2072	1740	msmisso.exe	38
PID 1740 wrote to memory of 2072	1740	msmisso.exe	38
PID 1740 wrote to memory of 2072	1740	msmisso.exe	38
PID 1740 wrote to memory of 2072	1740	msmisso.exe	38
PID 2072 wrote to memory of 564	2072	msmisso.exe	39
PID 2072 wrote to memory of 564	2072	msmisso.exe	39
PID 2072 wrote to memory of 564	2072	msmisso.exe	39
PID 2072 wrote to memory of 564	2072	msmisso.exe	39
PID 564 wrote to memory of 1612	564	msmisso.exe	40
PID 564 wrote to memory of 1612	564	msmisso.exe	40
PID 564 wrote to memory of 1612	564	msmisso.exe	40
PID 564 wrote to memory of 1612	564	msmisso.exe	40

C:\Users\Admin\AppData\Local\Temp\a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\msmisso.exe
  C:\Windows\system32\msmisso.exe 452 "C:\Users\Admin\AppData\Local\Temp\a3d4721af23e576373b7dcf4868ff310_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\msmisso.exe
    C:\Windows\system32\msmisso.exe 516 "C:\Windows\SysWOW64\msmisso.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\msmisso.exe
      C:\Windows\system32\msmisso.exe 524 "C:\Windows\SysWOW64\msmisso.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 520 "C:\Windows\SysWOW64\msmisso.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 532 "C:\Windows\SysWOW64\msmisso.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 512 "C:\Windows\SysWOW64\msmisso.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 528 "C:\Windows\SysWOW64\msmisso.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 536 "C:\Windows\SysWOW64\msmisso.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 548 "C:\Windows\SysWOW64\msmisso.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\msmisso.exe
        
        C:\Windows\system32\msmisso.exe 544 "C:\Windows\SysWOW64\msmisso.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msmisso.exe

Filesize
93KB

MD5
a3d4721af23e576373b7dcf4868ff310

SHA1
aca02c0c2b45a037968d4c42c4f51f654cd3ad7f

SHA256
e92e60a8605e161b5087d7c64bd3dbd8bacac9cf7f032c2e1939fa874c70e11e

SHA512
03fd76ec9513431fe79542bf97e6d7e17a822aea227c010ee1f26fc0333014e3a8fbf861a56dd48c9e2de165f10f4bc97b1e3f68fbb971ab5153371ff3150952

Download Submit
memory/564-52-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/1612-57-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/1740-42-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/1984-37-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2072-47-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2488-12-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2540-17-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2580-11-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2812-22-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2844-27-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download
memory/2876-32-0x0000000000400000-0x0000000000976318-memory.dmp

Filesize
5.5MB

Download