metasploit | ac357c437fb811fd26c500fd7b22629ab089c45e130b2870195cfa633de1d167

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
Size

323KB
MD5

a74a1519011d08c8a3524144765e3fe0
SHA1

30354936612ed44c6e8e1b08eea8e225cab06616
SHA256

ac357c437fb811fd26c500fd7b22629ab089c45e130b2870195cfa633de1d167
SHA512

4eba836c1b9803ceea4d01c09cd057f58c3b9b368187c4a2f7f278bd6bebc5d13bc7d8ffd9c0b7a12ea56f5a4021a3f2962cd6f1ebd7fd0b729f18c1763d9694
SSDEEP

1536:7idi4xZsarhAGo7+7T/ziPxjoBXDK+HHnnq:m8OCU6FoBXdHnnq

Score

10^/10

metasploit backdoor discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\system32\\drivers\\dafmgr.exe"	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\dafmgr.exe	dafmgr.exe
File created	C:\Windows\SysWOW64\drivers\dafmgr.exe	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\dafmgr.exe	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\dafmgr.exe	dafmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	dafmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\system32\\drivers\\dafmgr.exe"	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\logfile32.txt	dafmgr.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dafmgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2960	3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe	82
PID 3836 wrote to memory of 2960	3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe	82
PID 3836 wrote to memory of 2960	3836	a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a74a1519011d08c8a3524144765e3fe0_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\SysWOW64\drivers\dafmgr.exe
  "C:\Windows\system32\drivers\dafmgr.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\dafmgr.exe

Filesize
323KB

MD5
a74a1519011d08c8a3524144765e3fe0

SHA1
30354936612ed44c6e8e1b08eea8e225cab06616

SHA256
ac357c437fb811fd26c500fd7b22629ab089c45e130b2870195cfa633de1d167

SHA512
4eba836c1b9803ceea4d01c09cd057f58c3b9b368187c4a2f7f278bd6bebc5d13bc7d8ffd9c0b7a12ea56f5a4021a3f2962cd6f1ebd7fd0b729f18c1763d9694

Download Submit
memory/2960-7-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3836-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3836-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download