metasploit | 05aeda20e41ca92a853806bd846b8d1703ae8b36857f2aec62c298feca0624b1 | Triage

Sharing

General

Target

a942e57ad5f91351cc03c6b77b5dd439_JaffaCakes118
Size

158KB
Sample

241127-xxql4swmfv
MD5

a942e57ad5f91351cc03c6b77b5dd439
SHA1

89ea1c58c986f81d01f4da5a2c2917437e7f392a
SHA256

05aeda20e41ca92a853806bd846b8d1703ae8b36857f2aec62c298feca0624b1
SHA512

e68cd052a94c31de9bcb49353f6dfb5a250181ba4847f4f542b7f4ab96dbf134597d450527a17b8f4406116f246f511d2799fd2e3d91562b5743c24f5cbcc821
SSDEEP

3072:doixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:mW5jOA96xrRd

Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  a942e57ad5f91351cc03c6b77b5dd439_JaffaCakes118
- Size
  
  158KB
- MD5
  
  a942e57ad5f91351cc03c6b77b5dd439
- SHA1
  
  89ea1c58c986f81d01f4da5a2c2917437e7f392a
- SHA256
  
  05aeda20e41ca92a853806bd846b8d1703ae8b36857f2aec62c298feca0624b1
- SHA512
  
  e68cd052a94c31de9bcb49353f6dfb5a250181ba4847f4f542b7f4ab96dbf134597d450527a17b8f4406116f246f511d2799fd2e3d91562b5743c24f5cbcc821
- SSDEEP
  
  3072:doixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:mW5jOA96xrRd
Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan