metasploit | 12cdebb4fcb3ba8b2a20c02ce2511d313f53c0c22c8cfe04870bb48396f5fdd7

Analysis

max time kernel
147s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe
Size

153KB
MD5

aa387aaa0b91d9e94474aac00e584365
SHA1

459d0ad1a6380154da13f4bcce60da23919a98b2
SHA256

12cdebb4fcb3ba8b2a20c02ce2511d313f53c0c22c8cfe04870bb48396f5fdd7
SHA512

ab0b20678a81fd19cbf18d364a52df5b60c0428476e0eb19e5ee172702f56a65db4c2d3209e69260e8374c4d5caf2d48020a54d7a2ca40fcc936233ad8b97b21
SSDEEP

3072:PfVskFgAFay1Gt9xPUKWUCfTYxSzzdniHlcbLHm7a:PNskFPFaaGtDMv9fnzhniHGby7a

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2560	winupdat.exe
1132	winupdat.exe
3720	winupdat.exe
1504	winupdat.exe
4064	winupdat.exe
4264	winupdat.exe
2512	winupdat.exe
2712	winupdat.exe
1124	winupdat.exe
868	winupdat.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File created	C:\windows\SysWOW64\Aquarium-06.scr	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\windows\SysWOW64\Aquarium-06.scr	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File created	C:\Windows\SysWOW64\winupdat.exe	winupdat.exe
File opened for modification	C:\Windows\SysWOW64\winupdat.exe	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdat.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2560	904	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe	83
PID 904 wrote to memory of 2560	904	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe	83
PID 904 wrote to memory of 2560	904	aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe	83
PID 2560 wrote to memory of 1132	2560	winupdat.exe	97
PID 2560 wrote to memory of 1132	2560	winupdat.exe	97
PID 2560 wrote to memory of 1132	2560	winupdat.exe	97
PID 1132 wrote to memory of 3720	1132	winupdat.exe	101
PID 1132 wrote to memory of 3720	1132	winupdat.exe	101
PID 1132 wrote to memory of 3720	1132	winupdat.exe	101
PID 3720 wrote to memory of 1504	3720	winupdat.exe	104
PID 3720 wrote to memory of 1504	3720	winupdat.exe	104
PID 3720 wrote to memory of 1504	3720	winupdat.exe	104
PID 1504 wrote to memory of 4064	1504	winupdat.exe	106
PID 1504 wrote to memory of 4064	1504	winupdat.exe	106
PID 1504 wrote to memory of 4064	1504	winupdat.exe	106
PID 4064 wrote to memory of 4264	4064	winupdat.exe	109
PID 4064 wrote to memory of 4264	4064	winupdat.exe	109
PID 4064 wrote to memory of 4264	4064	winupdat.exe	109
PID 4264 wrote to memory of 2512	4264	winupdat.exe	111
PID 4264 wrote to memory of 2512	4264	winupdat.exe	111
PID 4264 wrote to memory of 2512	4264	winupdat.exe	111
PID 2512 wrote to memory of 2712	2512	winupdat.exe	113
PID 2512 wrote to memory of 2712	2512	winupdat.exe	113
PID 2512 wrote to memory of 2712	2512	winupdat.exe	113
PID 2712 wrote to memory of 1124	2712	winupdat.exe	115
PID 2712 wrote to memory of 1124	2712	winupdat.exe	115
PID 2712 wrote to memory of 1124	2712	winupdat.exe	115
PID 1124 wrote to memory of 868	1124	winupdat.exe	117
PID 1124 wrote to memory of 868	1124	winupdat.exe	117
PID 1124 wrote to memory of 868	1124	winupdat.exe	117

C:\Users\Admin\AppData\Local\Temp\aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\winupdat.exe
  C:\Windows\system32\winupdat.exe 1148 "C:\Users\Admin\AppData\Local\Temp\aa387aaa0b91d9e94474aac00e584365_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\winupdat.exe
    C:\Windows\system32\winupdat.exe 1152 "C:\Windows\SysWOW64\winupdat.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\winupdat.exe
      C:\Windows\system32\winupdat.exe 1124 "C:\Windows\SysWOW64\winupdat.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1120 "C:\Windows\SysWOW64\winupdat.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 992 "C:\Windows\SysWOW64\winupdat.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1132 "C:\Windows\SysWOW64\winupdat.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1140 "C:\Windows\SysWOW64\winupdat.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1136 "C:\Windows\SysWOW64\winupdat.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1104 "C:\Windows\SysWOW64\winupdat.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\winupdat.exe
        
        C:\Windows\system32\winupdat.exe 1156 "C:\Windows\SysWOW64\winupdat.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winupdat.exe

Filesize
153KB

MD5
aa387aaa0b91d9e94474aac00e584365

SHA1
459d0ad1a6380154da13f4bcce60da23919a98b2

SHA256
12cdebb4fcb3ba8b2a20c02ce2511d313f53c0c22c8cfe04870bb48396f5fdd7

SHA512
ab0b20678a81fd19cbf18d364a52df5b60c0428476e0eb19e5ee172702f56a65db4c2d3209e69260e8374c4d5caf2d48020a54d7a2ca40fcc936233ad8b97b21

Download Submit
C:\nude_pic.scr

Filesize
153KB

MD5
938139fae4072f362940c3803053daae

SHA1
e28002da608ad9a7fb0eeccc1dcb436e4dcf3d77

SHA256
4de7d8da051da25796044c938e92cce816b4daed22bf78760e858809e806f251

SHA512
0369594edbc5ee8550313b17fd56f4df51127d4a5a94627534462142523158aa3595fc9c5825c1af001710e5ed79c79e02bd79c858311cafb9783c3acd6d2452

Download Submit
memory/868-103-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/868-104-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/904-13-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/904-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/904-1-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/904-2-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1124-95-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1132-23-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1132-26-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1132-27-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1132-25-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/1132-24-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1504-48-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2512-76-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2560-12-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2560-14-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2560-15-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2712-86-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2712-85-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/3720-37-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/3720-39-0x0000000000020000-0x000000000003B000-memory.dmp

Filesize
108KB

Download
memory/3720-38-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/3720-36-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4064-58-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4064-57-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4264-67-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download