metasploit | 1a248a52f78dc5dad37a0eabd2beb47480890e1742707d4780cd454e4791bcb4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
Size

548KB
MD5

abe300564511a30fae7e7248f704b7e1
SHA1

43954340f7dcee1cc820d7f6533362d31a8b2485
SHA256

1a248a52f78dc5dad37a0eabd2beb47480890e1742707d4780cd454e4791bcb4
SHA512

88be09fbfafffbdfecf167ccfa23a0992114c30e9e3ebcf0e5c8a0092251ee645e6ef8bbcc93a9e531758ec5f9e258c48ab78442be91503b7fc12e60e852f0d8
SSDEEP

12288:qdnY2XPBf5kesOWlUYB3kNNQYP1YNwjsvd:2nHXPB5kdBUEYP1gwAvd

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 20 IoCs

pid	Process
3844	cryptnets.exe
528	cryptnets.exe
3504	cryptnets.exe
1924	cryptnets.exe
4572	cryptnets.exe
3104	cryptnets.exe
1840	cryptnets.exe
3376	cryptnets.exe
3956	cryptnets.exe
1544	cryptnets.exe
3844	cryptnets.exe
4848	cryptnets.exe
712	cryptnets.exe
4020	cryptnets.exe
4984	cryptnets.exe
1408	cryptnets.exe
1012	cryptnets.exe
2584	cryptnets.exe
2112	cryptnets.exe
3752	cryptnets.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File opened for modification	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	cryptnets.exe
File created	C:\Windows\SysWOW64\cryptnets.exe	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 3844 set thread context of 528	3844	cryptnets.exe	85
PID 3504 set thread context of 1924	3504	cryptnets.exe	99
PID 4572 set thread context of 3104	4572	cryptnets.exe	104
PID 1840 set thread context of 3376	1840	cryptnets.exe	106
PID 3956 set thread context of 1544	3956	cryptnets.exe	109
PID 3844 set thread context of 4848	3844	cryptnets.exe	111
PID 712 set thread context of 4020	712	cryptnets.exe	113
PID 4984 set thread context of 1408	4984	cryptnets.exe	115
PID 1012 set thread context of 2584	1012	cryptnets.exe	117
PID 2112 set thread context of 3752	2112	cryptnets.exe	119

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryptnets.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
3844	cryptnets.exe
3504	cryptnets.exe
4572	cryptnets.exe
1840	cryptnets.exe
3956	cryptnets.exe
3844	cryptnets.exe
712	cryptnets.exe
4984	cryptnets.exe
1012	cryptnets.exe
2112	cryptnets.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 4388 wrote to memory of 3136	4388	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	83
PID 3136 wrote to memory of 3844	3136	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	84
PID 3136 wrote to memory of 3844	3136	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	84
PID 3136 wrote to memory of 3844	3136	abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe	84
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 3844 wrote to memory of 528	3844	cryptnets.exe	85
PID 528 wrote to memory of 3504	528	cryptnets.exe	98
PID 528 wrote to memory of 3504	528	cryptnets.exe	98
PID 528 wrote to memory of 3504	528	cryptnets.exe	98
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 3504 wrote to memory of 1924	3504	cryptnets.exe	99
PID 1924 wrote to memory of 4572	1924	cryptnets.exe	103
PID 1924 wrote to memory of 4572	1924	cryptnets.exe	103
PID 1924 wrote to memory of 4572	1924	cryptnets.exe	103
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 4572 wrote to memory of 3104	4572	cryptnets.exe	104
PID 3104 wrote to memory of 1840	3104	cryptnets.exe	105
PID 3104 wrote to memory of 1840	3104	cryptnets.exe	105
PID 3104 wrote to memory of 1840	3104	cryptnets.exe	105
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106
PID 1840 wrote to memory of 3376	1840	cryptnets.exe	106

C:\Users\Admin\AppData\Local\Temp\abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\cryptnets.exe
    C:\Windows\system32\cryptnets.exe 1132 "C:\Users\Admin\AppData\Local\Temp\abe300564511a30fae7e7248f704b7e1_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\cryptnets.exe
      C:\Windows\SysWOW64\cryptnets.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:528
    - - C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1148 "C:\Windows\SysWOW64\cryptnets.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1124 "C:\Windows\SysWOW64\cryptnets.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1120 "C:\Windows\SysWOW64\cryptnets.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1120 "C:\Windows\SysWOW64\cryptnets.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1120 "C:\Windows\SysWOW64\cryptnets.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1120 "C:\Windows\SysWOW64\cryptnets.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 924 "C:\Windows\SysWOW64\cryptnets.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1088 "C:\Windows\SysWOW64\cryptnets.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\system32\cryptnets.exe 1124 "C:\Windows\SysWOW64\cryptnets.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cryptnets.exe
        
        C:\Windows\SysWOW64\cryptnets.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cryptnets.exe

Filesize
548KB

MD5
abe300564511a30fae7e7248f704b7e1

SHA1
43954340f7dcee1cc820d7f6533362d31a8b2485

SHA256
1a248a52f78dc5dad37a0eabd2beb47480890e1742707d4780cd454e4791bcb4

SHA512
88be09fbfafffbdfecf167ccfa23a0992114c30e9e3ebcf0e5c8a0092251ee645e6ef8bbcc93a9e531758ec5f9e258c48ab78442be91503b7fc12e60e852f0d8

Download Submit
memory/528-20-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/528-21-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/528-22-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1408-85-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1544-58-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1924-31-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2584-94-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3104-40-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3136-16-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3136-2-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3136-5-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3136-4-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3376-49-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4020-76-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4848-67-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download