metasploit | dcebf9ef50cb79f0686dacaa02f1a9ed34316f23dcd9630e57b78d91459a1811

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe
Size

153KB
MD5

b2ef11a82e287e6f0bf3fe57274adf11
SHA1

ed77b9ee297d71fae61ebeb98120dc52c6bdf54b
SHA256

dcebf9ef50cb79f0686dacaa02f1a9ed34316f23dcd9630e57b78d91459a1811
SHA512

b7fe00919bb55d0d3f370b413091cdbe7d2a7058d3de77887f6c3e499e153374de15d40548acb88f5e76f2bdca85be3a7a8a467d7aed9fb16628bb9e124839a0
SSDEEP

3072:DBU5v2uu18Q8d1+2ACISbkBdgYhNsGAcC04usWQQIork8K+zZ6x3Uo9G:+erN8HAZnzgYheufhrk8K+svG

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 20 IoCs

pid	Process
3192	MSSCF32.exe
3376	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
2568	MSSCF32.exe
2056	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
4644	MSSCF32.exe
4480	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
2088	MSSCF32.exe
2772	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
1472	MSSCF32.exe
2244	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
3588	MSSCF32.exe
2824	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
4144	MSSCF32.exe
2884	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
1732	MSSCF32.exe
2616	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
1872	MSSCF32.exe
1340	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
2500	MSSCF32.exe
2040	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File opened for modification	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe
File created	C:\Windows\SysWOW64\MSSCF32.exe	MSSCF32.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSSCF32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3192	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	83
PID 4884 wrote to memory of 3192	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	83
PID 4884 wrote to memory of 3192	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	83
PID 4884 wrote to memory of 3376	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	84
PID 4884 wrote to memory of 3376	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	84
PID 4884 wrote to memory of 3376	4884	b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe	84
PID 3192 wrote to memory of 2568	3192	MSSCF32.exe	92
PID 3192 wrote to memory of 2568	3192	MSSCF32.exe	92
PID 3192 wrote to memory of 2568	3192	MSSCF32.exe	92
PID 3192 wrote to memory of 2056	3192	MSSCF32.exe	93
PID 3192 wrote to memory of 2056	3192	MSSCF32.exe	93
PID 3192 wrote to memory of 2056	3192	MSSCF32.exe	93
PID 2568 wrote to memory of 4644	2568	MSSCF32.exe	102
PID 2568 wrote to memory of 4644	2568	MSSCF32.exe	102
PID 2568 wrote to memory of 4644	2568	MSSCF32.exe	102
PID 2568 wrote to memory of 4480	2568	MSSCF32.exe	103
PID 2568 wrote to memory of 4480	2568	MSSCF32.exe	103
PID 2568 wrote to memory of 4480	2568	MSSCF32.exe	103
PID 4644 wrote to memory of 2088	4644	MSSCF32.exe	105
PID 4644 wrote to memory of 2088	4644	MSSCF32.exe	105
PID 4644 wrote to memory of 2088	4644	MSSCF32.exe	105
PID 4644 wrote to memory of 2772	4644	MSSCF32.exe	106
PID 4644 wrote to memory of 2772	4644	MSSCF32.exe	106
PID 4644 wrote to memory of 2772	4644	MSSCF32.exe	106
PID 2088 wrote to memory of 1472	2088	MSSCF32.exe	107
PID 2088 wrote to memory of 1472	2088	MSSCF32.exe	107
PID 2088 wrote to memory of 1472	2088	MSSCF32.exe	107
PID 2088 wrote to memory of 2244	2088	MSSCF32.exe	108
PID 2088 wrote to memory of 2244	2088	MSSCF32.exe	108
PID 2088 wrote to memory of 2244	2088	MSSCF32.exe	108
PID 1472 wrote to memory of 3588	1472	MSSCF32.exe	109
PID 1472 wrote to memory of 3588	1472	MSSCF32.exe	109
PID 1472 wrote to memory of 3588	1472	MSSCF32.exe	109
PID 1472 wrote to memory of 2824	1472	MSSCF32.exe	110
PID 1472 wrote to memory of 2824	1472	MSSCF32.exe	110
PID 1472 wrote to memory of 2824	1472	MSSCF32.exe	110
PID 3588 wrote to memory of 4144	3588	MSSCF32.exe	111
PID 3588 wrote to memory of 4144	3588	MSSCF32.exe	111
PID 3588 wrote to memory of 4144	3588	MSSCF32.exe	111
PID 3588 wrote to memory of 2884	3588	MSSCF32.exe	112
PID 3588 wrote to memory of 2884	3588	MSSCF32.exe	112
PID 3588 wrote to memory of 2884	3588	MSSCF32.exe	112
PID 4144 wrote to memory of 1732	4144	MSSCF32.exe	113
PID 4144 wrote to memory of 1732	4144	MSSCF32.exe	113
PID 4144 wrote to memory of 1732	4144	MSSCF32.exe	113
PID 4144 wrote to memory of 2616	4144	MSSCF32.exe	114
PID 4144 wrote to memory of 2616	4144	MSSCF32.exe	114
PID 4144 wrote to memory of 2616	4144	MSSCF32.exe	114
PID 1732 wrote to memory of 1872	1732	MSSCF32.exe	115
PID 1732 wrote to memory of 1872	1732	MSSCF32.exe	115
PID 1732 wrote to memory of 1872	1732	MSSCF32.exe	115
PID 1732 wrote to memory of 1340	1732	MSSCF32.exe	116
PID 1732 wrote to memory of 1340	1732	MSSCF32.exe	116
PID 1732 wrote to memory of 1340	1732	MSSCF32.exe	116
PID 1872 wrote to memory of 2500	1872	MSSCF32.exe	117
PID 1872 wrote to memory of 2500	1872	MSSCF32.exe	117
PID 1872 wrote to memory of 2500	1872	MSSCF32.exe	117
PID 1872 wrote to memory of 2040	1872	MSSCF32.exe	118
PID 1872 wrote to memory of 2040	1872	MSSCF32.exe	118
PID 1872 wrote to memory of 2040	1872	MSSCF32.exe	118

C:\Users\Admin\AppData\Local\Temp\b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\MSSCF32.exe
  C:\Windows\system32\MSSCF32.exe 1180 "C:\Users\Admin\AppData\Local\Temp\b2ef11a82e287e6f0bf3fe57274adf11_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\MSSCF32.exe
    C:\Windows\system32\MSSCF32.exe 1136 "C:\Windows\SysWOW64\MSSCF32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\MSSCF32.exe
      C:\Windows\system32\MSSCF32.exe 1104 "C:\Windows\SysWOW64\MSSCF32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1108 "C:\Windows\SysWOW64\MSSCF32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1112 "C:\Windows\SysWOW64\MSSCF32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1116 "C:\Windows\SysWOW64\MSSCF32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1100 "C:\Windows\SysWOW64\MSSCF32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1124 "C:\Windows\SysWOW64\MSSCF32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 1120 "C:\Windows\SysWOW64\MSSCF32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\MSSCF32.exe
        
        C:\Windows\system32\MSSCF32.exe 992 "C:\Windows\SysWOW64\MSSCF32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        11⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        10⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        9⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        8⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        7⤵
        Executes dropped EXE
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        6⤵
        Executes dropped EXE
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
        5⤵
        Executes dropped EXE
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
      "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
      4⤵
      Executes dropped EXE
      PID:4480
- - C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
    "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
    3⤵
    - Executes dropped EXE
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
  "C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe

Filesize
3KB

MD5
7152446fd31220dd1038b6f7d95ab8a3

SHA1
355b3bfae2ff8bf09a040834adae611f85820b02

SHA256
ff09e05ee41167c091d35664a44a4af4dd0790fe3f71994a5063f23ca3746a02

SHA512
daa5a6f68231bac1a8ac4f6edfac53e85ccd3c4fbc6a1b6c0e9f63f6f7f34f5051e1fe7e4372b1154638b654d7fdc7ed6d6eec26ba967c11224d7f4b525231be

Download Submit
C:\Windows\SysWOW64\MSSCF32.exe

Filesize
153KB

MD5
b2ef11a82e287e6f0bf3fe57274adf11

SHA1
ed77b9ee297d71fae61ebeb98120dc52c6bdf54b

SHA256
dcebf9ef50cb79f0686dacaa02f1a9ed34316f23dcd9630e57b78d91459a1811

SHA512
b7fe00919bb55d0d3f370b413091cdbe7d2a7058d3de77887f6c3e499e153374de15d40548acb88f5e76f2bdca85be3a7a8a467d7aed9fb16628bb9e124839a0

Download Submit
memory/1472-45-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1472-39-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1732-66-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1732-60-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1872-73-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1872-67-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2088-32-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2088-38-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2500-74-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2568-24-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2568-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3192-17-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3192-12-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3588-46-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3588-52-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4144-53-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4144-59-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4644-31-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4644-25-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4884-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4884-11-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download