metasploit | 1012b75cdc2057963f62e04a26d347b9c3c2b83278c98b15c23d4c000b7eec45

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 23:49

Target

bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe
Size

2.6MB
MD5

bfd3c756fb0202d8ef03f975bc4b0db1
SHA1

9408d16579adeb471ac72cb1fc8e80b29d0277be
SHA256

1012b75cdc2057963f62e04a26d347b9c3c2b83278c98b15c23d4c000b7eec45
SHA512

642cb88af9586775d314db17b1dddf2a0f13860b3c753714b04c0be80a45391d11e81180f55de043e31db80962400a567e7e717ea0d8492599d353463a0e6c73
SSDEEP

49152:olSHjDowustHSGKEIYvQigJJhVK0Z0Yd/uVSnky:T0nIxoigJ7c0+VSnky

Score

10^/10

Family

metasploit

Version

encoder/shikata_ga_nai

Family

metasploit

Version

windows/reverse_tcp

10.0.2.15:8080

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1840	2384	bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe	32
PID 2384 wrote to memory of 1840	2384	bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe	32
PID 2384 wrote to memory of 1840	2384	bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfd3c756fb0202d8ef03f975bc4b0db1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2384 -s 36
  2⤵
  PID:1840

memory/2384-0-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download