metasploit | 1e3ef83406a2e352a1fa26f318d6bd208d93a115b392c3a2e79a7caaab2f91d7

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
Size

326KB
MD5

bf19fec7f8810c0ddb23cba97afa7e77
SHA1

42ae94f6004ba042951f0e26a6282b78df857df3
SHA256

1e3ef83406a2e352a1fa26f318d6bd208d93a115b392c3a2e79a7caaab2f91d7
SHA512

87ad2135faed1db18b96c61c11af8cec82006c5dc59d22fdb012b4d4e534266849509eec5d589906f8197d21dae752e7d3830ded64ef6144dabb6e284ee2d6fd
SSDEEP

6144:9lAauzvsND84HrYDIc6BkWEYD62hL2zv9CBaIFKC7vmVF7FglO4N:9TuzkNmMRBnD628xFIvwK

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 12 IoCs

pid	Process
2320	kernnel.exe
2776	kernnel.exe
2540	kernnel.exe
2768	kernnel.exe
680	kernnel.exe
1848	kernnel.exe
2604	kernnel.exe
2828	kernnel.exe
3064	kernnel.exe
2200	kernnel.exe
1112	kernnel.exe
972	kernnel.exe

Loads dropped DLL 12 IoCs

pid	Process
2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
2776	kernnel.exe
2776	kernnel.exe
2768	kernnel.exe
2768	kernnel.exe
1848	kernnel.exe
1848	kernnel.exe
2828	kernnel.exe
2828	kernnel.exe
2200	kernnel.exe
2200	kernnel.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File created	C:\Windows\SysWOW64\kernnel.exe	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File opened for modification	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe
File created	C:\Windows\SysWOW64\kernnel.exe	kernnel.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2320 set thread context of 2776	2320	kernnel.exe	33
PID 2540 set thread context of 2768	2540	kernnel.exe	35
PID 680 set thread context of 1848	680	kernnel.exe	37
PID 2604 set thread context of 2828	2604	kernnel.exe	39
PID 3064 set thread context of 2200	3064	kernnel.exe	41
PID 1112 set thread context of 972	1112	kernnel.exe	43

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kernnel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2600 wrote to memory of 2316	2600	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2320	2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2320	2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2320	2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2320	2316	bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2320 wrote to memory of 2776	2320	kernnel.exe	33
PID 2776 wrote to memory of 2540	2776	kernnel.exe	34
PID 2776 wrote to memory of 2540	2776	kernnel.exe	34
PID 2776 wrote to memory of 2540	2776	kernnel.exe	34
PID 2776 wrote to memory of 2540	2776	kernnel.exe	34
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2540 wrote to memory of 2768	2540	kernnel.exe	35
PID 2768 wrote to memory of 680	2768	kernnel.exe	36
PID 2768 wrote to memory of 680	2768	kernnel.exe	36
PID 2768 wrote to memory of 680	2768	kernnel.exe	36
PID 2768 wrote to memory of 680	2768	kernnel.exe	36
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 680 wrote to memory of 1848	680	kernnel.exe	37
PID 1848 wrote to memory of 2604	1848	kernnel.exe	38
PID 1848 wrote to memory of 2604	1848	kernnel.exe	38
PID 1848 wrote to memory of 2604	1848	kernnel.exe	38
PID 1848 wrote to memory of 2604	1848	kernnel.exe	38
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2604 wrote to memory of 2828	2604	kernnel.exe	39
PID 2828 wrote to memory of 3064	2828	kernnel.exe	40
PID 2828 wrote to memory of 3064	2828	kernnel.exe	40
PID 2828 wrote to memory of 3064	2828	kernnel.exe	40
PID 2828 wrote to memory of 3064	2828	kernnel.exe	40
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 3064 wrote to memory of 2200	3064	kernnel.exe	41
PID 2200 wrote to memory of 1112	2200	kernnel.exe	42
PID 2200 wrote to memory of 1112	2200	kernnel.exe	42
PID 2200 wrote to memory of 1112	2200	kernnel.exe	42
PID 2200 wrote to memory of 1112	2200	kernnel.exe	42
PID 1112 wrote to memory of 972	1112	kernnel.exe	43
PID 1112 wrote to memory of 972	1112	kernnel.exe	43
PID 1112 wrote to memory of 972	1112	kernnel.exe	43
PID 1112 wrote to memory of 972	1112	kernnel.exe	43

C:\Users\Admin\AppData\Local\Temp\bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\kernnel.exe
    C:\Windows\system32\kernnel.exe 496 "C:\Users\Admin\AppData\Local\Temp\bf19fec7f8810c0ddb23cba97afa7e77_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\kernnel.exe
      C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\system32\kernnel.exe 532 "C:\Windows\SysWOW64\kernnel.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\system32\kernnel.exe 536 "C:\Windows\SysWOW64\kernnel.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\system32\kernnel.exe 528 "C:\Windows\SysWOW64\kernnel.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\system32\kernnel.exe 528 "C:\Windows\SysWOW64\kernnel.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\system32\kernnel.exe 524 "C:\Windows\SysWOW64\kernnel.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\kernnel.exe
        
        C:\Windows\SysWOW64\kernnel.exe C:\Documents and Settings\Admin.PAL\Desktop\__setup.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\kernnel.exe

Filesize
326KB

MD5
bf19fec7f8810c0ddb23cba97afa7e77

SHA1
42ae94f6004ba042951f0e26a6282b78df857df3

SHA256
1e3ef83406a2e352a1fa26f318d6bd208d93a115b392c3a2e79a7caaab2f91d7

SHA512
87ad2135faed1db18b96c61c11af8cec82006c5dc59d22fdb012b4d4e534266849509eec5d589906f8197d21dae752e7d3830ded64ef6144dabb6e284ee2d6fd

Download Submit
memory/680-48-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/1112-78-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2316-7-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2316-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2316-6-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2316-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2316-18-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2316-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-25-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2540-37-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2600-5-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2604-57-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download
memory/2776-28-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2776-29-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3064-67-0x0000000010000000-0x000000001005C000-memory.dmp

Filesize
368KB

Download