metasploit | 062d3b9e6fe74d35bdef0c5cfbd3297c5e513585e1985d7a831a1762fc3fc021 | Triage

Sharing

General

Target

c6121682f0df6ec10c470fbc4d65bf48_JaffaCakes118
Size

151KB
Sample

241205-fxca2swncj
MD5

c6121682f0df6ec10c470fbc4d65bf48
SHA1

83a8cf58ed6937380bcac160202becd148d6bef2
SHA256

062d3b9e6fe74d35bdef0c5cfbd3297c5e513585e1985d7a831a1762fc3fc021
SHA512

0f3395c25cb76971c193857a05fa885ff4b8ff4d197ff28319daf440ca258e066c098d4b8227af4a8f3620387d179c0c668e16dfeab80f9f1ea3f55d7bb880cd
SSDEEP

3072:Z9Cg/6nVnE/HxE9hWtZrm6N+z6pG9IIupTjuWC/g3WMCvPajGmg2rSi6c:Z9Cg/6nVnMxSQG7z6AWIupTj19CvmX

Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  c6121682f0df6ec10c470fbc4d65bf48_JaffaCakes118
- Size
  
  151KB
- MD5
  
  c6121682f0df6ec10c470fbc4d65bf48
- SHA1
  
  83a8cf58ed6937380bcac160202becd148d6bef2
- SHA256
  
  062d3b9e6fe74d35bdef0c5cfbd3297c5e513585e1985d7a831a1762fc3fc021
- SHA512
  
  0f3395c25cb76971c193857a05fa885ff4b8ff4d197ff28319daf440ca258e066c098d4b8227af4a8f3620387d179c0c668e16dfeab80f9f1ea3f55d7bb880cd
- SSDEEP
  
  3072:Z9Cg/6nVnE/HxE9hWtZrm6N+z6pG9IIupTjuWC/g3WMCvPajGmg2rSi6c:Z9Cg/6nVnMxSQG7z6AWIupTj19CvmX
Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Deletes itself
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan