metasploit | e1d20275cba70c2ea30ac11d76c96197ac5bcf192c85b9986ca3b496eb79caf5

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
Size

246KB
MD5

dc92ff4f166d38b6abeac80b5cc9af9c
SHA1

5afa2679d052c95f216f23815d683e3eb54abb09
SHA256

e1d20275cba70c2ea30ac11d76c96197ac5bcf192c85b9986ca3b496eb79caf5
SHA512

cace0022a05005531378d5f26ff1003fa543a301e63f053fcd756ab59dbf77798b0d149d2292b0f240b5a693ca94fabdb421f2a5fdb0c57383bd79887eab60bc
SSDEEP

6144:shvcSsx+K+v1AwmkRXcaSacztIvPAAivpmU0b6:sBZs0KYAwXcWscobvpx0

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2116	msnlive.exe
2704	msnlive.exe
1688	msnlive.exe
2024	msnlive.exe
2156	msnlive.exe
2732	msnlive.exe
1268	msnlive.exe
2244	msnlive.exe
920	msnlive.exe
300	msnlive.exe

Loads dropped DLL 20 IoCs

pid	Process
2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
2116	msnlive.exe
2116	msnlive.exe
2704	msnlive.exe
2704	msnlive.exe
1688	msnlive.exe
1688	msnlive.exe
2024	msnlive.exe
2024	msnlive.exe
2156	msnlive.exe
2156	msnlive.exe
2732	msnlive.exe
2732	msnlive.exe
1268	msnlive.exe
1268	msnlive.exe
2244	msnlive.exe
2244	msnlive.exe
920	msnlive.exe
920	msnlive.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File opened for modification	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe
File created	C:\Windows\SysWOW64\msnlive.exe	msnlive.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnlive.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2116	2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2116	2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2116	2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2116	2944	dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2704	2116	msnlive.exe	31
PID 2116 wrote to memory of 2704	2116	msnlive.exe	31
PID 2116 wrote to memory of 2704	2116	msnlive.exe	31
PID 2116 wrote to memory of 2704	2116	msnlive.exe	31
PID 2704 wrote to memory of 1688	2704	msnlive.exe	33
PID 2704 wrote to memory of 1688	2704	msnlive.exe	33
PID 2704 wrote to memory of 1688	2704	msnlive.exe	33
PID 2704 wrote to memory of 1688	2704	msnlive.exe	33
PID 1688 wrote to memory of 2024	1688	msnlive.exe	34
PID 1688 wrote to memory of 2024	1688	msnlive.exe	34
PID 1688 wrote to memory of 2024	1688	msnlive.exe	34
PID 1688 wrote to memory of 2024	1688	msnlive.exe	34
PID 2024 wrote to memory of 2156	2024	msnlive.exe	35
PID 2024 wrote to memory of 2156	2024	msnlive.exe	35
PID 2024 wrote to memory of 2156	2024	msnlive.exe	35
PID 2024 wrote to memory of 2156	2024	msnlive.exe	35
PID 2156 wrote to memory of 2732	2156	msnlive.exe	36
PID 2156 wrote to memory of 2732	2156	msnlive.exe	36
PID 2156 wrote to memory of 2732	2156	msnlive.exe	36
PID 2156 wrote to memory of 2732	2156	msnlive.exe	36
PID 2732 wrote to memory of 1268	2732	msnlive.exe	37
PID 2732 wrote to memory of 1268	2732	msnlive.exe	37
PID 2732 wrote to memory of 1268	2732	msnlive.exe	37
PID 2732 wrote to memory of 1268	2732	msnlive.exe	37
PID 1268 wrote to memory of 2244	1268	msnlive.exe	38
PID 1268 wrote to memory of 2244	1268	msnlive.exe	38
PID 1268 wrote to memory of 2244	1268	msnlive.exe	38
PID 1268 wrote to memory of 2244	1268	msnlive.exe	38
PID 2244 wrote to memory of 920	2244	msnlive.exe	39
PID 2244 wrote to memory of 920	2244	msnlive.exe	39
PID 2244 wrote to memory of 920	2244	msnlive.exe	39
PID 2244 wrote to memory of 920	2244	msnlive.exe	39
PID 920 wrote to memory of 300	920	msnlive.exe	40
PID 920 wrote to memory of 300	920	msnlive.exe	40
PID 920 wrote to memory of 300	920	msnlive.exe	40
PID 920 wrote to memory of 300	920	msnlive.exe	40

C:\Users\Admin\AppData\Local\Temp\dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\msnlive.exe
  C:\Windows\system32\msnlive.exe 500 "C:\Users\Admin\AppData\Local\Temp\dc92ff4f166d38b6abeac80b5cc9af9c_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\msnlive.exe
    C:\Windows\system32\msnlive.exe 532 "C:\Windows\SysWOW64\msnlive.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\msnlive.exe
      C:\Windows\system32\msnlive.exe 536 "C:\Windows\SysWOW64\msnlive.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 540 "C:\Windows\SysWOW64\msnlive.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 544 "C:\Windows\SysWOW64\msnlive.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 552 "C:\Windows\SysWOW64\msnlive.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 548 "C:\Windows\SysWOW64\msnlive.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 556 "C:\Windows\SysWOW64\msnlive.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 564 "C:\Windows\SysWOW64\msnlive.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\msnlive.exe
        
        C:\Windows\system32\msnlive.exe 576 "C:\Windows\SysWOW64\msnlive.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msnlive.exe

Filesize
246KB

MD5
dc92ff4f166d38b6abeac80b5cc9af9c

SHA1
5afa2679d052c95f216f23815d683e3eb54abb09

SHA256
e1d20275cba70c2ea30ac11d76c96197ac5bcf192c85b9986ca3b496eb79caf5

SHA512
cace0022a05005531378d5f26ff1003fa543a301e63f053fcd756ab59dbf77798b0d149d2292b0f240b5a693ca94fabdb421f2a5fdb0c57383bd79887eab60bc

Download Submit
memory/300-68-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/920-63-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1268-52-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1688-28-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2024-32-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2024-35-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2116-16-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2116-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2156-41-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2244-57-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2704-20-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2704-23-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2732-45-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2732-47-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2944-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2944-15-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2944-11-0x0000000002A80000-0x0000000002B98000-memory.dmp

Filesize
1.1MB

Download