metasploit | abfe3fffb949e07b2fb651c5370764f0084f4f3a041528ec661f84e0f0e53652

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe
Size

34KB
MD5

dd54f9f03a5b41d9b52637d0128c1829
SHA1

8e88facfef924f410ad393e25b3b29028475b7f2
SHA256

abfe3fffb949e07b2fb651c5370764f0084f4f3a041528ec661f84e0f0e53652
SHA512

cc5b9d4aff16c4e9e5ea99d85584f8c26f096c27f8a76b4f21f28f4d85fad7e8af7cae267df0d9c89d22edbf2285f8e76d858d4a311397c58aa60d880fa3a999
SSDEEP

384:wpTNtkA/4CrIlbwGiJUyaTwz8akIDvwL5aFL9yakCt1+Ggzlu4keWoGzKjuGcvAi:MT7kA/FIlbkJzDvs5e04qzfk3yjbk

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	1820	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2500	1820	dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2500	1820	dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2500	1820	dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe	31
PID 1820 wrote to memory of 2500	1820	dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd54f9f03a5b41d9b52637d0128c1829_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 52
  2⤵
  - Program crash
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download