metasploit | 3574fd49d0ac8209f233a79dd47045d3e620dffb2317c02fa51be736b25c7f2d

General

Target

e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
Size

5.9MB
MD5

e2f0f7a08657106ea63eefd7af3a8e66
SHA1

db468caa90a04d124ea093d8123228f9e987a759
SHA256

3574fd49d0ac8209f233a79dd47045d3e620dffb2317c02fa51be736b25c7f2d
SHA512

2fe06fae338223642acd9e62cfe1592a0390343187cacc7ae69881684ed57ef134fca27441a3421e0e9c5e4796691fb6e686dd123a1b62d4462acc892128e47a
SSDEEP

768:E0OTUQP3nNzcxYBSlWXYtmVY0sxYp3hXP:E0OAc3FcxBsdVdsyBhXP

Score

10^/10

metasploit backdoor defense_evasion discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svhost.exe
File created	C:\Windows\SysWOW64\drivers\sysdrv32.sys	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	svhost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SVCWINSPOOL\ = "Service"	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SVCWINSPOOL	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\system\\svhost.exe"	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\svhost.exe	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
File created	C:\Windows\system\svhost.exe	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2808	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2808	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2808	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2808	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2740	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2740	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2740	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2740	2956	e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2f0f7a08657106ea63eefd7af3a8e66_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system\svhost.exe
  "C:\Windows\system\svhost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E2F0F7~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Safe Mode Boot

1

T1562.009

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\system\svhost.exe

Filesize
5.9MB

MD5
e2f0f7a08657106ea63eefd7af3a8e66

SHA1
db468caa90a04d124ea093d8123228f9e987a759

SHA256
3574fd49d0ac8209f233a79dd47045d3e620dffb2317c02fa51be736b25c7f2d

SHA512
2fe06fae338223642acd9e62cfe1592a0390343187cacc7ae69881684ed57ef134fca27441a3421e0e9c5e4796691fb6e686dd123a1b62d4462acc892128e47a

Download Submit
memory/2808-11-0x00000000299F0000-0x0000000029FD5000-memory.dmp

Filesize
5.9MB

Download
memory/2808-16-0x00000000299F0000-0x0000000029FD5000-memory.dmp

Filesize
5.9MB

Download
memory/2956-0-0x00000000299F0000-0x0000000029FD5000-memory.dmp

Filesize
5.9MB

Download
memory/2956-9-0x0000000002130000-0x0000000002715000-memory.dmp

Filesize
5.9MB

Download
memory/2956-15-0x00000000299F0000-0x0000000029FD5000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads