metasploit | 2e23ed0d7f505401da9928cd481478fe72a751a99fbf46d7abfe92f032a407de

Analysis

max time kernel
147s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe
Size

286KB
MD5

f150fb7c56ae8edefd0a81539d661c4f
SHA1

c1c364da21f8b532cc52b2f7abc4d4099fa09938
SHA256

2e23ed0d7f505401da9928cd481478fe72a751a99fbf46d7abfe92f032a407de
SHA512

95aa74b0c886dd146c42313abb3a285d25eb1e0c3c6c3141a8feaf979e9ffa2a79588260f6fb6598a9ca442aba90620b1ae87f5d1f18c77a8f99773e53934a59
SSDEEP

3072:l2ulHM8xeHFGBlZXQ8AxHCe8qKViO7OaZpOBF7mB5Kvwz3z+radXg2yBrojcCyTG:l2MeMBlZXpUHLO7OGCdU8Iz3z5obd8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
980	wingate32.exe
2904	wingate32.exe
2988	wingate32.exe
4464	wingate32.exe
3412	wingate32.exe
1692	wingate32.exe
3264	wingate32.exe
4304	wingate32.exe
2484	wingate32.exe
3476	wingate32.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File opened for modification	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe
File created	C:\Windows\SysWOW64\wingate32.exe	wingate32.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingate32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 980	3304	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe	83
PID 3304 wrote to memory of 980	3304	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe	83
PID 3304 wrote to memory of 980	3304	f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe	83
PID 980 wrote to memory of 2904	980	wingate32.exe	85
PID 980 wrote to memory of 2904	980	wingate32.exe	85
PID 980 wrote to memory of 2904	980	wingate32.exe	85
PID 2904 wrote to memory of 2988	2904	wingate32.exe	101
PID 2904 wrote to memory of 2988	2904	wingate32.exe	101
PID 2904 wrote to memory of 2988	2904	wingate32.exe	101
PID 2988 wrote to memory of 4464	2988	wingate32.exe	103
PID 2988 wrote to memory of 4464	2988	wingate32.exe	103
PID 2988 wrote to memory of 4464	2988	wingate32.exe	103
PID 4464 wrote to memory of 3412	4464	wingate32.exe	104
PID 4464 wrote to memory of 3412	4464	wingate32.exe	104
PID 4464 wrote to memory of 3412	4464	wingate32.exe	104
PID 3412 wrote to memory of 1692	3412	wingate32.exe	105
PID 3412 wrote to memory of 1692	3412	wingate32.exe	105
PID 3412 wrote to memory of 1692	3412	wingate32.exe	105
PID 1692 wrote to memory of 3264	1692	wingate32.exe	106
PID 1692 wrote to memory of 3264	1692	wingate32.exe	106
PID 1692 wrote to memory of 3264	1692	wingate32.exe	106
PID 3264 wrote to memory of 4304	3264	wingate32.exe	107
PID 3264 wrote to memory of 4304	3264	wingate32.exe	107
PID 3264 wrote to memory of 4304	3264	wingate32.exe	107
PID 4304 wrote to memory of 2484	4304	wingate32.exe	108
PID 4304 wrote to memory of 2484	4304	wingate32.exe	108
PID 4304 wrote to memory of 2484	4304	wingate32.exe	108
PID 2484 wrote to memory of 3476	2484	wingate32.exe	109
PID 2484 wrote to memory of 3476	2484	wingate32.exe	109
PID 2484 wrote to memory of 3476	2484	wingate32.exe	109

C:\Users\Admin\AppData\Local\Temp\f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\wingate32.exe
  C:\Windows\system32\wingate32.exe 1160 "C:\Users\Admin\AppData\Local\Temp\f150fb7c56ae8edefd0a81539d661c4f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\wingate32.exe
    C:\Windows\system32\wingate32.exe 1132 "C:\Windows\SysWOW64\wingate32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\wingate32.exe
      C:\Windows\system32\wingate32.exe 1140 "C:\Windows\SysWOW64\wingate32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1004 "C:\Windows\SysWOW64\wingate32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1144 "C:\Windows\SysWOW64\wingate32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1148 "C:\Windows\SysWOW64\wingate32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1164 "C:\Windows\SysWOW64\wingate32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1152 "C:\Windows\SysWOW64\wingate32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1108 "C:\Windows\SysWOW64\wingate32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\wingate32.exe
        
        C:\Windows\system32\wingate32.exe 1120 "C:\Windows\SysWOW64\wingate32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wingate32.exe

Filesize
286KB

MD5
f150fb7c56ae8edefd0a81539d661c4f

SHA1
c1c364da21f8b532cc52b2f7abc4d4099fa09938

SHA256
2e23ed0d7f505401da9928cd481478fe72a751a99fbf46d7abfe92f032a407de

SHA512
95aa74b0c886dd146c42313abb3a285d25eb1e0c3c6c3141a8feaf979e9ffa2a79588260f6fb6598a9ca442aba90620b1ae87f5d1f18c77a8f99773e53934a59

Download Submit
memory/980-8-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/980-11-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/980-15-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1692-33-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1692-31-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2484-43-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2484-41-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2904-19-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2904-16-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2988-20-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2988-22-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3264-34-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3264-36-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3304-0-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3304-10-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3304-1-0x0000000000401000-0x000000000043D000-memory.dmp

Filesize
240KB

Download
memory/3412-27-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3412-30-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3476-44-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4304-37-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4304-40-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4464-26-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4464-23-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download