metasploit | 599784a3ad4502ab1992ee62b23f5ef87e77bb68965e4de362e8e04a244c2c27

Analysis

max time kernel
137s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
Size

70KB
MD5

fe1332473563e13ed67c105c54cb17e1
SHA1

69accbb16f26724b17c26571e21010cbb08f91a0
SHA256

599784a3ad4502ab1992ee62b23f5ef87e77bb68965e4de362e8e04a244c2c27
SHA512

1e1e627fd7dc5b7a9de671ae27ac968d8249f963a7a7e84261967b8a0b3b442123590070740277261050a9a36a6837dec7b1cbf1bf7e2f08dab7fdeba6fe2885
SSDEEP

1536:EpruGgy7+76iC+s4RhzK3lhIB1pE70ZswU2hjh06DRQN4iDQ0jWG5:8ruGFoC+s44lhY5BU2hjhTCCiDF

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 10 IoCs

pid	Process
2088	mssdh.exe
2744	mssdh.exe
2736	mssdh.exe
492	mssdh.exe
1484	mssdh.exe
2984	mssdh.exe
2456	mssdh.exe
264	mssdh.exe
2580	mssdh.exe
292	mssdh.exe

Loads dropped DLL 20 IoCs

pid	Process
2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
2088	mssdh.exe
2088	mssdh.exe
2744	mssdh.exe
2744	mssdh.exe
2736	mssdh.exe
2736	mssdh.exe
492	mssdh.exe
492	mssdh.exe
1484	mssdh.exe
1484	mssdh.exe
2984	mssdh.exe
2984	mssdh.exe
2456	mssdh.exe
2456	mssdh.exe
264	mssdh.exe
264	mssdh.exe
2580	mssdh.exe
2580	mssdh.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File created	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe
File opened for modification	C:\Windows\SysWOW64\mssdh.exe	mssdh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssdh.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2088	2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2088	2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2088	2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2088	2100	fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2744	2088	mssdh.exe	31
PID 2088 wrote to memory of 2744	2088	mssdh.exe	31
PID 2088 wrote to memory of 2744	2088	mssdh.exe	31
PID 2088 wrote to memory of 2744	2088	mssdh.exe	31
PID 2744 wrote to memory of 2736	2744	mssdh.exe	33
PID 2744 wrote to memory of 2736	2744	mssdh.exe	33
PID 2744 wrote to memory of 2736	2744	mssdh.exe	33
PID 2744 wrote to memory of 2736	2744	mssdh.exe	33
PID 2736 wrote to memory of 492	2736	mssdh.exe	34
PID 2736 wrote to memory of 492	2736	mssdh.exe	34
PID 2736 wrote to memory of 492	2736	mssdh.exe	34
PID 2736 wrote to memory of 492	2736	mssdh.exe	34
PID 492 wrote to memory of 1484	492	mssdh.exe	35
PID 492 wrote to memory of 1484	492	mssdh.exe	35
PID 492 wrote to memory of 1484	492	mssdh.exe	35
PID 492 wrote to memory of 1484	492	mssdh.exe	35
PID 1484 wrote to memory of 2984	1484	mssdh.exe	36
PID 1484 wrote to memory of 2984	1484	mssdh.exe	36
PID 1484 wrote to memory of 2984	1484	mssdh.exe	36
PID 1484 wrote to memory of 2984	1484	mssdh.exe	36
PID 2984 wrote to memory of 2456	2984	mssdh.exe	37
PID 2984 wrote to memory of 2456	2984	mssdh.exe	37
PID 2984 wrote to memory of 2456	2984	mssdh.exe	37
PID 2984 wrote to memory of 2456	2984	mssdh.exe	37
PID 2456 wrote to memory of 264	2456	mssdh.exe	38
PID 2456 wrote to memory of 264	2456	mssdh.exe	38
PID 2456 wrote to memory of 264	2456	mssdh.exe	38
PID 2456 wrote to memory of 264	2456	mssdh.exe	38
PID 264 wrote to memory of 2580	264	mssdh.exe	39
PID 264 wrote to memory of 2580	264	mssdh.exe	39
PID 264 wrote to memory of 2580	264	mssdh.exe	39
PID 264 wrote to memory of 2580	264	mssdh.exe	39
PID 2580 wrote to memory of 292	2580	mssdh.exe	40
PID 2580 wrote to memory of 292	2580	mssdh.exe	40
PID 2580 wrote to memory of 292	2580	mssdh.exe	40
PID 2580 wrote to memory of 292	2580	mssdh.exe	40

C:\Users\Admin\AppData\Local\Temp\fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\mssdh.exe
  C:\Windows\system32\mssdh.exe 476 "C:\Users\Admin\AppData\Local\Temp\fe1332473563e13ed67c105c54cb17e1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\mssdh.exe
    C:\Windows\system32\mssdh.exe 524 "C:\Windows\SysWOW64\mssdh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\mssdh.exe
      C:\Windows\system32\mssdh.exe 528 "C:\Windows\SysWOW64\mssdh.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 532 "C:\Windows\SysWOW64\mssdh.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:492
      - C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 544 "C:\Windows\SysWOW64\mssdh.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 536 "C:\Windows\SysWOW64\mssdh.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 552 "C:\Windows\SysWOW64\mssdh.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 540 "C:\Windows\SysWOW64\mssdh.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 548 "C:\Windows\SysWOW64\mssdh.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\mssdh.exe
        
        C:\Windows\system32\mssdh.exe 560 "C:\Windows\SysWOW64\mssdh.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mssdh.exe

Filesize
70KB

MD5
fe1332473563e13ed67c105c54cb17e1

SHA1
69accbb16f26724b17c26571e21010cbb08f91a0

SHA256
599784a3ad4502ab1992ee62b23f5ef87e77bb68965e4de362e8e04a244c2c27

SHA512
1e1e627fd7dc5b7a9de671ae27ac968d8249f963a7a7e84261967b8a0b3b442123590070740277261050a9a36a6837dec7b1cbf1bf7e2f08dab7fdeba6fe2885

Download Submit
memory/2088-13-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2088-14-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2088-17-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2100-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000493000-0x0000000000495000-memory.dmp

Filesize
8KB

Download
memory/2100-2-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2100-16-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2736-29-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2736-28-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2736-30-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2736-31-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2744-23-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2744-22-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2744-24-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download
memory/2744-21-0x0000000000400000-0x0000000000494EFB-memory.dmp

Filesize
595KB

Download