metasploit | 02e26f24f2a1a4b4fceec0c1e0189bbeee5b780c53bb7fa93cc47e6836b82956

Analysis

max time kernel
127s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
Size

2.9MB
MD5

9a3ef93b621d9309f93f33fb93b7a14d
SHA1

c618101c866bba26bcd2e9b80777887773917cf7
SHA256

02e26f24f2a1a4b4fceec0c1e0189bbeee5b780c53bb7fa93cc47e6836b82956
SHA512

e6a8d8080991cf69d4c546e75c3078aaf2b0e078574a80a28c91b288d2f8f02fcee10b08cb61f604df0a2ed5f93d898c7c73cad49c562a7af88473b8e63fa8af
SSDEEP

49152:otg7ETQsdxxbJI9/ig1GfPpTIsMQzqhwCdxKKTUqZIt7tTt+YsaGGCj/TeDeJQxR:mtdfJNFPpTIs5maKZUga7tMFGNDtNEcd

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Loads dropped DLL 3 IoCs

pid	Process
4932	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
4932	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
4932	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4932	1216	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe	85
PID 1216 wrote to memory of 4932	1216	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe	85
PID 1216 wrote to memory of 4932	1216	2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-19_9a3ef93b621d9309f93f33fb93b7a14d_karagany_mafia.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12162\Crypto.Cipher._DES.pyd

Filesize
53KB

MD5
5be8826aa5ad6886c4a6f06f46f6f95b

SHA1
d55051cf2a2f406e8402fb9123d5b0aacbbbc32d

SHA256
07e039cdb74dc84ef43eb3e03ca1516eaa8995c2e5cde5817a51ba87a1d6946f

SHA512
ac033322f29ad6d60664b847ad611bd80b6f8992ae568c70343bbcdac0af94daf04bb262a0b0548ca6ecad9bdaadd63ee1e4421c28ed000a3a25b9ebb530bfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\_ctypes.pyd

Filesize
85KB

MD5
d0e6bee31c7f2b0de979562ce5f6444f

SHA1
9223853061b067f7af17007067d24ce746917d1d

SHA256
f6fb937147342609a793a1ccb839ad504ec0e7807d072a9ac6eb51ba846e17a9

SHA512
3d64a460178479eec3cd1a65421dafb78b15011fcae472873ab28fb1ecc42482d00b141426874b12beef9247ad6b4afe1bd723d398f37d44316bc1b9c4dba434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12162\python27.dll

Filesize
2.3MB

MD5
df1a706ed563fa3f0b48f427609708f4

SHA1
5c479ffca8a2d71023c2522f54ed3f6f36f88e79

SHA256
5c4f7eb850cb4ebd35c039be7319e2ed05439418884d414001e015c4637585fc

SHA512
8757e27d78291f48237a5b4b15cea26d08d03c8b9ff1ad61c50d890b3e8b62fd0db819959b9c13b3d88ebe3e54ae176fc67d02ffe62c89c577af1866cb238a73

Download Submit
memory/4932-19-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4932-18-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download