metasploit | 5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204

General

Target

JaffaCakes118_5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204.rtf
Size

161KB
MD5

21d18d229d6774e235ead04adf578217
SHA1

7c48f714185a73eb6f5f791bb5573e0bea4d13ad
SHA256

5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204
SHA512

eb44a7cab05f6c34ace776e29006d5556a6a125155c8be28386933a413fe56129dc5b34a82f60f4e291ee43f03cb15b43b5b6307eb1a11a8b8e2fea8a977da02
SSDEEP

3072:CiNT+ngtCA9t66AM7+Hz1aHWQABS/rvQ9Z:CiNqngcR657+Hz1eWQAkjvQL

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

3.17.7.232:17405

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
2904	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
292	cmd.exe
292	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1988	EQNEDT32.EXE
2428	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2376	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	WINWORD.EXE
2376	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 292	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 292	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 292	2428	EQNEDT32.EXE	32
PID 2428 wrote to memory of 292	2428	EQNEDT32.EXE	32
PID 292 wrote to memory of 2904	292	cmd.exe	35
PID 292 wrote to memory of 2904	292	cmd.exe	35
PID 292 wrote to memory of 2904	292	cmd.exe	35
PID 292 wrote to memory of 2904	292	cmd.exe	35
PID 2376 wrote to memory of 2836	2376	WINWORD.EXE	36
PID 2376 wrote to memory of 2836	2376	WINWORD.EXE	36
PID 2376 wrote to memory of 2836	2376	WINWORD.EXE	36
PID 2376 wrote to memory of 2836	2376	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2836

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:1988

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c%tmp%\svchost.exe AC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe AC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BC58930.wmf

Filesize
316B

MD5
95bb648d6eb9265eeaf0f889731b1e23

SHA1
631d60a024835f4e53ceb9d0a987ce52fe517df4

SHA256
9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c

SHA512
184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
72KB

MD5
f028af90d27f82513bca2ca140435b2a

SHA1
d3725f56a5b3c02db8100e315319ca35b6f200cc

SHA256
22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62

SHA512
0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454

Download Submit
memory/2376-0-0x000000002FF21000-0x000000002FF22000-memory.dmp

Filesize
4KB

Download
memory/2376-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2376-2-0x000000007190D000-0x0000000071918000-memory.dmp

Filesize
44KB

Download
memory/2376-16-0x000000007190D000-0x0000000071918000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing