metasploit | 076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411

Analysis

max time kernel
73s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe
Size

2.5MB
MD5

4c0c3dd4ab8d557729c5bf4d38fa03bd
SHA1

d4c1abee2d4dc6bb0bd457a1630c0282ba9c641e
SHA256

076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411
SHA512

b1f2854f9a98eabf0dbf5194799a75603d101a1813a0e302697f7bdeb13ea6dd624086a73f2d2aa8d70909be29d968f9d32b8b0725108537573025e85be0ae22
SSDEEP

49152:NUadRV4/3dgccsKxJ5nj6GipJGDK0pmy5OqQqkOgz/ZH2SSeJa:SC6gccsK75njbWGDZmmR0ESrA

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.0.153:4444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x000000013F090000-0x000000013F395000-memory.dmp	upx
behavioral1/memory/1736-1-0x000000013F090000-0x000000013F395000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2596	1736	JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe	31
PID 1736 wrote to memory of 2596	1736	JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe	31
PID 1736 wrote to memory of 2596	1736	JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_076b94a0b653e5c2d074d2014c6d3f0adf575f22b997e12d3a767aa4fbfac411.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1736 -s 40
  2⤵
  PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-0-0x000000013F090000-0x000000013F395000-memory.dmp

Filesize
3.0MB

Download
memory/1736-1-0x000000013F090000-0x000000013F395000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads