metasploit | b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1

General

Target

JaffaCakes118_b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1.ps1
Size

734KB
MD5

ad0871c1aa964d2617379e8424091e83
SHA1

0da34d9fc8f474dcc0c871c7626fa6ffa350250a
SHA256

b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1
SHA512

b6a44495ff96ac032a48a497c6d63d69f2393eef666751f3ac0ec8024d37155ff4f0f1ede906a5c3299d2d7f369a25912606e7c3a4019f70727944689fe85a77
SSDEEP

12288:1/wxxwwHubxxwxx8xxwWxIwwwwwwwLxxewxwxxwSwAxxxwwwwwwwwwwwwwbxtwwI:fFWGyBpLepNnnWJ

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3060	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 744	3060	powershell.exe	84
PID 3060 wrote to memory of 744	3060	powershell.exe	84
PID 744 wrote to memory of 5084	744	csc.exe	85
PID 744 wrote to memory of 5084	744	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y1kbt20i\y1kbt20i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp" "c:\Users\Admin\AppData\Local\Temp\y1kbt20i\CSC4318AF76B1DE4A3A8C505F43791378B.TMP"
    3⤵
    PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp

Filesize
1KB

MD5
3a04384ab1e69f730e0e1eacd4f3075d

SHA1
ff1e52d9363095e0d6e2e5b65673d1185fa002e3

SHA256
8ba5242866b4746574efa4a57231453d22782b828395ca52bca4c57f7d4dbcfd

SHA512
3f7f2a4d7e081b93354426b6854e4978a91a6c27934b7f07015f6057ea941c3b55131d34e4632d00418137c68191ff13be84d5ef2c1ce29a583dcc6acbd1c851

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtcn3xe1.qbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\y1kbt20i\y1kbt20i.dll

Filesize
3KB

MD5
d6f3695c74376a18be23965b45681e17

SHA1
925f91f2a58e0a4f3bd4bf5cb2e84d4c05f55b26

SHA256
ad55d2b4011b628ade8845b39edca0672a6d80a62413f69f328e0c7e6be502dd

SHA512
74bbdc9f8b0dc3bba3048ea30f896b9007577abf1206f307207265ed651214ee1c4249dc80eb1882b703f5c1c9b3d476ec9e89f78791c6f96f4d7b17c5774708

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1kbt20i\CSC4318AF76B1DE4A3A8C505F43791378B.TMP

Filesize
652B

MD5
bffcc8bd9147b33eb35b193622a52ab5

SHA1
5d9ee91b268e970dc3b2177873965edb464f1cee

SHA256
46ac98130df35cba70a23a8c36cca33582fe21e7a43303f2a2edbd9eca01768c

SHA512
9ff45670d37a4aa5798ca62c4695152720ebccc36a8a39dc3161c7c566c1bc0d7317beef9709564f954debe685995125e189be4c328315fd7f78f7552ca0c016

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1kbt20i\y1kbt20i.0.cs

Filesize
766B

MD5
55849ed53c1f40026d13055936ebf200

SHA1
c1f3dc4dde4619f6aa72ec1f4ab9e4595c2e7b57

SHA256
37f921e7eb12a6f30ddf45670e5edfd06e9796d57d6566bddbfc0b328f9a86c9

SHA512
b689e2f07eb8695f41bd1411218087c1e2e4a00484c981df99da1148d95b14fc24c831a7c06e107a0b5c7a4d35cd52c670e495d08eee4b9864e2e2686b819bc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y1kbt20i\y1kbt20i.cmdline

Filesize
369B

MD5
8642b79e787046a8b092be330f622c46

SHA1
d04079c7efac71abd0b483bbee1e6a52a042983e

SHA256
1b61c49eb1d2c4e4f44eff39ec81ad9cfdfd8b1401dad8ec9947620108912a18

SHA512
2889cfd1e8c36c0fd9f46621af98e8c0e03b528c66dc5e6a7a99bd64b696f53ed09505d94304a1129a1ba8b054b1077287570b1d504b3784961960fddbf45b0a

Download Submit
memory/3060-11-0x00007FFE72330000-0x00007FFE72DF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-12-0x00007FFE72330000-0x00007FFE72DF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-0-0x00007FFE72333000-0x00007FFE72335000-memory.dmp

Filesize
8KB

Download
memory/3060-25-0x0000026EA5070000-0x0000026EA5078000-memory.dmp

Filesize
32KB

Download
memory/3060-6-0x0000026EBD5E0000-0x0000026EBD602000-memory.dmp

Filesize
136KB

Download
memory/3060-27-0x00007FFE72330000-0x00007FFE72DF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-28-0x0000026EBD5C0000-0x0000026EBD5C1000-memory.dmp

Filesize
4KB

Download
memory/3060-29-0x00007FFE72330000-0x00007FFE72DF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-31-0x00007FFE72330000-0x00007FFE72DF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing