metasploit | a4135183ab6542751a8b8f9e527ea68c1e41bce08f85506025dae1c329e786ad

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a4135183ab6542751a8b8f9e527ea68c1e41bce08f85506025dae1c329e786ad.msi
Size

156KB
MD5

b1ff5a52f6e3c537ef1f89bcc2919843
SHA1

fb2fc853a6ebbcfe48c9f1934e64b51416d408c1
SHA256

a4135183ab6542751a8b8f9e527ea68c1e41bce08f85506025dae1c329e786ad
SHA512

071ff588a52de4937ea6e10557c534fd0eb4a7d7eb952677c7d81784bbd57cbca29bb308c4042296637cd51d542d2267a6f95af890e35874512920481b10492e
SSDEEP

1536:Ek7K+T5fUWtIU4Dpgm+9/FSL0r/DAln9XMb+KR0Nc8QsJq3UDj0D:v7K+TJUwIjp1iS8Aln9Xe0Nc8QsC

Score

10^/10

metasploit backdoor discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

52.14.18.129:16935

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{705771E1-8028-4A2A-A93E-7DA02AB734CD}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC4A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cb6e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cb6e.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4428	MSICC4A.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2324	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSICC4A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	msiexec.exe
2312	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	2312	msiexec.exe
Token: SeCreateTokenPrivilege	2324	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2324	msiexec.exe
Token: SeLockMemoryPrivilege	2324	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2324	msiexec.exe
Token: SeMachineAccountPrivilege	2324	msiexec.exe
Token: SeTcbPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeLoadDriverPrivilege	2324	msiexec.exe
Token: SeSystemProfilePrivilege	2324	msiexec.exe
Token: SeSystemtimePrivilege	2324	msiexec.exe
Token: SeProfSingleProcessPrivilege	2324	msiexec.exe
Token: SeIncBasePriorityPrivilege	2324	msiexec.exe
Token: SeCreatePagefilePrivilege	2324	msiexec.exe
Token: SeCreatePermanentPrivilege	2324	msiexec.exe
Token: SeBackupPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeShutdownPrivilege	2324	msiexec.exe
Token: SeDebugPrivilege	2324	msiexec.exe
Token: SeAuditPrivilege	2324	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2324	msiexec.exe
Token: SeChangeNotifyPrivilege	2324	msiexec.exe
Token: SeRemoteShutdownPrivilege	2324	msiexec.exe
Token: SeUndockPrivilege	2324	msiexec.exe
Token: SeSyncAgentPrivilege	2324	msiexec.exe
Token: SeEnableDelegationPrivilege	2324	msiexec.exe
Token: SeManageVolumePrivilege	2324	msiexec.exe
Token: SeImpersonatePrivilege	2324	msiexec.exe
Token: SeCreateGlobalPrivilege	2324	msiexec.exe
Token: SeBackupPrivilege	3776	vssvc.exe
Token: SeRestorePrivilege	3776	vssvc.exe
Token: SeAuditPrivilege	3776	vssvc.exe
Token: SeBackupPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeRestorePrivilege	2312	msiexec.exe
Token: SeTakeOwnershipPrivilege	2312	msiexec.exe
Token: SeBackupPrivilege	3440	srtasks.exe
Token: SeRestorePrivilege	3440	srtasks.exe
Token: SeSecurityPrivilege	3440	srtasks.exe
Token: SeTakeOwnershipPrivilege	3440	srtasks.exe
Token: SeBackupPrivilege	3440	srtasks.exe
Token: SeRestorePrivilege	3440	srtasks.exe
Token: SeSecurityPrivilege	3440	srtasks.exe
Token: SeTakeOwnershipPrivilege	3440	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2324	msiexec.exe
2324	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3440	2312	msiexec.exe	87
PID 2312 wrote to memory of 3440	2312	msiexec.exe	87
PID 2312 wrote to memory of 4428	2312	msiexec.exe	90
PID 2312 wrote to memory of 4428	2312	msiexec.exe	90
PID 2312 wrote to memory of 4428	2312	msiexec.exe	90
PID 2312 wrote to memory of 4840	2312	msiexec.exe	89
PID 2312 wrote to memory of 4840	2312	msiexec.exe	89
PID 2312 wrote to memory of 4840	2312	msiexec.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a4135183ab6542751a8b8f9e527ea68c1e41bce08f85506025dae1c329e786ad.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2324

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A835B9942FEBB0726B3D9CD230F09944
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Windows\Installer\MSICC4A.tmp
  "C:\Windows\Installer\MSICC4A.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSICC4A.tmp

Filesize
124KB

MD5
60039734d27e552a58dd6e983ab73b42

SHA1
1a053b364f73ebdbf1a0947d7a55b72dfed92524

SHA256
4f00243cf76a6d1b75785942f637604acde7e502203fd0365790c585a2c0232c

SHA512
8637e6a255f5cdb12f9c819058d81794bc9f4ab1d2e995375b2d071fab50e9170e6ec7b4bd8be301a8978397c3cf6ca159efc8c916fe445fca8fcfe3107025f7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
b8e145805818c2af3f9f23003960c706

SHA1
40952d3c1b34b106349ad4648e5d32375883ef7e

SHA256
9fbe3ed2453bb3c75ccb38ceec5aace1f43c9ed8ffd3e68bbe040114c662b0d7

SHA512
b67f3ae843c347b709eeb5732f6edea72546bc56f2785a5f65b149ba53f22151406ec9551c5638faf87f378468d6c717ffee2b245c026194f08ed60f1aca7512

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5dea15a9-bbf1-4a98-b3dd-c03d9a3dc146}_OnDiskSnapshotProp

Filesize
6KB

MD5
785f7ae07130df23508e6c51cb300406

SHA1
df7b907c6876d47d634518bef0b5482adafc62af

SHA256
a7652f861d1a8eedf9a39ac13a42e9ddce3592b564169398de9c94744fde14e9

SHA512
966e19d585fabdb8b763bb91d54a7034dfa42778ff6280f7d0fa68f218f5deb23ca1c746c33fdc094a7fd5b13d7934f3c9e682fd3d556a06ad0851cad90becbf

Download Submit