metasploit | c18b063598dd0f8dcc6634530b451f86974734e0b2d9848708dd51dd4c9367b0

General

Target

JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
Size

244KB
MD5

00fbeef072a47eaf7ce22f393f2b83e0
SHA1

35e397f64579bcc07a973c1be16a89d09c4c537e
SHA256

c18b063598dd0f8dcc6634530b451f86974734e0b2d9848708dd51dd4c9367b0
SHA512

f7a84c31ac03cf3f42174bffcb052f6b4d4f026408765da760d2592b49a0f7e5b8d9a45c927008840f0c788ce14a45b24392b662679aa2bb077de0ca6f5c3364
SSDEEP

3072:KzW+DiC9iLo+GnHo45G3L66ubXuXVbaPfyPW+qjNUZXW02n1/z0nH1QL0md4OSeZ:VKwLo7I7b66urKVbVEeZmrYVxmb5LQu

Score

10^/10

metasploit backdoor discovery persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

59.181.157.182:110

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 2 IoCs

pid	Process
2776	notepad.exe
2848	mspaint2.exe

Loads dropped DLL 5 IoCs

pid	Process
2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
2776	notepad.exe
2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
2848	mspaint2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2776	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	30
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31
PID 2192 wrote to memory of 2848	2192	JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00fbeef072a47eaf7ce22f393f2b83e0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mspaint2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mspaint2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\mspaint2.exe

Filesize
72KB

MD5
0b7fed021e8ab321b3122760c71ab2f6

SHA1
c8cf00ea88b886fa750cffda9751848534737398

SHA256
fc6e543674ac98aeb8fc706560c7664e4e1ca41813035585801e69a247dd12ef

SHA512
f438c8574ba7ab2363c66f4fee3cfad4d995f08022f6df2399f90bd1488fb06d9e630134605212ab4e151ff1c5f763ec1c9d0335ff1c974d35e9bdd9f8eb314e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads