metasploit | 7e86929223da73cf275e38a0257e34bf64c690b6e5700cf1d120a23414c62495

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 04:29

Target

JaffaCakes118_04a853af099364ee614a404ddde343f3.exe
Size

7KB
MD5

04a853af099364ee614a404ddde343f3
SHA1

c9a4dbd8aebff80b98e110310e454e6fb7546c78
SHA256

7e86929223da73cf275e38a0257e34bf64c690b6e5700cf1d120a23414c62495
SHA512

27d5118603e8b44b54e32f1ca0fc8d9428ffb8251403a04bf0694488b9e1cb3adb3d1997e8c15cba7c3d75924876693f2b82a6f3f520b421821f58288df194a0
SSDEEP

96:bz4a48MRZGbWrW60c7SNfBh+MhpYfgFF2cNoNfi+Py5YIo7aio7yHo7Vo7vzNt:bz0eW7n74fBQEhHrNoN6+TIy3HGq

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.50.227:443

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4496	2816	JaffaCakes118_04a853af099364ee614a404ddde343f3.exe	83
PID 2816 wrote to memory of 4496	2816	JaffaCakes118_04a853af099364ee614a404ddde343f3.exe	83
PID 2816 wrote to memory of 4496	2816	JaffaCakes118_04a853af099364ee614a404ddde343f3.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04a853af099364ee614a404ddde343f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04a853af099364ee614a404ddde343f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- \??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe
  2⤵
  PID:4496

memory/2816-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

Filesize
8KB

Download
memory/2816-1-0x000001F4F6990000-0x000001F4F6996000-memory.dmp

Filesize
24KB

Download