metasploit | 5ed907dbad20604899e87d9da0e41f1a3e87cba9d93533f736d0ef9f28639340

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe
Size

1.7MB
MD5

18a78b322bcc7dfabb02811cadea7967
SHA1

013621a68d0875e1c9c94745a8b945542eb2cf3d
SHA256

5ed907dbad20604899e87d9da0e41f1a3e87cba9d93533f736d0ef9f28639340
SHA512

1c74ede15f601b4a23da73585650f855a9aa704801a6eedf2c13b4c4d407e0420ccdcfad01d09856ba999bbebc5c7434913ce56195393b673d46d3ab067e7f8c
SSDEEP

49152:jG8+5WGKZrb/TMvO90dL3BmAFd4A64nsfJUM/gTR55Ib7gz1:jG5uGvP

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

127.0.0.1:444

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 1 IoCs

pid	Process
2140	go-memexec-2405034160.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	go-memexec-2405034160.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2140	2824	JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe	31
PID 2824 wrote to memory of 2140	2824	JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe	31
PID 2824 wrote to memory of 2140	2824	JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe	31
PID 2824 wrote to memory of 2140	2824	JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_18a78b322bcc7dfabb02811cadea7967.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\go-memexec-2405034160.exe
  C:\Users\Admin\AppData\Local\Temp\go-memexec-2405034160.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\go-memexec-2405034160.exe

Filesize
72KB

MD5
95383025241f374407fa9df4ed3f8b0b

SHA1
24ff2573734655a371dc6f03778a85a4ee60e20b

SHA256
5bf2fd31d3e97d96878a00836dfb36ca45d4cc5e57c568a04a12a2d6313590a9

SHA512
e04fe742d6787825eef4b1ec7e99b0e191144351d0c0600377cbba03ab78f3dc75712ecabe6449b6673e9de3ee467c2e17963ffb8f3cae0a04a75b13cadb1b1d

Download Submit
memory/2140-6-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download