metasploit | 73be46a3d3b65fb6a46399dd8bf31e82090716855f784856bf5033990c356ea9

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
Size

9.7MB
MD5

18bd01d1e1ff0e94f41946332d59dbad
SHA1

62e8d7c975d1ec895af6cbc725e1eb9c5e5ee069
SHA256

73be46a3d3b65fb6a46399dd8bf31e82090716855f784856bf5033990c356ea9
SHA512

ecbf831a6f8dfc01257f138363cd265ab1c907b88b891902b14dac9d5474e3160b9496993484660fcf0b9853cbb73e21c249786c973217284a48ea3fcd3f8ff1
SSDEEP

12288:ZLN4dRboHyLnc8Qfy8n8sTVQlr2UqOsl539wjZ:ZLN4vQq8ndVQUUqOsl539wjZ

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 8 IoCs

Processes:

msupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exe

pid process

2384 msupd.exe
2692 msupd.exe
2176 msupd.exe
756 msupd.exe
2316 msupd.exe
2928 msupd.exe
484 msupd.exe
1576 msupd.exe

pid	process
2384	msupd.exe
2692	msupd.exe
2176	msupd.exe
756	msupd.exe
2316	msupd.exe
2928	msupd.exe
484	msupd.exe
1576	msupd.exe

Loads dropped DLL 16 IoCs

Processes:

18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exe

pid	process
2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
2384	msupd.exe
2384	msupd.exe
2692	msupd.exe
2692	msupd.exe
2176	msupd.exe
2176	msupd.exe
756	msupd.exe
756	msupd.exe
2316	msupd.exe
2316	msupd.exe
2928	msupd.exe
2928	msupd.exe
484	msupd.exe
484	msupd.exe

Drops file in System32 directory 18 IoCs

Processes:

msupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exe18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File created	C:\Windows\SysWOW64\msupd.exe	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe
File opened for modification	C:\Windows\SysWOW64\msupd.exe	msupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exemsupd.exe

description	pid	process	target process
PID 2132 wrote to memory of 2384	2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe	msupd.exe
PID 2132 wrote to memory of 2384	2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe	msupd.exe
PID 2132 wrote to memory of 2384	2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe	msupd.exe
PID 2132 wrote to memory of 2384	2132	18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe	msupd.exe
PID 2384 wrote to memory of 2692	2384	msupd.exe	msupd.exe
PID 2384 wrote to memory of 2692	2384	msupd.exe	msupd.exe
PID 2384 wrote to memory of 2692	2384	msupd.exe	msupd.exe
PID 2384 wrote to memory of 2692	2384	msupd.exe	msupd.exe
PID 2692 wrote to memory of 2176	2692	msupd.exe	msupd.exe
PID 2692 wrote to memory of 2176	2692	msupd.exe	msupd.exe
PID 2692 wrote to memory of 2176	2692	msupd.exe	msupd.exe
PID 2692 wrote to memory of 2176	2692	msupd.exe	msupd.exe
PID 2176 wrote to memory of 756	2176	msupd.exe	msupd.exe
PID 2176 wrote to memory of 756	2176	msupd.exe	msupd.exe
PID 2176 wrote to memory of 756	2176	msupd.exe	msupd.exe
PID 2176 wrote to memory of 756	2176	msupd.exe	msupd.exe
PID 756 wrote to memory of 2316	756	msupd.exe	msupd.exe
PID 756 wrote to memory of 2316	756	msupd.exe	msupd.exe
PID 756 wrote to memory of 2316	756	msupd.exe	msupd.exe
PID 756 wrote to memory of 2316	756	msupd.exe	msupd.exe
PID 2316 wrote to memory of 2928	2316	msupd.exe	msupd.exe
PID 2316 wrote to memory of 2928	2316	msupd.exe	msupd.exe
PID 2316 wrote to memory of 2928	2316	msupd.exe	msupd.exe
PID 2316 wrote to memory of 2928	2316	msupd.exe	msupd.exe
PID 2928 wrote to memory of 484	2928	msupd.exe	msupd.exe
PID 2928 wrote to memory of 484	2928	msupd.exe	msupd.exe
PID 2928 wrote to memory of 484	2928	msupd.exe	msupd.exe
PID 2928 wrote to memory of 484	2928	msupd.exe	msupd.exe
PID 484 wrote to memory of 1576	484	msupd.exe	msupd.exe
PID 484 wrote to memory of 1576	484	msupd.exe	msupd.exe
PID 484 wrote to memory of 1576	484	msupd.exe	msupd.exe
PID 484 wrote to memory of 1576	484	msupd.exe	msupd.exe

C:\Users\Admin\AppData\Local\Temp\18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 616 "C:\Users\Admin\AppData\Local\Temp\18bd01d1e1ff0e94f41946332d59dbad_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 652 "C:\Windows\SysWOW64\msupd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 656 "C:\Windows\SysWOW64\msupd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 660 "C:\Windows\SysWOW64\msupd.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 664 "C:\Windows\SysWOW64\msupd.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 668 "C:\Windows\SysWOW64\msupd.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 672 "C:\Windows\SysWOW64\msupd.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\msupd.exe
C:\Windows\system32\msupd.exe 676 "C:\Windows\SysWOW64\msupd.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\msupd.exe
Filesize
9.7MB

MD5
18bd01d1e1ff0e94f41946332d59dbad

SHA1
62e8d7c975d1ec895af6cbc725e1eb9c5e5ee069

SHA256
73be46a3d3b65fb6a46399dd8bf31e82090716855f784856bf5033990c356ea9

SHA512
ecbf831a6f8dfc01257f138363cd265ab1c907b88b891902b14dac9d5474e3160b9496993484660fcf0b9853cbb73e21c249786c973217284a48ea3fcd3f8ff1

Download Submit
memory/2132-0-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2132-1-0x0000000002850000-0x0000000002960000-memory.dmp

Filesize
1.1MB

Download
memory/2132-6-0x00000000047D0000-0x0000000005184000-memory.dmp

Filesize
9.7MB

Download
memory/2132-13-0x00000000047D0000-0x0000000005184000-memory.dmp

Filesize
9.7MB

Download
memory/2132-16-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2176-35-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2176-30-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2384-18-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2384-22-0x00000000047A0000-0x0000000005154000-memory.dmp

Filesize
9.7MB

Download
memory/2384-24-0x0000000002760000-0x0000000002870000-memory.dmp

Filesize
1.1MB

Download
memory/2384-25-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2384-14-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2384-15-0x0000000002760000-0x0000000002870000-memory.dmp

Filesize
1.1MB

Download
memory/2692-23-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2692-29-0x0000000004840000-0x00000000051F4000-memory.dmp

Filesize
9.7MB

Download
memory/2692-31-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads