metasploit | 29c5267bc432eff80ff5496dbb467e33f3094a2d5795fe146fb4ad051d7ed327

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe
Size

256KB
MD5

199363efcdf47c69fe172d113d744d68
SHA1

20780c67d3f26f4a05b11d437b27dd8a18bf1cf3
SHA256

29c5267bc432eff80ff5496dbb467e33f3094a2d5795fe146fb4ad051d7ed327
SHA512

4c4e6856dba5be288e526bdd7348cd174c963dd13235b09c40e383de71e0603b92e3bcd1c2054c24498387cd2d8d3f4510dd98cb719b9d866369a35f7280d591
SSDEEP

6144:v2C2F8NXC796TB9vj481RcOYx3Zmdh3Vxa3NwOiz87:vweVQkTrvj46A3ZG9Vx3O

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

service.exe

pid process

1452 service.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Search Svc = "service.exe" vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe

description pid process target process

PID 2944 set thread context of 2660 2944 199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe vbc.exe
Drops file in Windows directory 2 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Windows\service.exe vbc.exe
File opened for modification C:\Windows\service.exe vbc.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2944 199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe

pid	process
1452	service.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Search Svc = "service.exe"	vbc.exe

description	pid	process	target process
PID 2944 set thread context of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe

description	ioc	process
File created	C:\Windows\service.exe	vbc.exe
File opened for modification	C:\Windows\service.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

199363efcdf47c69fe172d113d744d68_JaffaCakes118.exevbc.execmd.exenet.exe

description	pid	process	target process
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2944 wrote to memory of 2660	2944	199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe	vbc.exe
PID 2660 wrote to memory of 3056	2660	vbc.exe	cmd.exe
PID 2660 wrote to memory of 3056	2660	vbc.exe	cmd.exe
PID 2660 wrote to memory of 3056	2660	vbc.exe	cmd.exe
PID 2660 wrote to memory of 3056	2660	vbc.exe	cmd.exe
PID 2660 wrote to memory of 1452	2660	vbc.exe	service.exe
PID 2660 wrote to memory of 1452	2660	vbc.exe	service.exe
PID 2660 wrote to memory of 1452	2660	vbc.exe	service.exe
PID 2660 wrote to memory of 1452	2660	vbc.exe	service.exe
PID 3056 wrote to memory of 1236	3056	cmd.exe	net.exe
PID 3056 wrote to memory of 1236	3056	cmd.exe	net.exe
PID 3056 wrote to memory of 1236	3056	cmd.exe	net.exe
PID 3056 wrote to memory of 1236	3056	cmd.exe	net.exe
PID 1236 wrote to memory of 2040	1236	net.exe	net1.exe
PID 1236 wrote to memory of 2040	1236	net.exe	net1.exe
PID 1236 wrote to memory of 2040	1236	net.exe	net1.exe
PID 1236 wrote to memory of 2040	1236	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\199363efcdf47c69fe172d113d744d68_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\x.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\net.exe
net stop "Security Center"
4⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
5⤵
PID:2040

C:\Windows\service.exe
"C:\Windows\service.exe"
3⤵
- Executes dropped EXE
PID:1452

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\service.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\x.bat
Filesize
53B

MD5
e6ed7be2b9572503f07663ca6e53759f

SHA1
7ad80bd38f2a27e06c111b551c76ad0a0585c194

SHA256
b1a6c027d18eb5766129a059f68201e6fb8c68d095f3932983009fe5ae2e4df9

SHA512
e0010782b4fe567290536743375112db3107f8390d4c5cbb97f1bf1a8c83825399e1fe2fe9793d351896bb704f3bdec583fa7241b853b136fa9440a927d94227

Download Submit
memory/2660-52-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-80-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download
memory/2660-50-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-48-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-54-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-61-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-62-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download
memory/2660-59-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2660-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2944-20-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-24-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-35-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-42-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-41-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-40-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-39-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-38-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-37-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-36-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-34-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-33-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-32-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-30-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-29-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-28-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-27-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-26-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-25-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-31-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-23-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-43-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-21-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-46-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download
memory/2944-47-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download
memory/2944-0-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-19-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-18-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-17-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-15-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-16-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-14-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-22-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-13-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-63-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download
memory/2944-12-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-11-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2944-9-0x0000000075404000-0x0000000075405000-memory.dmp

Filesize
4KB

Download
memory/2944-10-0x00000000753F0000-0x0000000075500000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads