metasploit | 954f50be8810c7d138d0b295a720bb7e268afd23b6ceccf61413e4816ab89cd0 | Triage

Submit
Reports

Overview

overview

Static

static

3

19b1ef5224...18.exe

windows7-x64

1

19b1ef5224...18.exe

windows10-2004-x64

Sharing

General

Target

19b1ef52243d9eb67d59872970b1ce53_JaffaCakes118
Size

212KB
Sample

240628-lv46yatamb
MD5

19b1ef52243d9eb67d59872970b1ce53
SHA1

5a6b7f101cbcb43c278ee4f916d8710b23e10321
SHA256

954f50be8810c7d138d0b295a720bb7e268afd23b6ceccf61413e4816ab89cd0
SHA512

c711df2b10509ef23c2ae196d70474667d52ee6ee5afd5c190e805e9d15c9cf87b1b552c8b97dd69a9b0fa8dc1f49cf79562c00d1eb19d45069f61d94ddb6806
SSDEEP

6144:cRxlIA8ugFFnrXfg6XM8Xx9mhzTxL7bVbksB:c6Ki5rY6z9mFxTFRB

Score

10^/10

metasploit backdoor trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

19b1ef52243d9eb67d59872970b1ce53_JaffaCakes118.exe

Resource

win7-20240508-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

19b1ef52243d9eb67d59872970b1ce53_JaffaCakes118.exe

Resource

win10v2004-20240611-en

metasploit backdoor trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  19b1ef52243d9eb67d59872970b1ce53_JaffaCakes118
- Size
  
  212KB
- MD5
  
  19b1ef52243d9eb67d59872970b1ce53
- SHA1
  
  5a6b7f101cbcb43c278ee4f916d8710b23e10321
- SHA256
  
  954f50be8810c7d138d0b295a720bb7e268afd23b6ceccf61413e4816ab89cd0
- SHA512
  
  c711df2b10509ef23c2ae196d70474667d52ee6ee5afd5c190e805e9d15c9cf87b1b552c8b97dd69a9b0fa8dc1f49cf79562c00d1eb19d45069f61d94ddb6806
- SSDEEP
  
  6144:cRxlIA8ugFFnrXfg6XM8Xx9mhzTxL7bVbksB:c6Ki5rY6z9mFxTFRB
Score

10^/10

metasploit backdoor trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

metasploitbackdoortrojan

© 2018-2024

Terms | Privacy