metasploit | efe8d10184f741f9d26315f7914c0b3920a008ba89b0b1308f5e1e291ba54c91

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
Size

231KB
MD5

1a6f6227d4407dd10f4ca1bbc771357d
SHA1

a833b40efc4821e9ebf18cb82382596bdaa6d33e
SHA256

efe8d10184f741f9d26315f7914c0b3920a008ba89b0b1308f5e1e291ba54c91
SHA512

0c9ac3337c9338823b3a68fe8578bc12bbe8bdd08168b4c89334240da4429146c92eca1aedd8882bff7bbede1a01e4dd769a092ac2791a03abd8df24328c69c6
SSDEEP

3072:NtezRfHWyHsZ6PJcuBsZ2qAP7o7UUy47WoZ5iN9uQyOi4RoJGHxtQoBJhBGF9Pb:nixHwZUqf7JWo3wFRoJGHxfBLBg9z

Score

10^/10

metasploit backdoor evasion persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

ntservice.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	ntservice.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	ntservice.exe

Executes dropped EXE 2 IoCs

Processes:

ntservice.exentservice.exe

pid process

3256 ntservice.exe
2720 ntservice.exe

pid	process
3256	ntservice.exe
2720	ntservice.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ntservice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "ntservice.exe"	ntservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "ntservice.exe"	ntservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intec Service Drivers = "ntservice.exe"	ntservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Intec Service Drivers = "ntservice.exe"	ntservice.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exentservice.exe

description	pid	process	target process
PID 396 set thread context of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 set thread context of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 3256 set thread context of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 set thread context of 2720	3256	ntservice.exe	ntservice.exe

Drops file in Windows directory 3 IoCs

Processes:

ntservice.exe1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\127.0.200.200 update.msiservers.lan	ntservice.exe
File created	C:\Windows\ntservice.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
File opened for modification	C:\Windows\ntservice.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ntservice.exe

pid	process
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe
2720	ntservice.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ntservice.exe

description pid process

Token: SeDebugPrivilege 2720 ntservice.exe

description	pid	process
Token: SeDebugPrivilege	2720	ntservice.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exentservice.exe

description	pid	process	target process
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 396 wrote to memory of 4252	396	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
PID 4252 wrote to memory of 3256	4252	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	ntservice.exe
PID 4252 wrote to memory of 3256	4252	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	ntservice.exe
PID 4252 wrote to memory of 3256	4252	1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe
PID 3256 wrote to memory of 2720	3256	ntservice.exe	ntservice.exe

C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\ntservice.exe
C:\Windows\ntservice.exe 968 "C:\Users\Admin\AppData\Local\Temp\1a6f6227d4407dd10f4ca1bbc771357d_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\ntservice.exe
C:\Windows\ntservice.exe
4⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
1⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ntservice.exe
Filesize
231KB

MD5
1a6f6227d4407dd10f4ca1bbc771357d

SHA1
a833b40efc4821e9ebf18cb82382596bdaa6d33e

SHA256
efe8d10184f741f9d26315f7914c0b3920a008ba89b0b1308f5e1e291ba54c91

SHA512
0c9ac3337c9338823b3a68fe8578bc12bbe8bdd08168b4c89334240da4429146c92eca1aedd8882bff7bbede1a01e4dd769a092ac2791a03abd8df24328c69c6

Download Submit
memory/396-7-0x0000000011000000-0x0000000011040000-memory.dmp

Filesize
256KB

Download
memory/396-0-0x0000000011000000-0x0000000011040000-memory.dmp

Filesize
256KB

Download
memory/2720-22-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2720-24-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2720-23-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2720-26-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3256-21-0x0000000011000000-0x0000000011040000-memory.dmp

Filesize
256KB

Download
memory/4252-4-0x0000000011000000-0x0000000011040000-memory.dmp

Filesize
256KB

Download
memory/4252-1-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4252-8-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4252-5-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4252-25-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download