metasploit | da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
Size

380KB
MD5

1ceed5dcb2ea13f10a727326633a99f9
SHA1

e23bb5b3d5235757fa56a6b3a43c5e358781653a
SHA256

da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d
SHA512

1e52fc832946178eec00171e8a3e4c5bc9e892481b593bdc71a43410c95fbca4ea00026bdfc7b65d27aa0b626f3b2d704297a44eae6ae0e21e875cdb6926719e
SSDEEP

6144:WRjfpbvNzGn6+MT1k6CW3e0dZfFgCZTdsmnElX9mzHsmaEJFLaXupTR5QWfdz:WRjfHza6+M5ko1dTdxGmnOX9uhL+KT4o

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 10 IoCs

Processes:

wuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

pid process

2604 wuauclt13.exe
2560 wuauclt13.exe
2940 wuauclt13.exe
2936 wuauclt13.exe
1196 wuauclt13.exe
1500 wuauclt13.exe
1916 wuauclt13.exe
1116 wuauclt13.exe
684 wuauclt13.exe
1820 wuauclt13.exe

pid	process
2604	wuauclt13.exe
2560	wuauclt13.exe
2940	wuauclt13.exe
2936	wuauclt13.exe
1196	wuauclt13.exe
1500	wuauclt13.exe
1916	wuauclt13.exe
1116	wuauclt13.exe
684	wuauclt13.exe
1820	wuauclt13.exe

Loads dropped DLL 20 IoCs

Processes:

1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

pid	process
1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
2604	wuauclt13.exe
2604	wuauclt13.exe
2560	wuauclt13.exe
2560	wuauclt13.exe
2940	wuauclt13.exe
2940	wuauclt13.exe
2936	wuauclt13.exe
2936	wuauclt13.exe
1196	wuauclt13.exe
1196	wuauclt13.exe
1500	wuauclt13.exe
1500	wuauclt13.exe
1916	wuauclt13.exe
1916	wuauclt13.exe
1116	wuauclt13.exe
1116	wuauclt13.exe
684	wuauclt13.exe
684	wuauclt13.exe

Drops file in System32 directory 22 IoCs

Processes:

wuauclt13.exewuauclt13.exe1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

description	pid	process	target process
PID 1688 wrote to memory of 2604	1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 1688 wrote to memory of 2604	1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 1688 wrote to memory of 2604	1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 1688 wrote to memory of 2604	1688	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 2604 wrote to memory of 2560	2604	wuauclt13.exe	wuauclt13.exe
PID 2604 wrote to memory of 2560	2604	wuauclt13.exe	wuauclt13.exe
PID 2604 wrote to memory of 2560	2604	wuauclt13.exe	wuauclt13.exe
PID 2604 wrote to memory of 2560	2604	wuauclt13.exe	wuauclt13.exe
PID 2560 wrote to memory of 2940	2560	wuauclt13.exe	wuauclt13.exe
PID 2560 wrote to memory of 2940	2560	wuauclt13.exe	wuauclt13.exe
PID 2560 wrote to memory of 2940	2560	wuauclt13.exe	wuauclt13.exe
PID 2560 wrote to memory of 2940	2560	wuauclt13.exe	wuauclt13.exe
PID 2940 wrote to memory of 2936	2940	wuauclt13.exe	wuauclt13.exe
PID 2940 wrote to memory of 2936	2940	wuauclt13.exe	wuauclt13.exe
PID 2940 wrote to memory of 2936	2940	wuauclt13.exe	wuauclt13.exe
PID 2940 wrote to memory of 2936	2940	wuauclt13.exe	wuauclt13.exe
PID 2936 wrote to memory of 1196	2936	wuauclt13.exe	wuauclt13.exe
PID 2936 wrote to memory of 1196	2936	wuauclt13.exe	wuauclt13.exe
PID 2936 wrote to memory of 1196	2936	wuauclt13.exe	wuauclt13.exe
PID 2936 wrote to memory of 1196	2936	wuauclt13.exe	wuauclt13.exe
PID 1196 wrote to memory of 1500	1196	wuauclt13.exe	wuauclt13.exe
PID 1196 wrote to memory of 1500	1196	wuauclt13.exe	wuauclt13.exe
PID 1196 wrote to memory of 1500	1196	wuauclt13.exe	wuauclt13.exe
PID 1196 wrote to memory of 1500	1196	wuauclt13.exe	wuauclt13.exe
PID 1500 wrote to memory of 1916	1500	wuauclt13.exe	wuauclt13.exe
PID 1500 wrote to memory of 1916	1500	wuauclt13.exe	wuauclt13.exe
PID 1500 wrote to memory of 1916	1500	wuauclt13.exe	wuauclt13.exe
PID 1500 wrote to memory of 1916	1500	wuauclt13.exe	wuauclt13.exe
PID 1916 wrote to memory of 1116	1916	wuauclt13.exe	wuauclt13.exe
PID 1916 wrote to memory of 1116	1916	wuauclt13.exe	wuauclt13.exe
PID 1916 wrote to memory of 1116	1916	wuauclt13.exe	wuauclt13.exe
PID 1916 wrote to memory of 1116	1916	wuauclt13.exe	wuauclt13.exe
PID 1116 wrote to memory of 684	1116	wuauclt13.exe	wuauclt13.exe
PID 1116 wrote to memory of 684	1116	wuauclt13.exe	wuauclt13.exe
PID 1116 wrote to memory of 684	1116	wuauclt13.exe	wuauclt13.exe
PID 1116 wrote to memory of 684	1116	wuauclt13.exe	wuauclt13.exe
PID 684 wrote to memory of 1820	684	wuauclt13.exe	wuauclt13.exe
PID 684 wrote to memory of 1820	684	wuauclt13.exe	wuauclt13.exe
PID 684 wrote to memory of 1820	684	wuauclt13.exe	wuauclt13.exe
PID 684 wrote to memory of 1820	684	wuauclt13.exe	wuauclt13.exe

C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 536 "C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 520 "C:\Windows\SysWOW64\wuauclt13.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 548 "C:\Windows\SysWOW64\wuauclt13.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 524 "C:\Windows\SysWOW64\wuauclt13.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 552 "C:\Windows\SysWOW64\wuauclt13.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 528 "C:\Windows\SysWOW64\wuauclt13.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 532 "C:\Windows\SysWOW64\wuauclt13.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 540 "C:\Windows\SysWOW64\wuauclt13.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 568 "C:\Windows\SysWOW64\wuauclt13.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 544 "C:\Windows\SysWOW64\wuauclt13.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuauclt13.exe
Filesize
380KB

MD5
1ceed5dcb2ea13f10a727326633a99f9

SHA1
e23bb5b3d5235757fa56a6b3a43c5e358781653a

SHA256
da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d

SHA512
1e52fc832946178eec00171e8a3e4c5bc9e892481b593bdc71a43410c95fbca4ea00026bdfc7b65d27aa0b626f3b2d704297a44eae6ae0e21e875cdb6926719e

Download Submit
memory/684-97-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/684-95-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1116-91-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1116-89-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1196-73-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1196-71-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1500-82-0x0000000003280000-0x00000000033A6000-memory.dmp

Filesize
1.1MB

Download
memory/1500-79-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1500-77-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1688-7-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1688-33-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1688-23-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1688-22-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1688-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1688-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1688-19-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1688-18-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1688-17-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1688-16-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1688-15-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1688-14-0x00000000027D0000-0x00000000027DB000-memory.dmp

Filesize
44KB

Download
memory/1688-13-0x00000000027E0000-0x00000000027E5000-memory.dmp

Filesize
20KB

Download
memory/1688-12-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1688-11-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1688-10-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1688-9-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1688-8-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1688-25-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1688-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1688-5-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1688-3-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1688-2-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1688-24-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1688-32-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1688-38-0x00000000032C0000-0x00000000033E6000-memory.dmp

Filesize
1.1MB

Download
memory/1688-46-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1688-47-0x00000000005A0000-0x00000000005EB000-memory.dmp

Filesize
300KB

Download
memory/1688-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1688-1-0x00000000005A0000-0x00000000005EB000-memory.dmp

Filesize
300KB

Download
memory/1688-4-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1688-31-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1688-30-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1688-29-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1688-26-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1688-27-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1688-28-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1820-101-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1820-103-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1916-85-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2560-55-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2560-53-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2604-52-0x0000000003200000-0x0000000003326000-memory.dmp

Filesize
1.1MB

Download
memory/2604-48-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-67-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-65-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2940-59-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2940-61-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads