metasploit | da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
Size

380KB
MD5

1ceed5dcb2ea13f10a727326633a99f9
SHA1

e23bb5b3d5235757fa56a6b3a43c5e358781653a
SHA256

da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d
SHA512

1e52fc832946178eec00171e8a3e4c5bc9e892481b593bdc71a43410c95fbca4ea00026bdfc7b65d27aa0b626f3b2d704297a44eae6ae0e21e875cdb6926719e
SSDEEP

6144:WRjfpbvNzGn6+MT1k6CW3e0dZfFgCZTdsmnElX9mzHsmaEJFLaXupTR5QWfdz:WRjfHza6+M5ko1dTdxGmnOX9uhL+KT4o

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 10 IoCs

Processes:

wuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

pid process

2000 wuauclt13.exe
1284 wuauclt13.exe
2712 wuauclt13.exe
2688 wuauclt13.exe
2580 wuauclt13.exe
3276 wuauclt13.exe
436 wuauclt13.exe
4572 wuauclt13.exe
2776 wuauclt13.exe
1508 wuauclt13.exe

pid	process
2000	wuauclt13.exe
1284	wuauclt13.exe
2712	wuauclt13.exe
2688	wuauclt13.exe
2580	wuauclt13.exe
3276	wuauclt13.exe
436	wuauclt13.exe
4572	wuauclt13.exe
2776	wuauclt13.exe
1508	wuauclt13.exe

Drops file in System32 directory 22 IoCs

Processes:

wuauclt13.exewuauclt13.exe1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File created	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt13.exe	wuauclt13.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exewuauclt13.exe

description	pid	process	target process
PID 1804 wrote to memory of 2000	1804	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 1804 wrote to memory of 2000	1804	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 1804 wrote to memory of 2000	1804	1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe	wuauclt13.exe
PID 2000 wrote to memory of 1284	2000	wuauclt13.exe	wuauclt13.exe
PID 2000 wrote to memory of 1284	2000	wuauclt13.exe	wuauclt13.exe
PID 2000 wrote to memory of 1284	2000	wuauclt13.exe	wuauclt13.exe
PID 1284 wrote to memory of 2712	1284	wuauclt13.exe	wuauclt13.exe
PID 1284 wrote to memory of 2712	1284	wuauclt13.exe	wuauclt13.exe
PID 1284 wrote to memory of 2712	1284	wuauclt13.exe	wuauclt13.exe
PID 2712 wrote to memory of 2688	2712	wuauclt13.exe	wuauclt13.exe
PID 2712 wrote to memory of 2688	2712	wuauclt13.exe	wuauclt13.exe
PID 2712 wrote to memory of 2688	2712	wuauclt13.exe	wuauclt13.exe
PID 2688 wrote to memory of 2580	2688	wuauclt13.exe	wuauclt13.exe
PID 2688 wrote to memory of 2580	2688	wuauclt13.exe	wuauclt13.exe
PID 2688 wrote to memory of 2580	2688	wuauclt13.exe	wuauclt13.exe
PID 2580 wrote to memory of 3276	2580	wuauclt13.exe	wuauclt13.exe
PID 2580 wrote to memory of 3276	2580	wuauclt13.exe	wuauclt13.exe
PID 2580 wrote to memory of 3276	2580	wuauclt13.exe	wuauclt13.exe
PID 3276 wrote to memory of 436	3276	wuauclt13.exe	wuauclt13.exe
PID 3276 wrote to memory of 436	3276	wuauclt13.exe	wuauclt13.exe
PID 3276 wrote to memory of 436	3276	wuauclt13.exe	wuauclt13.exe
PID 436 wrote to memory of 4572	436	wuauclt13.exe	wuauclt13.exe
PID 436 wrote to memory of 4572	436	wuauclt13.exe	wuauclt13.exe
PID 436 wrote to memory of 4572	436	wuauclt13.exe	wuauclt13.exe
PID 4572 wrote to memory of 2776	4572	wuauclt13.exe	wuauclt13.exe
PID 4572 wrote to memory of 2776	4572	wuauclt13.exe	wuauclt13.exe
PID 4572 wrote to memory of 2776	4572	wuauclt13.exe	wuauclt13.exe
PID 2776 wrote to memory of 1508	2776	wuauclt13.exe	wuauclt13.exe
PID 2776 wrote to memory of 1508	2776	wuauclt13.exe	wuauclt13.exe
PID 2776 wrote to memory of 1508	2776	wuauclt13.exe	wuauclt13.exe

C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1152 "C:\Users\Admin\AppData\Local\Temp\1ceed5dcb2ea13f10a727326633a99f9_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1148 "C:\Windows\SysWOW64\wuauclt13.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1124 "C:\Windows\SysWOW64\wuauclt13.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1128 "C:\Windows\SysWOW64\wuauclt13.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1132 "C:\Windows\SysWOW64\wuauclt13.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1136 "C:\Windows\SysWOW64\wuauclt13.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1120 "C:\Windows\SysWOW64\wuauclt13.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1144 "C:\Windows\SysWOW64\wuauclt13.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1140 "C:\Windows\SysWOW64\wuauclt13.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\wuauclt13.exe
C:\Windows\system32\wuauclt13.exe 1160 "C:\Windows\SysWOW64\wuauclt13.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wuauclt13.exe
Filesize
380KB

MD5
1ceed5dcb2ea13f10a727326633a99f9

SHA1
e23bb5b3d5235757fa56a6b3a43c5e358781653a

SHA256
da9a60d8fbe49d1ff0cb0d4bdb5b92317f16d5c7292ca3978bfbe2dc1163221d

SHA512
1e52fc832946178eec00171e8a3e4c5bc9e892481b593bdc71a43410c95fbca4ea00026bdfc7b65d27aa0b626f3b2d704297a44eae6ae0e21e875cdb6926719e

Download Submit
memory/436-59-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1284-44-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1284-42-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1508-69-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1508-67-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1804-10-0x00000000028F0000-0x00000000028FB000-memory.dmp

Filesize
44KB

Download
memory/1804-7-0x0000000002900000-0x0000000002905000-memory.dmp

Filesize
20KB

Download
memory/1804-24-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1804-23-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1804-22-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1804-21-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1804-20-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1804-19-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1804-18-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1804-17-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1804-16-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1804-15-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1804-14-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1804-13-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1804-12-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1804-11-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x00000000009F0000-0x0000000000A3B000-memory.dmp

Filesize
300KB

Download
memory/1804-9-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1804-8-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1804-25-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1804-2-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1804-5-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1804-4-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1804-26-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1804-0-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1804-38-0x00000000009F0000-0x0000000000A3B000-memory.dmp

Filesize
300KB

Download
memory/1804-39-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1804-6-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1804-27-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1804-28-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1804-29-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2000-40-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2000-36-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2580-53-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2688-50-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2712-47-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2776-65-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3276-56-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4572-62-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download