metasploit | 09bda9bc0821d5576c8b2c9f506333b7ca4bf210016cf76063c20ec0820de71c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
Size

132KB
MD5

1b6f0180f590096ad64577b9f88692c2
SHA1

a8e7a592705c2620a0d300d5b7be778fe37f1c64
SHA256

09bda9bc0821d5576c8b2c9f506333b7ca4bf210016cf76063c20ec0820de71c
SHA512

971dbef8b41624f18d140d211b0f93cb6ef7b9630f180ff5f995181cc2c73d3c1ea79fd7da9c0a0dd023b7e0f21b92661d639a0b00e4b6e8cb2572064dd33099
SSDEEP

1536:33oH7x3kI3mTfPhcQ2QDOFbhSUA9GdPNHeARsV/HWyLcub7FLMejUV2JeHNsUEE:noqOLQDOTn8kV5sV/2yLz7FLHoaUl

Score

10^/10

metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

aadrive32.exeaadrive32.exe

pid process

2680 aadrive32.exe
2416 aadrive32.exe

pid	process
2680	aadrive32.exe
2416	aadrive32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\aadrive32.exe"	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exeaadrive32.exe

description	pid	process	target process
PID 2992 set thread context of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2680 set thread context of 2416	2680	aadrive32.exe	aadrive32.exe

Drops file in Windows directory 3 IoCs

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exeaadrive32.exe

description	ioc	process
File created	C:\Windows\aadrive32.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
File opened for modification	C:\Windows\aadrive32.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
File created	C:\Windows\%windir%\lfffile32.log	aadrive32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

pid process

2988 1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
2988 1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

pid	process
2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exeaadrive32.exe

description	pid	process	target process
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2992 wrote to memory of 2988	2992	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
PID 2988 wrote to memory of 2680	2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	aadrive32.exe
PID 2988 wrote to memory of 2680	2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	aadrive32.exe
PID 2988 wrote to memory of 2680	2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	aadrive32.exe
PID 2988 wrote to memory of 2680	2988	1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe
PID 2680 wrote to memory of 2416	2680	aadrive32.exe	aadrive32.exe

C:\Users\Admin\AppData\Local\Temp\1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b6f0180f590096ad64577b9f88692c2_JaffaCakes118.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\aadrive32.exe
"C:\Windows\aadrive32.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\aadrive32.exe
Filesize
132KB

MD5
1b6f0180f590096ad64577b9f88692c2

SHA1
a8e7a592705c2620a0d300d5b7be778fe37f1c64

SHA256
09bda9bc0821d5576c8b2c9f506333b7ca4bf210016cf76063c20ec0820de71c

SHA512
971dbef8b41624f18d140d211b0f93cb6ef7b9630f180ff5f995181cc2c73d3c1ea79fd7da9c0a0dd023b7e0f21b92661d639a0b00e4b6e8cb2572064dd33099

Download Submit
memory/2416-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-42-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-44-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-51-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-50-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-6-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2988-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download