metasploit | 5408f860d49bc2bd525c5a86c6bdba2f77a50950118675bc7fe3e4dd3f485456

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
Size

138KB
MD5

1d0fd2a7eb944863444a4eda7f3c4272
SHA1

25de9b820e7ccb10498666bdc2e4faf980a31543
SHA256

5408f860d49bc2bd525c5a86c6bdba2f77a50950118675bc7fe3e4dd3f485456
SHA512

5c4b86696302077821d20dc2851a83d64dc03e5daf67c8291e8a648fa34ee9f43b160ef25204e74e0168c0c62bbf22b2b00e8973b31d8a99a2b0a7679eea27a6
SSDEEP

3072:uouHQyPemZ32QzqFjXz3Pr/YB0LsUmIG/XWU7Q:VUQyPem52Qszz3D/VLsgK57

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 10 IoCs

Processes:

GO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXE

pid process

2860 GO0GLEFREE.EXE
2844 GO0GLEFREE.EXE
2664 GO0GLEFREE.EXE
852 GO0GLEFREE.EXE
2180 GO0GLEFREE.EXE
1724 GO0GLEFREE.EXE
1580 GO0GLEFREE.EXE
1956 GO0GLEFREE.EXE
1416 GO0GLEFREE.EXE
652 GO0GLEFREE.EXE

pid	process
2860	GO0GLEFREE.EXE
2844	GO0GLEFREE.EXE
2664	GO0GLEFREE.EXE
852	GO0GLEFREE.EXE
2180	GO0GLEFREE.EXE
1724	GO0GLEFREE.EXE
1580	GO0GLEFREE.EXE
1956	GO0GLEFREE.EXE
1416	GO0GLEFREE.EXE
652	GO0GLEFREE.EXE

Loads dropped DLL 20 IoCs

Processes:

1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exeGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXE

pid	process
2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
2860	GO0GLEFREE.EXE
2860	GO0GLEFREE.EXE
2844	GO0GLEFREE.EXE
2844	GO0GLEFREE.EXE
2664	GO0GLEFREE.EXE
2664	GO0GLEFREE.EXE
852	GO0GLEFREE.EXE
852	GO0GLEFREE.EXE
2180	GO0GLEFREE.EXE
2180	GO0GLEFREE.EXE
1724	GO0GLEFREE.EXE
1724	GO0GLEFREE.EXE
1580	GO0GLEFREE.EXE
1580	GO0GLEFREE.EXE
1956	GO0GLEFREE.EXE
1956	GO0GLEFREE.EXE
1416	GO0GLEFREE.EXE
1416	GO0GLEFREE.EXE

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2072-10-0x0000000002860000-0x0000000002964000-memory.dmp	upx
C:\Windows\SysWOW64\GO0GLEFREE.EXE	upx
behavioral1/memory/2860-13-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2072-15-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2860-16-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2844-20-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2844-22-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2664-26-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2664-28-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/852-33-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2180-37-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/2180-39-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1724-43-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1724-45-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1580-49-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1580-51-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1956-55-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1956-57-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1416-61-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1416-63-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/652-67-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/652-69-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

Processes:

GO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXE1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exeGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File created	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE
File opened for modification	C:\Windows\SysWOW64\GO0GLEFREE.EXE	GO0GLEFREE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exeGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXEGO0GLEFREE.EXE

description	pid	process	target process
PID 2072 wrote to memory of 2860	2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe	GO0GLEFREE.EXE
PID 2072 wrote to memory of 2860	2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe	GO0GLEFREE.EXE
PID 2072 wrote to memory of 2860	2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe	GO0GLEFREE.EXE
PID 2072 wrote to memory of 2860	2072	1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe	GO0GLEFREE.EXE
PID 2860 wrote to memory of 2844	2860	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2860 wrote to memory of 2844	2860	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2860 wrote to memory of 2844	2860	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2860 wrote to memory of 2844	2860	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2844 wrote to memory of 2664	2844	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2844 wrote to memory of 2664	2844	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2844 wrote to memory of 2664	2844	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2844 wrote to memory of 2664	2844	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2664 wrote to memory of 852	2664	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2664 wrote to memory of 852	2664	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2664 wrote to memory of 852	2664	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2664 wrote to memory of 852	2664	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 852 wrote to memory of 2180	852	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 852 wrote to memory of 2180	852	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 852 wrote to memory of 2180	852	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 852 wrote to memory of 2180	852	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2180 wrote to memory of 1724	2180	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2180 wrote to memory of 1724	2180	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2180 wrote to memory of 1724	2180	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 2180 wrote to memory of 1724	2180	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1724 wrote to memory of 1580	1724	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1724 wrote to memory of 1580	1724	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1724 wrote to memory of 1580	1724	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1724 wrote to memory of 1580	1724	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1580 wrote to memory of 1956	1580	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1580 wrote to memory of 1956	1580	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1580 wrote to memory of 1956	1580	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1580 wrote to memory of 1956	1580	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1956 wrote to memory of 1416	1956	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1956 wrote to memory of 1416	1956	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1956 wrote to memory of 1416	1956	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1956 wrote to memory of 1416	1956	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1416 wrote to memory of 652	1416	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1416 wrote to memory of 652	1416	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1416 wrote to memory of 652	1416	GO0GLEFREE.EXE	GO0GLEFREE.EXE
PID 1416 wrote to memory of 652	1416	GO0GLEFREE.EXE	GO0GLEFREE.EXE

C:\Users\Admin\AppData\Local\Temp\1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 456 "C:\Users\Admin\AppData\Local\Temp\1d0fd2a7eb944863444a4eda7f3c4272_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 508 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 516 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 512 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 520 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 524 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 528 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 532 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 540 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\GO0GLEFREE.EXE
C:\Windows\system32\GO0GLEFREE.EXE 544 "C:\Windows\SysWOW64\GO0GLEFREE.EXE"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GO0GLEFREE.EXE
Filesize
138KB

MD5
1d0fd2a7eb944863444a4eda7f3c4272

SHA1
25de9b820e7ccb10498666bdc2e4faf980a31543

SHA256
5408f860d49bc2bd525c5a86c6bdba2f77a50950118675bc7fe3e4dd3f485456

SHA512
5c4b86696302077821d20dc2851a83d64dc03e5daf67c8291e8a648fa34ee9f43b160ef25204e74e0168c0c62bbf22b2b00e8973b31d8a99a2b0a7679eea27a6

Download Submit
memory/652-69-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/652-67-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/852-33-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1416-61-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1416-63-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1580-49-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1580-51-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1724-43-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1724-45-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1956-57-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1956-55-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2072-15-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2072-11-0x0000000002860000-0x0000000002964000-memory.dmp

Filesize
1.0MB

Download
memory/2072-10-0x0000000002860000-0x0000000002964000-memory.dmp

Filesize
1.0MB

Download
memory/2072-0-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2180-37-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2180-39-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2664-28-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2664-26-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2844-22-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2844-20-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2860-16-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2860-13-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads