Trojan:BAT/MetaSploit.JAA!MTB
Aliases: No associated aliases
Summary
Trojan:BAT/Metasploit.JAA!MTB is a detection for a malicious batch script that belongs to the broader Metasploit malware family. This family comprises tools derived from the Metasploit Framework, a legitimate penetration testing toolset that threat actors weaponize to gain unauthorized remote access to compromised devices. The "BAT" in the name indicates that this particular variant is written as a Windows batch file, which is executed by the system's command-line interpreter (cmd.exe).
The primary function of this trojan is to act as a loader, deploying a more advanced, memory-resident payload called Meterpreter. This payload establishes a covert communication channel with a server controlled by the threat actor, providing them with capabilities to steal sensitive data, monitor user activity, and deploy additional malware such as ransomware.
The "!MTB" suffix signifies that the threat was identified through Machine Threat Behavior. It was detected by behavioral analysis or machine learning models that recognize patterns consistent with malicious activity, rather than a known file signature.
- Disconnect the compromised device from all networks (both wired and Wi-Fi) as soon as possible. This severs the threat actor's remote connection and prevents further data exfiltration.
- Inspect startup entries, scheduled tasks, and running processes for any malicious components that may have established persistence, and remove them.
- Reset all web browsers to their default settings to remove any malicious extensions, changes to your homepage, or search engine hijackers that the malware may have installed.
- Check and clean Windows Scheduled Tasks and the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key for any malicious entries established by the malware.
- Examine financial, messaging, and other essential accounts for atypical transactions or activity indicative of unauthorized access.
- Change passwords for local user profiles, privileged accounts, and linked online services immediately, as they may have been intercepted.
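The persistence checks in the steps above can be scripted. The following PowerShell script is an added example, not code from this Microsoft page, and assumes an elevated session on the affected host; the flagging heuristic is a constructed assumption tuned to a batch-file loader, not a Microsoft detection rule.

```powershell
# Added triage helper, not code from the Microsoft encyclopedia page.
# Assumption: run in an elevated PowerShell session on the affected Windows host.
# Enumerates the autostart locations named in the remediation steps and flags entries
# that launch a batch file or a command interpreter, the launch pattern of a BAT loader.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Constructed heuristic: .bat/.cmd files, or interpreters invoked with inline commands.
$suspicious = '\.(bat|cmd)\b|\bcmd(\.exe)?\s+/[ck]\b|\bpowershell(\.exe)?\b|\bmshta\b|\b[wc]script\b'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    $findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Command = $Command
        Flag   = [bool]($Command -match $suspicious)
    })
}

# 1. Run keys for the current user and the machine.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Startup folder of the current user.
$startupDir = [Environment]::GetFolderPath('Startup')
foreach ($f in Get-ChildItem -Path $startupDir -File -ErrorAction SilentlyContinue) {
    Add-Finding -Source 'Startup folder' -Name $f.Name -Command $f.FullName
}

# 3. Scheduled tasks: inspect each action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # COM-handler actions have no Execute
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        Add-Finding -Source "Task $($task.TaskPath)$($task.TaskName)" -Name $task.TaskName -Command $cmd
    }
}

# Flagged entries need manual review: legitimate software also uses these interpreters.
$findings | Where-Object Flag | Sort-Object Source | Format-Table -AutoSize
```

Treat the output as a starting point for review rather than a verdict; compare each flagged command against what the software is expected to run before removing it.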
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.