General

  • Target: e339871172220fe821bc99045ad7513e_JaffaCakes118
  • Size: 131KB
  • Sample: 240406-za79raba75
  • MD5: e339871172220fe821bc99045ad7513e
  • SHA1: 0359a3b42eba63aeee9c2310cb7d2a0874d34eb5
  • SHA256: cb7702519df2cd5d40dce25f0da3ad0bdaca326bb3a00c812bbf053a86178784
  • SHA512: b4c96742c4fc30f16cc0086872c987e6a52070c9ae8bb2e569984dc14fe398b9d37a0f24b90aa52118961f1942bdba4ba3aac24ee2d6b5e0167b19a35ca88a81
  • SSDEEP: 3072:ISDQNryjtLCZYkFgPbOYSt7bqM1fgjGUlC3:IS0rktmm26bOYS7+Yak

Malware Config

Extracted

  • Family: metasploit
  • Version: encoder/call4_dword_xor

Targets

    • Target: e339871172220fe821bc99045ad7513e_JaffaCakes118

    • MetaSploit
      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file
      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Maps connected drives based on registry
      Disk information is often read to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks