General

  • Target

    f7b95748be0dcb35fd6e9082c3e758f4_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240418-lkkpjshc35

  • MD5

    f7b95748be0dcb35fd6e9082c3e758f4

  • SHA1

    56056e7b42ce97cfff697bb8c912dab1d700c038

  • SHA256

    8223d57e113fdab4003cbdb87d78e399ed84c4b13a65c4790a36cdddc3484b48

  • SHA512

    9643c80d871208c0486635e742745399a6b9d30de33777de25e24c29da634e271c5b3bedcaf81e34888e6017afe1a40867bfee198a186a0c8b0d6329a6136f09

  • SSDEEP

    24576:pfBc0H7qvHHwvb7YccVlxUioAJje9E7+j+Y/qN5FzFRd2H/zzNt7Y6mQ6QUzGjpn:pf2G79v/xSHzBJ6WC+j2bpW+6Q4GIP

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/fnstenv_mov

Targets

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies security service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process

    T1543 (1)

  • Windows Service

    T1543.003 (1)

Privilege Escalation

  • Create or Modify System Process

    T1543 (1)

  • Windows Service

    T1543.003 (1)

Defense Evasion

  • Modify Registry

    T1112 (1)

  • Virtualization/Sandbox Evasion

    T1497 (1)

Discovery

  • Query Registry

    T1012 (2)

  • System Information Discovery

    T1082 (2)

  • Virtualization/Sandbox Evasion

    T1497 (1)

Tasks