General

  • Target

    fcb26ace0aa61a1bed4e13887caed05d_JaffaCakes118

  • Size

    224KB

  • Sample

    240420-nw9h6agd8v

  • MD5

    fcb26ace0aa61a1bed4e13887caed05d

  • SHA1

    4e16dd9a3be0d64e4b5994cdd99b0c9789749333

  • SHA256

    6cd0aafdc91e87b1dcc56b6d7b8cad61f93afdb8d9b40b2842337a743612dae9

  • SHA512

    2ee84989bb65818b0862ef2da1cf60fc6a2a3f4fc0a96808aa90cead686f22d39a56b5ca5b55993648b00034fd7a27e40e2f6d3783bb27dfff0c25f98e50a107

  • SSDEEP

    3072:yw3sP568FlQqTeE5gHH0e7wXpXUiJSYdN2eghMgYbOkxG7gieM7g2bvLAuXz38z:NEc4lvBs7wZXUWSeweghMpzMLbLAK38z

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor (the Metasploit x86 call4_dword_xor "Call+4 Dword XOR" encoder; the extractor reports the encoder name in this field rather than a payload version)
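The encoder named in the extracted config has a fixed decoder stub, which is what makes the key and payload extractable from the sample. The following is an added example written for this page (not code from the report, the sandbox, or Metasploit): it wraps a constructed placeholder string in a call4_dword_xor-style stub, then recovers the key and the payload by matching the stub's fixed bytes. The count prologue (xor ecx,ecx ; sub ecx,imm) is my reconstruction and an assumption; Metasploit chooses instruction encodings to avoid bad characters, so only the bytes from call $+4 onward should be relied on as a signature.

```python
import re
import struct

# Fixed tail of the Metasploit x86/call4_dword_xor decoder stub. The call
# targets its own last byte, so the 0xff/0xc1 pair doubles as "inc ecx" and
# "pop esi" recovers the address right after the call as the GetPC value.
CALL4_STUB_RE = re.compile(
    rb"\xe8\xff\xff\xff\xff"  # call $+4   (pushes the address of the 0xc1)
    rb"\xc1"                  # ff c1: inc ecx
    rb"\x5e"                  # pop esi    (esi -> the 0xc1 byte)
    rb"\x81\x76\x0e"          # xor dword [esi+0x0e], imm32
    rb"(?P<key>.{4})"         # imm32: the 4-byte XOR key, stored little-endian
    rb"\x83\xee\xfc"          # sub esi, -4  (advance one dword)
    rb"\xe2\xf4",             # loop back to the xor
    re.DOTALL,
)
# The stub is 19 bytes; [esi+0x0e] lands exactly on the byte after it, so the
# encoded payload starts at match.end().


def _dword_count(buf: bytes, stub_start: int):
    """Recover ECX at loop entry from the "xor ecx,ecx ; sub ecx,imm" prologue
    (assumed form, see lead-in). Returns None if no such prologue precedes
    the stub; the caller then decodes everything after the stub."""
    for width, opcode, fmt in ((5, b"\x83\xe9", "<b"), (8, b"\x81\xe9", "<i")):
        if stub_start < width:
            continue
        pro = buf[stub_start - width:stub_start]
        if pro[:2] == b"\x31\xc9" and pro[2:4] == opcode:
            imm = struct.unpack(fmt, pro[4:])[0]
            # sub ecx,imm from zero gives -imm; the stub's inc ecx adds one.
            return (-imm + 1) & 0xFFFFFFFF
    return None


def call4_encode(payload: bytes, key: bytes) -> bytes:
    """Wrap payload in a call4_dword_xor-style stub (reconstruction for the
    example; Metasploit picks the prologue encoding to dodge bad chars)."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    padded = payload + b"\x00" * (-len(payload) % 4)  # loop works in dwords
    n = len(padded) // 4
    imm = -(n - 1)  # ecx = n-1 after "sub", n after the stub's "inc ecx"
    if -128 <= imm <= 127:
        prologue = b"\x31\xc9\x83\xe9" + struct.pack("<b", imm)
    else:
        prologue = b"\x31\xc9\x81\xe9" + struct.pack("<i", imm)
    stub = (b"\xe8\xff\xff\xff\xff\xc1\x5e\x81\x76\x0e" + key
            + b"\x83\xee\xfc\xe2\xf4")
    encoded = bytes(b ^ key[i % 4] for i, b in enumerate(padded))
    return prologue + stub + encoded


def call4_decode(buf: bytes):
    """Locate the stub in buf, pull the key out of the xor instruction and
    return (stub_offset, key, decoded_bytes), or None when no stub is found."""
    m = CALL4_STUB_RE.search(buf)
    if m is None:
        return None
    key = m.group("key")
    start = m.end()
    n = _dword_count(buf, m.start())
    end = len(buf) if n is None else min(len(buf), start + 4 * n)
    # Byte-wise XOR with the repeating key equals the stub's dword XOR, since
    # both the immediate and memory are little-endian.
    decoded = bytes(b ^ key[i % 4] for i, b in enumerate(buf[start:end]))
    return m.start(), key, decoded


# Constructed demo input: an ASCII marker stands in for real shellcode.
DEMO_PAYLOAD = b"constructed placeholder, not real shellcode"
DEMO_KEY = b"\x13\x37\xca\xfe"

if __name__ == "__main__":
    blob = b"\x90" * 16 + call4_encode(DEMO_PAYLOAD, DEMO_KEY)  # NOP sled prefix
    off, key, plain = call4_decode(blob)
    clean = plain.rstrip(b"\x00")
    print(f"stub at +{off}, key {key.hex()}, payload: {clean!r}")
```

Running the decoder over a dumped memory region or the unpacked sample is enough to recover the key; when the prologue is not recognised, the decoder XORs the whole remainder, which is what the in-place loop would do to any bytes that follow the payload anyway.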

Targets

    • Target

      fcb26ace0aa61a1bed4e13887caed05d_JaffaCakes118

    • MetaSploit

      Detected a payload belonging to the Metasploit Framework, most likely generated with msfvenom or a similar tool. The extracted config identifies the x86 call4_dword_xor encoder, whose fixed decoder stub is what allows static detection and key recovery.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence: the payload can compare it against a list of countries in which it will or will not run.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read to detect sandboxes and virtual machines, since the enumerated disk device IDs carry the hypervisor's vendor strings.

    • Drops file in System32 directory
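The six behavioural signatures above are the kind a sandbox derives by correlating hooked API calls: some fire on a single registry read, others only once a file written earlier is executed or loaded. The following is an added example for this page (not the sandbox's own rule engine) that reproduces that logic over a constructed API trace. The registry locations are the standard ones for each behaviour (Geo\Nation holds the configured country GeoID, Disk\Enum the disk hardware IDs); whether the sandbox's real rules look at exactly these keys is not stated in the report, and every path, PID and file name in the trace is invented.

```python
# Constructed API trace in the shape a sandbox hook log might take. Every
# path, PID and process name below is invented for the example.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
TRACE = [
    {"pid": 1000, "api": "RegQueryValueExW",
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 1000, "api": "RegQueryValueExW",
     "key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum", "value": "0"},
    {"pid": 1000, "api": "NtWriteFile", "path": r"C:\Windows\System32\drvhelper.dll"},
    {"pid": 1000, "api": "NtWriteFile", "path": r"C:\Users\Admin\AppData\Local\Temp\upd.exe"},
    {"pid": 1000, "api": "CreateProcessW", "path": r"C:\Users\Admin\AppData\Local\Temp\upd.exe"},
    {"pid": 1200, "api": "LdrLoadDll", "path": r"C:\Windows\System32\drvhelper.dll"},
    {"pid": 1200, "api": "DeleteFileW", "path": SAMPLE_PATH},
]

# Registry locations behind the two registry signatures (assumed to be what
# the sandbox matches on). Geo\Nation holds the user's GeoID (country);
# Disk\Enum lists disk hardware IDs, whose vendor strings (VBOX, VMware,
# QEMU, ...) give away a virtual machine.
GEO_KEY = r"\control panel\international\geo"
DISK_ENUM_KEY = r"\services\disk\enum"
SYSTEM32 = "c:\\windows\\system32\\"


def match_signatures(trace, sample_path):
    """Return the signature names fired by trace, in first-hit order.
    File writes are remembered so that a later execution or load of the
    same path can be attributed to a *dropped* file."""
    hits = []
    dropped = set()
    sample = sample_path.lower()

    def fire(name):
        if name not in hits:
            hits.append(name)

    for ev in trace:
        api = ev["api"]
        key = ev.get("key", "").lower()
        path = ev.get("path", "").lower()
        if api.startswith("Reg"):
            if GEO_KEY in key:
                fire("Checks computer location settings")
            elif DISK_ENUM_KEY in key:
                fire("Maps connected drives based on registry")
        elif api in ("NtWriteFile", "WriteFile"):
            dropped.add(path)
            if path.startswith(SYSTEM32):
                fire("Drops file in System32 directory")
        elif api in ("CreateProcessW", "CreateProcessA"):
            if path in dropped:
                fire("Executes dropped EXE")
        elif api in ("LdrLoadDll", "LoadLibraryW", "LoadLibraryA"):
            if path in dropped:
                fire("Loads dropped DLL")
        elif api in ("DeleteFileW", "DeleteFileA", "NtDeleteFile"):
            if path == sample:
                fire("Deletes itself")
    return hits


if __name__ == "__main__":
    for name in match_signatures(TRACE, SAMPLE_PATH):
        print("  •", name)
```

The point of the `dropped` set is that "Executes dropped EXE" and "Loads dropped DLL" are not properties of a single event: a process start or DLL load only counts once the same path was seen being written by the sample's process tree earlier in the trace.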
