General
Target: 00e6f056c93844000da657f883763b37_JaffaCakes118
Size: 445KB
Sample: 240619-2gaceavdkd
MD5: 00e6f056c93844000da657f883763b37
SHA1: 138f1df9b9b5c19f7701fad125ec236e58730ac1
SHA256: 3f76f12fbefcf128ee20c97f156acb276e203c681c7172949824256f35824187
SHA512: 94643d5971d9e8261451aaaa0622f3befc106cd109fc7fc7429d86ddeef942e9ae33eca75b9a1388dbee03879711a7f809e71f9b37c10dff31547eb0d519199b
SSDEEP: 12288:U4C7lGik2XbR68ri58LYN3aBOVuFYy3qviH:OlHTbQ8GGLYNq9H
Static task: static1
Behavioral task: behavioral1
  Sample: 00e6f056c93844000da657f883763b37_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 00e6f056c93844000da657f883763b37_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Targets
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Looks for VMWare Tools registry key
- Modifies Windows Firewall
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
  - Active Setup (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
  - Active Setup (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Modify Registry (7)
- Impair Defenses (4)
  - Disable or Modify Tools (2)
  - Disable or Modify System Firewall (2)
- Virtualization/Sandbox Evasion (2)