General

  • Target

    06a1130ed8cc328b84f678410f54bf58_JaffaCakes118

  • Size

    536KB

  • Sample

    240620-raf69svgrq

  • MD5

    06a1130ed8cc328b84f678410f54bf58

  • SHA1

    310319f2d9f459e2d347f72c1b68b7176609ef45

  • SHA256

    9599cee6a43dc50db2fa1e68e5571efcccca314f59bd42b6c08706ad6d41bbf5

  • SHA512

    5ae9e0daf931d9b8e11b9c73d40f5fb6e6d8f25391d69ff54db67c89fb76a7a33ecf90f2decbb64c81960a0a9a8fa614c2af6c76fb62d6afbcd1b0eaf0e3f43f

  • SSDEEP

    12288:Jpb/ir7hhARq3/T4GHQSRvJ/ulYPCz+HavEwEQFrN:Jt/ir7bAK/ZFMlY8+HN9w

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Targets

    • Target

      06a1130ed8cc328b84f678410f54bf58_JaffaCakes118

    • Size

      536KB

    • MD5

      06a1130ed8cc328b84f678410f54bf58

    • SHA1

      310319f2d9f459e2d347f72c1b68b7176609ef45

    • SHA256

      9599cee6a43dc50db2fa1e68e5571efcccca314f59bd42b6c08706ad6d41bbf5

    • SHA512

      5ae9e0daf931d9b8e11b9c73d40f5fb6e6d8f25391d69ff54db67c89fb76a7a33ecf90f2decbb64c81960a0a9a8fa614c2af6c76fb62d6afbcd1b0eaf0e3f43f

    • SSDEEP

      12288:Jpb/ir7hhARq3/T4GHQSRvJ/ulYPCz+HavEwEQFrN:Jt/ir7bAK/ZFMlY8+HN9w

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

Tasks