General

  • Target

    0934552b0a7261cedff713fafcf6c77f_JaffaCakes118

  • Size

    253KB

  • Sample

    240620-yhbebavclg

  • MD5

    0934552b0a7261cedff713fafcf6c77f

  • SHA1

    0ee02cdd377d3eb0b31d7111d826e347707eebff

  • SHA256

    893bf1a2fa8061aaf5434ee7345e681bfd04b98e114e487662fd40aca9aac4de

  • SHA512

    653eee42be526c1d8081fcff309136a87e40e0a824565e3b17776342b01350a678f12773f8c793d20a95244f84ba993383db6a0b9211816d42372da28e0e3dd4

  • SSDEEP

    3072:KbsUtq7WH2ZRTUKGkpRu2yW0aXUAtJlo9N1vdX1rgdvwV/Zq3/zUyAN9HyPk/f12:KbsUESHsRQKfwGhohH/ZuzU9Dn1T

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor
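
The extracted config names the encoder rather than a payload version: call4_dword_xor is Metasploit's x86 encoder that XORs the payload dword by dword with a 32-bit key and prepends a small decoder stub that locates itself with a call $+4 trick. The key is random per build, so the encoded body is not a usable signature; the stub is. The example below is added here and is not code from the sandbox report or from Metasploit: it builds a blob encoded the same way, then scans for the stub, pulls the key out and recovers the plaintext. Assumptions are labelled: the stub bytes are reproduced from memory of Metasploit's encoders/x86/call4_dword_xor.rb, the counter prologue is fixed to "xor ecx,ecx; sub ecx,-N" with an 8-bit N (Metasploit picks among several encodings), the payload is zero-padded to a dword boundary, and SAMPLE_PAYLOAD is a constructed stager fragment, not bytes from this sample.

```python
# Added example (not from the sandbox report and not Metasploit's own code):
# layout of an x86/call4_dword_xor-encoded payload, plus a scanner that pulls
# the key out of a blob and recovers the plaintext.
# Assumptions: stub bytes reproduced from memory of Metasploit's
# encoders/x86/call4_dword_xor.rb; counter prologue fixed to
# "xor ecx,ecx; sub ecx,-N" with 8-bit N; payload zero-padded to a dword.
import struct

# Decoder stub, offsets relative to the call:
#   00  e8 ff ff ff ff   call $+4      ; lands on the last ff, decoded as "ff c0"
#   05  ff c0            inc eax
#   06  5e               pop esi       ; esi = return address = offset 05
#   07  81 76 0e KKKK    xor dword [esi+0x0e], key   ; esi+0x0e = offset 0x13
#   0e  83 ee fc         sub esi, -4   ; esi += 4
#   11  e2 f4            loop          ; back to the xor at offset 07
#   13  <encoded payload, ecx dwords>
STUB_HEAD = bytes.fromhex("e8ffffffffc05e81760e")   # everything before the key
STUB_TAIL = bytes.fromhex("83eefce2f4")             # everything after the key
PROLOGUE = bytes.fromhex("31c983e9")                # xor ecx,ecx ; sub ecx, imm8 (assumed form)


def _xor_dwords(data: bytes, key: int) -> bytes:
    """XOR each little-endian dword of data with key (len(data) must be a multiple of 4)."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def encode_call4_dword_xor(payload: bytes, key: int) -> bytes:
    """Wrap payload in a call4_dword_xor-style decoder stub using the given 32-bit key."""
    padded = payload + b"\x00" * (-len(payload) % 4)   # assumption: zero padding
    count = len(padded) // 4
    if not 1 <= count <= 127:
        raise ValueError("this example only supports the imm8 counter form (1..127 dwords)")
    prologue = PROLOGUE + bytes([(-count) & 0xFF])      # sub ecx, -count  ->  ecx = count
    return prologue + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL + _xor_dwords(padded, key)


def find_and_decode(blob: bytes):
    """Locate the stub in blob; return (stub_offset, key, decoded_bytes), or None if absent."""
    i = blob.find(STUB_HEAD)
    if i < 0:
        return None
    k = i + len(STUB_HEAD)                               # the key sits right after "81 76 0e"
    if blob[k + 4 : k + 4 + len(STUB_TAIL)] != STUB_TAIL:
        return None                                      # not the stub we know
    key = struct.unpack("<I", blob[k : k + 4])[0]
    body = blob[k + 4 + len(STUB_TAIL) :]
    # If the assumed counter prologue precedes the call, use it to bound the decode;
    # otherwise decode everything that follows (trailing bytes come out as garbage).
    if i >= 5 and blob[i - 5 : i - 1] == PROLOGUE:
        count = (-blob[i - 1]) & 0xFF
        body = body[: count * 4]
    body = body[: len(body) - len(body) % 4]
    return i, key, _xor_dwords(body, key)


# Constructed sample input: the first 9 bytes of a typical Windows x86 stager
# (cld; call; pushad; mov ebp,esp). Not taken from the report's file.
SAMPLE_PAYLOAD = bytes.fromhex("fce8820000006089e5")

if __name__ == "__main__":
    blob = b"\x90" * 16 + encode_call4_dword_xor(SAMPLE_PAYLOAD, 0x41424344) + b"\xcc" * 8
    print(find_and_decode(blob))
```

Against this sample you would first unpack the UPX layer (see the UPX signature below), then run find_and_decode over the unpacked image; anchoring the search on the ten fixed bytes after the counter prologue is what makes the match independent of the per-build key and of which sub encoding Metasploit chose.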

Targets

    • Target

      0934552b0a7261cedff713fafcf6c77f_JaffaCakes118

    • Size

      253KB

    • MD5

      0934552b0a7261cedff713fafcf6c77f

    • SHA1

      0ee02cdd377d3eb0b31d7111d826e347707eebff

    • SHA256

      893bf1a2fa8061aaf5434ee7345e681bfd04b98e114e487662fd40aca9aac4de

    • SHA512

      653eee42be526c1d8081fcff309136a87e40e0a824565e3b17776342b01350a678f12773f8c793d20a95244f84ba993383db6a0b9211816d42372da28e0e3dd4

    • SSDEEP

      3072:KbsUtq7WH2ZRTUKGkpRu2yW0aXUAtJlo9N1vdX1rgdvwV/Zq3/zUyAN9HyPk/f12:KbsUESHsRQKfwGhohH/ZuzU9Dn1T

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or similar; the extracted config above identifies the x86 call4_dword_xor encoder.

    • Modifies firewall policy service

      Writes Windows Firewall policy settings (mapped to T1562.004 below).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

      Removes its own executable after running, which hinders later collection of the original file.

    • Executes dropped EXE

      Runs a second executable that it wrote to disk.

    • UPX packed file

      The executable is packed with UPX or a modified UPX build (open-source packer). Unpack it before static analysis; a modified UPX build may defeat the stock upx -d.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so that the application starts at logon (T1547.001 below).

    • Maps connected drives based on registry

      Reads disk enumeration data from the registry; disk information is often checked to detect sandbox environments.

    • Drops file in System32 directory

      Writes a file into the Windows System32 directory, which requires administrative privileges.

    • Suspicious use of SetThreadContext

      Setting another thread's context is the step in process hollowing and thread hijacking that redirects a suspended thread's instruction pointer into injected code.
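
Four of the signatures above are driven purely by registry activity, and the ATT&CK cells below are derived from them. The example that follows is added here and is not part of the sandbox report: it shows triage logic that maps registry reads and writes onto the report's own signature names and technique IDs, run over a constructed trace. The trace line format, the process names and the value names in it are hypothetical (the sandbox's real trace looks different); the registry paths are real Windows locations, but which exact paths each of the report's signatures is keyed on is an assumption, as is the signature-to-technique attribution.

```python
# Added example, not part of the sandbox report: triage logic that maps
# registry activity onto the report's signature names and ATT&CK IDs.
# Assumptions: the trace line format is invented for this example; process
# and value names are hypothetical; the key paths are real Windows locations
# but which ones the sandbox's signatures key on is a guess.
import re

WRITE_APIS = {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW", "RegDeleteValueW"}
READ_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "RegQueryValueExA", "RegEnumValueW"}

# (signature name as in the report, ATT&CK IDs it contributes to, op class, key pattern)
RULES = [
    ("Adds Run key to start application", ("T1547.001",), "write",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)),
    ("Modifies firewall policy service", ("T1112", "T1562.004"), "write",
     re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)),
    ("Checks computer location settings", ("T1012", "T1082"), "read",
     re.compile(r"\\Control Panel\\International\\Geo$", re.I)),
    ("Maps connected drives based on registry", ("T1012", "T1082", "T1120"), "read",
     re.compile(r"\\Services\\Disk\\Enum$", re.I)),
]

LINE_RE = re.compile(
    r'pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+) key="(?P<key>[^"]+)" value="(?P<value>[^"]*)"'
)

# Constructed trace: a sample process reading geo and disk info, a dropped child
# writing persistence and firewall policy, and a benign explorer.exe read of the
# Run key that must not fire (reads of Run are normal; writes are the signal).
SAMPLE_TRACE = [
    'pid=1312 image=C:\\Users\\Admin\\Desktop\\sample.exe api=RegOpenKeyExW key="HKCU\\Control Panel\\International\\Geo" value=""',
    'pid=1312 image=C:\\Users\\Admin\\Desktop\\sample.exe api=RegQueryValueExW key="HKCU\\Control Panel\\International\\Geo" value="Nation"',
    'pid=1312 image=C:\\Users\\Admin\\Desktop\\sample.exe api=RegQueryValueExW key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum" value="0"',
    'pid=2204 image=C:\\Windows\\System32\\dropped.exe api=RegSetValueExW key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" value="EnableFirewall"',
    'pid=2204 image=C:\\Windows\\System32\\dropped.exe api=RegSetValueExW key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="dropped"',
    'pid=800 image=C:\\Windows\\explorer.exe api=RegQueryValueExW key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="OneDrive"',
]


def parse_line(line: str):
    """Parse one constructed trace line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def classify(ev: dict):
    """Return [(signature, techniques)] for every rule the event satisfies."""
    if ev["api"] in WRITE_APIS:
        op = "write"
    elif ev["api"] in READ_APIS:
        op = "read"
    else:
        return []
    return [(name, techs) for name, techs, cls, rx in RULES if cls == op and rx.search(ev["key"])]


def triage(lines):
    """Aggregate hits per process: {pid: {"image", "signatures", "techniques"}}; quiet processes are omitted."""
    out = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, techs in classify(ev):
            rec = out.setdefault(ev["pid"], {"image": ev["image"], "signatures": set(), "techniques": set()})
            rec["signatures"].add(name)
            rec["techniques"].update(techs)
    return out


if __name__ == "__main__":
    for pid, rec in triage(SAMPLE_TRACE).items():
        print(pid, rec["image"], sorted(rec["signatures"]), sorted(rec["techniques"]))
```

Splitting rules by read versus write is the point worth keeping: the persistence and firewall signatures only mean something on a write, while the geo and disk checks are reads that a sandbox records but an endpoint sensor such as Sysmon does not, so the discovery half of this logic needs an API-level trace rather than registry-write telemetry.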

MITRE ATT&CK Matrix ATT&CK v13

Techniques are grouped by tactic; the count after each ID is the number of signatures above that map to that technique. A technique appears under more than one tactic where ATT&CK lists it that way.

Persistence

    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

    • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

    • Modify Registry (T1112): 2
    • Impair Defenses (T1562): 1
    • Disable or Modify System Firewall (T1562.004): 1

Discovery

    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 3
    • Peripheral Device Discovery (T1120): 1
