General

  • Target

    0125d86eb826a17743360740ea6e6833_JaffaCakes118

  • Size

    214KB

  • Sample

    240622-eghbpa1arl

  • MD5

    0125d86eb826a17743360740ea6e6833

  • SHA1

    ed2af242ac310ca1a48869b08100f515c46e2989

  • SHA256

    0de32e41371209e04fdb5fdf813322d0b942c8fb0b83bd975064887053db82b8

  • SHA512

    8803d167bcf4b0e3ad4f9103332077a8375bc09a56a7b4a02e9285c808badb19cc703a7e46bd0ce44e37cc4e3b678f0aede55c2746625aca2f54d1a92b0b19c9

  • SSDEEP

    6144:aK2edDW4eeXTO95oKnwGHUUEIYV/+al+h17Lr:abx41q9+ngYVrl+vb

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15