General

  • Target

    0171d49f1f22bbad81e76e21be62d669_JaffaCakes118

  • Size

    161KB

  • Sample

    240622-fwzd7atemq

  • MD5

    0171d49f1f22bbad81e76e21be62d669

  • SHA1

    32040c95d3b19af33746b11adc5c8f6c136c2a6c

  • SHA256

    bb24409ce06416dc1fd57b8babbc11712bbdcfe5ce68177a6a91d3fa42ab43b4

  • SHA512

    bb31e0c7292973de10c1a339c44967f08f225ab03b8f9123abe02fcb960ebd322bb836f43676f5aa2f630b7d2fab6cd92ff620a0f336d989bb10293dd4b21b59

  • SSDEEP

    3072:T2KB+5f91dXkbxMhiHLqYbsXDM+P5XnG4wrS2BNa:T2H1dX6xMhuLqYAXRP9GVS2BNa

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      0171d49f1f22bbad81e76e21be62d669_JaffaCakes118

    • Size

      161KB

    • MD5

      0171d49f1f22bbad81e76e21be62d669

    • SHA1

      32040c95d3b19af33746b11adc5c8f6c136c2a6c

    • SHA256

      bb24409ce06416dc1fd57b8babbc11712bbdcfe5ce68177a6a91d3fa42ab43b4

    • SHA512

      bb31e0c7292973de10c1a339c44967f08f225ab03b8f9123abe02fcb960ebd322bb836f43676f5aa2f630b7d2fab6cd92ff620a0f336d989bb10293dd4b21b59

    • SSDEEP

      3072:T2KB+5f91dXkbxMhiHLqYbsXDM+P5XnG4wrS2BNa:T2H1dX6xMhuLqYAXRP9GVS2BNa

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks