General

  • Target

    07d995a671f7adce78adce20860c0d52_JaffaCakes118

  • Size

    245KB

  • Sample

    240624-l29p1awglh

  • MD5

    07d995a671f7adce78adce20860c0d52

  • SHA1

    be004d435d71d6237159595b4a3567cf9ef3d555

  • SHA256

    48d1cf7b2581f906d9a0de81e2ee64bdbb95ad86a52473ff2058d6172c8834c4

  • SHA512

    00dcc44f671066c493e85027f06bb6c7f7956971b82566ab4b7d98de9053a9b11878d7903f6b67c0940ec94989078cb0aecd9d7eeb40d49db047eb2d88301cef

  • SSDEEP

    6144:/bHX3VYhxSrtegif2dzQ63/lyfXD2zhW6OEdMph:/bn+hxSrtGf2dzxoSF+j

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      07d995a671f7adce78adce20860c0d52_JaffaCakes118

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks