General

  • Target

    26c967c0ba12ac44b19a102e6fac61cd_JaffaCakes118

  • Size

    135KB

  • Sample

    240705-kazkaavfmr

  • MD5

    26c967c0ba12ac44b19a102e6fac61cd

  • SHA1

    80dc31e5fe7d1bfce226a57ef2cc776f47fd2fad

  • SHA256

    1c8498ba8e223000d090fc11adb6d3e3241a277de0af7f189d30b7b1d3cb09f9

  • SHA512

    8b520a74b6c512818a23f8a505a208c2a736d3201813c6baab3cb50ced1ee36fba32ecc233ecdf83b1b44058f2a9229e250085de313cda5e19f856faa7d06b7b

  • SSDEEP

    3072:CH9bjcZTXZ+pm9oCnCgWx+LMFPCluE7Tzz7i7S6S+jWSlDy:Yjjw97nCgWxjx07TXGe6SyWSNy

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      Picture65.JPG_www.facebook.com

    • Size

      154KB

    • MD5

      5ac3b1e5dbe9f4bcc7e91e5273b62f69

    • SHA1

      a8aa38fd102891576ec1b1cc2a8de61e2091a725

    • SHA256

      4f4b1473a5f7a50f428f4c59c1d0e53907873252b035e7cb222a548f334040a0

    • SHA512

      7077e2a91db7e91d4e97488ba02e73b416a39691d246803c1ef583b35c8843ed6e0a5838af46480e0fbbc823152aee32dd119cf68322975492070e6118caadcd

    • SSDEEP

      3072:q86+hGt0hLdn49oCnCgWxqLMFPCluE7Tz77i7S6S+jWSso:j3T497nCgWxHx07T3Ge6SyWSso

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks