General

  • Target: 298f9d488bc4be556da9c5337e1edcc6_JaffaCakes118

  • Size: 196KB

  • Sample: 240706-289xcawgpl

  • MD5: 298f9d488bc4be556da9c5337e1edcc6

  • SHA1: 55afb3f7ef5986b6b09a28e7c017cec4dcdd0b62

  • SHA256: b6f109263ff51089cfd055e9dae9e53a72cb8fdd68e641367387d840ccfbe226

  • SHA512: 50e245a58cc505e90d43bf3572dd77bdb981253c6e25c0a40ac6625b5f948c5098c3b73e9bb10a78c9e840d7c50dd076c516fb72a61d8e1ba479dd271e4c7bcc

  • SSDEEP: 3072:mfxmIa3QHnjlvhMIvjVujeBVe+VFE0nGmlBh133Aqtz4p2fHaNAL+U:m5WMbvj8qnzVFE9Yh1Ftz4pUaNA+U

Malware Config

Extracted

  • Family: metasploit

  • Version: encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Reads disk information from the registry, which is often done to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks