General

  • Target

    290b36fb84b43a8d493afabd9fda7d7f_JaffaCakes118

  • Size

    254KB

  • Sample

    240706-waeqnaxcpq

  • MD5

    290b36fb84b43a8d493afabd9fda7d7f

  • SHA1

    eb0e32a26ea3eddcdfe24dbdafca7495699853e9

  • SHA256

    8d9b281d2824200cc49d688e6c4e887fb8f12fd1266f652d2745717b071cef37

  • SHA512

    f379b00514d95bdbfed2908bd52e25c79ee9de9db0d5fb7615d481169f4d23da8bcea7747b34f426d4d31ac364fb0ab9eac98965f2e142943ace6f38b3ddc18e

  • SSDEEP

    6144:pihZB1EMcEfiE50WShDj8/0PRDLTWR8CM:piLgMRfDacMPoR8CM

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      290b36fb84b43a8d493afabd9fda7d7f_JaffaCakes118

    • Size

      254KB

    • MD5

      290b36fb84b43a8d493afabd9fda7d7f

    • SHA1

      eb0e32a26ea3eddcdfe24dbdafca7495699853e9

    • SHA256

      8d9b281d2824200cc49d688e6c4e887fb8f12fd1266f652d2745717b071cef37

    • SHA512

      f379b00514d95bdbfed2908bd52e25c79ee9de9db0d5fb7615d481169f4d23da8bcea7747b34f426d4d31ac364fb0ab9eac98965f2e142943ace6f38b3ddc18e

    • SSDEEP

      6144:pihZB1EMcEfiE50WShDj8/0PRDLTWR8CM:piLgMRfDacMPoR8CM

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks