General

  • Target

    291c260e86543ec77dbe9ee075d36352_JaffaCakes118

  • Size

    245KB

  • Sample

    240706-wnn69azgrf

  • MD5

    291c260e86543ec77dbe9ee075d36352

  • SHA1

    a4ed33c519be32d1953aeab38f13ad8710cbe560

  • SHA256

    44b360cb402fc1ff22c8dbc73276d1b8fdada24cb1958b29a4022a2e27b4786b

  • SHA512

    a88d01f9e504674aa19afe5e6aa1fece47d6e3501712b2b2a1974339b4ddccc3d14386da0035795f93773c4f8e6ef3229ba0397f7b8bedab50c901583a64f84f

  • SSDEEP

    6144:MoNGsn29WS7e5VqgPh1nRdCrqgCB8PXIHR8:MoNG62L7OrTem1+Xm

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      291c260e86543ec77dbe9ee075d36352_JaffaCakes118

    • Size

      245KB

    • MD5

      291c260e86543ec77dbe9ee075d36352

    • SHA1

      a4ed33c519be32d1953aeab38f13ad8710cbe560

    • SHA256

      44b360cb402fc1ff22c8dbc73276d1b8fdada24cb1958b29a4022a2e27b4786b

    • SHA512

      a88d01f9e504674aa19afe5e6aa1fece47d6e3501712b2b2a1974339b4ddccc3d14386da0035795f93773c4f8e6ef3229ba0397f7b8bedab50c901583a64f84f

    • SSDEEP

      6144:MoNGsn29WS7e5VqgPh1nRdCrqgCB8PXIHR8:MoNG62L7OrTem1+Xm

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks