General

  • Target

    29a8d70b1ce02cc78adef4a9bccdf73b_JaffaCakes118

  • Size

    196KB

  • Sample

    240707-cd89wssgrd

  • MD5

    29a8d70b1ce02cc78adef4a9bccdf73b

  • SHA1

    266705a1e434488795751f6501c0f2317bbc2178

  • SHA256

    2f0ff81fa08e85e788c23c6e44b6bd9a2381879c6747eaa54bb8ac5e58e5eb57

  • SHA512

    563b8da239b75d9daac4fb4e6eeb8b55cd9382abf59d092c55659bb1d14c63c6a09131ec2c89f02cb72e2277a020dfedd617df88bbc8da0c43856c4223b9bb4d

  • SSDEEP

    3072:2t7uWT680Wo8BlzYj9PrkwnZ7/QbOncHs97WQb56b:2tiWT63/+2/dc+7hAb

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      29a8d70b1ce02cc78adef4a9bccdf73b_JaffaCakes118

    • Size

      196KB

    • MD5

      29a8d70b1ce02cc78adef4a9bccdf73b

    • SHA1

      266705a1e434488795751f6501c0f2317bbc2178

    • SHA256

      2f0ff81fa08e85e788c23c6e44b6bd9a2381879c6747eaa54bb8ac5e58e5eb57

    • SHA512

      563b8da239b75d9daac4fb4e6eeb8b55cd9382abf59d092c55659bb1d14c63c6a09131ec2c89f02cb72e2277a020dfedd617df88bbc8da0c43856c4223b9bb4d

    • SSDEEP

      3072:2t7uWT680Wo8BlzYj9PrkwnZ7/QbOncHs97WQb56b:2tiWT63/+2/dc+7hAb

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks