General

  • Target

    623fe5e47d1e66288d3b806a47586545_JaffaCakes118

  • Size

    158KB

  • Sample

    240722-h2fkdavdmm

  • MD5

    623fe5e47d1e66288d3b806a47586545

  • SHA1

    fc1971740abf08985e00c39663724083996925da

  • SHA256

    257911e607b00c181ef7f4570c6594e28fc3e426737906b30423ac068b5d7e3a

  • SHA512

    b28e97c340ed9b44a014d921ea14ae3528540ed44cf77ab8fb1c51023b10a36f64078e9687b8408d60d3508d82fb72fa3781c7c58f08ab171ea7f2c7ede5df56

  • SSDEEP

    3072:AbgIiyCNZTbljsXM22FBnSW6abBlpd2xV5oKUiYc1XQuQUATNXu1QuR5Q+RL/:AbMNvC+tBlPyoKnYc1XO9MNF/

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      623fe5e47d1e66288d3b806a47586545_JaffaCakes118

    • Size

      158KB

    • MD5

      623fe5e47d1e66288d3b806a47586545

    • SHA1

      fc1971740abf08985e00c39663724083996925da

    • SHA256

      257911e607b00c181ef7f4570c6594e28fc3e426737906b30423ac068b5d7e3a

    • SHA512

      b28e97c340ed9b44a014d921ea14ae3528540ed44cf77ab8fb1c51023b10a36f64078e9687b8408d60d3508d82fb72fa3781c7c58f08ab171ea7f2c7ede5df56

    • SSDEEP

      3072:AbgIiyCNZTbljsXM22FBnSW6abBlpd2xV5oKUiYc1XQuQUATNXu1QuR5Q+RL/:AbMNvC+tBlPyoKnYc1XO9MNF/

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks