General

  • Target

    6324a542dae6120db2212607a1224010_JaffaCakes118

  • Size

    162KB

  • Sample

    240722-n5c7bawemd

  • MD5

    6324a542dae6120db2212607a1224010

  • SHA1

    d8ea96c72af2807ba66a0a04f3f4157074955180

  • SHA256

    bde90c06e586e72b8139ebccc122f533a283c81ed6df4372ebfc62b56caa66a0

  • SHA512

    5720f33a6985b9243c43197e7fae15a59aa0ea02f9930f9c4840ce5a7fcccc1884b6302f11127faab7d5736b434ff888b84c26e072a8c549bb648aefde0102a8

  • SSDEEP

    3072:GbarHr7T5VK8xiCHtJlqkVYd9jEiAdY9wywJczivSi/o:GurLZtJlqk66dY9wyUczi6Ko

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks