General

  • Target

    6373450b041a6baebd243c32899c1c23_JaffaCakes118

  • Size

    227KB

  • Sample

    240722-rbaqwa1bpb

  • MD5

    6373450b041a6baebd243c32899c1c23

  • SHA1

    2400be9b30b00d0f7c41227130f4886ea34bd3f6

  • SHA256

    a62fcb3ae52c25681b2ee552f35d93a6de340c69fd66d9d8271c4fd6cc94e2b8

  • SHA512

    7bd3a311e64d7fec23f1261be8c6a38f7008a1b060c549138f0a42d49e56a94c74ab72a395c06acb63083a44e30075e134dc97b419467043453399987b0e94af

  • SSDEEP

    3072:KkG4Ek8Ws+KJiotj+74J5luk/xHy7Znb8ivS+f9vgUTQz3uRAaYh3di:lG4Q++oEbIbPvS+fJgzP5di

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor
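The encoder named above is Metasploit's x86 call4_dword_xor: a short decoder stub that uses a `call $+4` trick to find its own address, then XORs the payload that follows it one dword at a time with a 4-byte key. The scanner below is an added example for this report, not code from the sample, the sandbox or Metasploit. The stub byte layout it matches is reproduced from memory and should be treated as an assumption (verify it against the encoder module before relying on it for production detection); the payload and key it decodes are constructed stand-ins, not bytes from this sample.

```python
"""Recognise and decode x86 call4_dword_xor stubs in a byte buffer."""
import re
import struct

# Stub layout assumed here (not copied from Metasploit):
#   31 c9                         xor  ecx, ecx
#   83 e9 XX | 81 e9 XX XX XX XX  sub  ecx, -count      (imm8 or imm32 form)
#   e8 ff ff ff ff                call $+4              (lands on the last ff byte)
#   c0                            ... ff c0 = inc eax   (the shared ff completes it)
#   5e                            pop  esi              (esi -> byte after the call)
#   81 76 0e KK KK KK KK          xor  dword [esi+0xe], key   (esi+0xe = payload)
#   83 ee fc                      sub  esi, -4
#   e2 f4                         loop xor
STUB_RE = re.compile(
    rb"\x31\xc9"
    rb"(?:\x83\xe9(.)|\x81\xe9(.{4}))"
    rb"\xe8\xff\xff\xff\xff\xc0\x5e"
    rb"\x81\x76\x0e(.{4})"
    rb"\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def xor_repeat(buf: bytes, key: bytes) -> bytes:
    """XOR buf with a repeating key; dword XOR with a little-endian key is the same thing."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def encode(payload: bytes, key: bytes) -> bytes:
    """Build a call4_dword_xor-style blob from a payload (used here only to construct test input)."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    if len(payload) % 4:
        payload += b"\x90" * (4 - len(payload) % 4)   # pad to a dword boundary (assumption)
    count = len(payload) // 4
    if count <= 128:
        sub = b"\x83\xe9" + struct.pack("<b", -count)  # sub ecx, imm8 (sign-extended)
    else:
        sub = b"\x81\xe9" + struct.pack("<i", -count)  # sub ecx, imm32
    stub = (b"\x31\xc9" + sub + b"\xe8\xff\xff\xff\xff\xc0\x5e"
            + b"\x81\x76\x0e" + key + b"\x83\xee\xfc\xe2\xf4")
    return stub + xor_repeat(payload, key)


def scan(data: bytes) -> list[dict]:
    """Find every stub in data, recover count and key, and decode the dwords that follow."""
    hits = []
    for m in STUB_RE.finditer(data):
        imm8, imm32, key = m.group(1), m.group(2), m.group(3)
        if imm8 is not None:
            count = -struct.unpack("<b", imm8)[0]
        else:
            count = -struct.unpack("<i", imm32)[0]
        if count <= 0:
            continue                      # "sub ecx, +N" is not this stub
        start = m.end()                   # payload begins right after "loop"
        encoded = data[start:start + 4 * count]
        if len(encoded) != 4 * count:
            continue                      # stub claims more data than the buffer holds
        hits.append({"offset": m.start(), "key": key.hex(), "count": count,
                     "decoded": xor_repeat(encoded, key)})
    return hits


# Constructed sample input: plain text standing in for a stager, wrapped in filler bytes.
CONSTRUCTED_PAYLOAD = b"constructed plaintext, not shellcode!"   # 37 bytes -> 10 dwords
CONSTRUCTED_KEY = b"\x13\x37\xc0\xde"
CONSTRUCTED_BLOB = b"\x00" * 16 + encode(CONSTRUCTED_PAYLOAD, CONSTRUCTED_KEY) + b"\xcc" * 8


def demo() -> list[dict]:
    """Scan the constructed blob; returns one hit at offset 16 with key 1337c0de."""
    return scan(CONSTRUCTED_BLOB)


if __name__ == "__main__":
    for hit in demo():
        print(f"stub at 0x{hit['offset']:x} key={hit['key']} dwords={hit['count']}")
        print(hit["decoded"])
```

Run `scan()` over a dumped memory region or the raw file; the decoded bytes are what the stub would hand to the CPU, so feed them to a disassembler rather than trusting the text. Because the key is read from the stub itself, no brute force is needed, but a stub whose `sub ecx` was emitted in a different encoding to dodge bad characters will not match this pattern.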

Targets

    • Target

      6373450b041a6baebd243c32899c1c23_JaffaCakes118

    • Size

      227KB

    • MD5

      6373450b041a6baebd243c32899c1c23

    • SHA1

      2400be9b30b00d0f7c41227130f4886ea34bd3f6

    • SHA256

      a62fcb3ae52c25681b2ee552f35d93a6de340c69fd66d9d8271c4fd6cc94e2b8

    • SHA512

      7bd3a311e64d7fec23f1261be8c6a38f7008a1b060c549138f0a42d49e56a94c74ab72a395c06acb63083a44e30075e134dc97b419467043453399987b0e94af

    • SSDEEP

      3072:KkG4Ek8Ws+KJiotj+74J5luk/xHy7Znb8ivS+f9vgUTQz3uRAaYh3di:lG4Q++oEbIbPvS+fJgzP5di

    • MetaSploit

      Detected a malicious payload belonging to the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Maps connected drives based on registry

      Disk information is often read to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
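The UPX signature above fires on artefacts that a stock UPX build leaves in the PE header: section names UPX0/UPX1 and a "UPX!" magic in its info block. The checker below is an added example of that triage logic, not code from the sandbox or the sample. It walks the section table by hand (no third-party PE parser), and the PE fixtures it tests against are constructed header-only stubs, not bytes from this file. A modified UPX usually renames both artefacts, so a negative result is not proof the file is unpacked.

```python
"""Report UPX indicators from a PE file's headers."""
import struct
import sys

COFF_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                           # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE section table and return section names in file order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER) > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER, data, coff)
    table = coff + struct.calcsize(COFF_HEADER) + size_opt
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]                   # Name is the first 8 bytes, NUL-padded
        if len(raw) < 8:
            raise ValueError("section table runs past end of file")
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Return the UPX-related observations for one PE image."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    # Stock UPX writes its "UPX!" magic just after the section table; searching the
    # first 4 KiB is an assumption that holds for ordinary builds.
    has_magic = b"UPX!" in data[:4096]
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "likely_upx": bool(upx_sections) or has_magic,
    }


def build_header_only_pe(section_names: list[str], trailer: bytes = b"") -> bytes:
    """Constructed test fixture: a PE32 header with the given section names (not loadable)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_opt = 0xE0                                   # size of a PE32 optional header
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")   # magic 0x10b = PE32
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + trailer


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            print(upx_indicators(fh.read()))
    else:   # no file given: show the constructed fixtures
        print(upx_indicators(build_header_only_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!")))
        print(upx_indicators(build_header_only_pe([".text", ".rdata", ".data"])))
```

Treat `likely_upx` as a hint to try `upx -d` first; if that fails on a file that still shows these markers, the packer was modified and the sample needs to be dumped from memory after the unpacking stub runs.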

MITRE ATT&CK Enterprise v15