General

  • Target

    637f7cfaff1bca03dcd61c4038826104_JaffaCakes118

  • Size

    266KB

  • Sample

    240722-rkj1xa1fqe

  • MD5

    637f7cfaff1bca03dcd61c4038826104

  • SHA1

    9921310fa81c7d6cd1fa8a828cb5e312fc5de723

  • SHA256

    731c0b3b7f3a54b6ee5d666b714eacf7c888b6652e9557088704bbf6181ce080

  • SHA512

    95e44ac9c039a9f7ae2d65149880581439a085d3db05248b560a4256933a1f16a2039b771450126669934d861a4ab2b5d542716f00121e558a87b77ad3f3410d

  • SSDEEP

    3072:lA+SELsvLvfADStEvuexgoSRGqkNhjH3OnhpJwhS8l2VI6+:l74LWvmPRqTjefM16

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks