General

  • Target

    638244d5f5e8399fadc11ab312f64454_JaffaCakes118

  • Size

    259KB

  • Sample

    240722-rmaj9asfnk

  • MD5

    638244d5f5e8399fadc11ab312f64454

  • SHA1

    db91fad9be1dfc986269000ab3c99c013c140169

  • SHA256

    d7f86053d2b017c34be231f4efde631c24babd941ec0808151472846774f505f

  • SHA512

    c1939f7a4b50a8d46ff8ca6f225cce95ceccedb69412e48c15b84d93cb211ac5728eb6b15c372caba50a7f392a4732a1b0f0575f801d9fb378bfb9c756d5593b

  • SSDEEP

    6144:r4kXDuXkhZHneC+j8uT6enLzVEGnmgOl1p1s+6W1E+Yi:rPT8k7He8uTfL7Epj6W7

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      638244d5f5e8399fadc11ab312f64454_JaffaCakes118

    • Size

      259KB

    • MD5

      638244d5f5e8399fadc11ab312f64454

    • SHA1

      db91fad9be1dfc986269000ab3c99c013c140169

    • SHA256

      d7f86053d2b017c34be231f4efde631c24babd941ec0808151472846774f505f

    • SHA512

      c1939f7a4b50a8d46ff8ca6f225cce95ceccedb69412e48c15b84d93cb211ac5728eb6b15c372caba50a7f392a4732a1b0f0575f801d9fb378bfb9c756d5593b

    • SSDEEP

      6144:r4kXDuXkhZHneC+j8uT6enLzVEGnmgOl1p1s+6W1E+Yi:rPT8k7He8uTfL7Epj6W7

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks