General

  • Target

    6383d59b5b66a420bd0d3d6d5f1f9601_JaffaCakes118

  • Size

    257KB

  • Sample

    240722-rng1qasgjj

  • MD5

    6383d59b5b66a420bd0d3d6d5f1f9601

  • SHA1

    4363188e3440aa0e8ed3ea3a7ef4730e7648d6a1

  • SHA256

    180d259d7dbce511d557aad3313c7f5abe046a85582dfc3b2ad4d3676fc73d35

  • SHA512

    074e794047eec8e03eb2adc7f231895bf3f4d491382e3d7f25d542473b4c85b22700ddaa19bdfe607e0f1a7488a58e0d4fd5526547b77457cf8dbaad817d0602

  • SSDEEP

    6144:vw4visptXOMkxqkK3i5UqAPChSkTFuMgZCUSWgJX:4w/ptXOI3TqAcXTFuMghSWgZ

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      6383d59b5b66a420bd0d3d6d5f1f9601_JaffaCakes118

    • Size

      257KB

    • MD5

      6383d59b5b66a420bd0d3d6d5f1f9601

    • SHA1

      4363188e3440aa0e8ed3ea3a7ef4730e7648d6a1

    • SHA256

      180d259d7dbce511d557aad3313c7f5abe046a85582dfc3b2ad4d3676fc73d35

    • SHA512

      074e794047eec8e03eb2adc7f231895bf3f4d491382e3d7f25d542473b4c85b22700ddaa19bdfe607e0f1a7488a58e0d4fd5526547b77457cf8dbaad817d0602

    • SSDEEP

      6144:vw4visptXOMkxqkK3i5UqAPChSkTFuMgZCUSWgJX:4w/ptXOI3TqAcXTFuMghSWgZ

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks