Extracted

• • Target

    a61e41bf23d358c06b49ed609769b908_JaffaCakes118

  • Size

    148KB

  • MD5

    a61e41bf23d358c06b49ed609769b908

  • SHA1

    d217a18a4f87562d2bc9e944a4c4c76284b06c3b

  • SHA256

    0ec1d093cfdeffaef6247a6afaf4bc0429a1d9e2ea3319390cff7b1915f9b73c

  • SHA512

    2053197f329b53bcef1be7ac9175926ba57a5cc9c40a010eefab036fa8203df14bf4c9acfdddf058eb9d259bd73919544b93c5345249e2d9e0ec91fb3838fdfb

  • SSDEEP

    3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd

  Score

  10^/10

  metasploitbackdoordiscoveryevasionpersistenceprivilege_escalationtrojan

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Looks for VMWare Tools registry key

    evasion

  • Modifies Windows Firewall

    evasion

  • Deletes itself

  • Executes dropped EXE

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2