vobfus | b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81 | Triage

Submit
Reports

Overview

overview

Static

static

3

bf5137a869...18.exe

windows7-x64

bf5137a869...18.exe

windows10-2004-x64

Sharing

General

Target

bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118
Size

269KB
Sample

240824-yye3fayenq
MD5

bf5137a8691cf5d59d4d0359648ef90d
SHA1

7c13db66a92798f1412c8bf599a116e9cf0797c6
SHA256

b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81
SHA512

2296c1e53ae29d2ce72d0a971cb6ecd465cc4ac6b15db30e59167f247c951febbf986581604d253991d50ad9f9f262ea963ed95e81bd85e40dfa95c4264ab7d2
SSDEEP

6144:bAiU9siB9LdRGEjXfO5T1ERn+Q6JqZgDiCP9tbsXkJn2IoS:bAHLXG4PO5TaR+QnZgDi7XIoS

Score

10^/10

vobfus discovery persistence upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe

Resource

win7-20240729-en

vobfus discovery persistence upx worm

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118.exe

Resource

win10v2004-20240802-en

vobfus discovery persistence upx worm

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  bf5137a8691cf5d59d4d0359648ef90d_JaffaCakes118
- Size
  
  269KB
- MD5
  
  bf5137a8691cf5d59d4d0359648ef90d
- SHA1
  
  7c13db66a92798f1412c8bf599a116e9cf0797c6
- SHA256
  
  b945453f44671ddd85464d4d6831879eb0fab2fc5cc270d48fc7546aa012cd81
- SHA512
  
  2296c1e53ae29d2ce72d0a971cb6ecd465cc4ac6b15db30e59167f247c951febbf986581604d253991d50ad9f9f262ea963ed95e81bd85e40dfa95c4264ab7d2
- SSDEEP
  
  6144:bAiU9siB9LdRGEjXfO5T1ERn+Q6JqZgDiCP9tbsXkJn2IoS:bAHLXG4PO5TaR+QnZgDi7XIoS
Score

10^/10

vobfus discovery persistence upx worm
- Vobfus
  A widespread worm which spreads via network drives and removable media.
  worm vobfus
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

vobfusdiscoverypersistenceupxworm

behavioral2

vobfusdiscoverypersistenceupxworm

© 2018-2025

Terms | Privacy