Extracted

• • Target

    d4423546116f52e7d8c6b871ae09766a_JaffaCakes118

  • Size

    255KB

  • MD5

    d4423546116f52e7d8c6b871ae09766a

  • SHA1

    bfc7641da8554acad29cd8dd073da42a58a6f4e7

  • SHA256

    d96612e554c0881095fe528df5241defe2d3daf825a675292098bf5f5463d05b

  • SHA512

    3e9e8cb9c6da821523f6f0d02f1fa4935eb6b02248b8aac520aeec1cd20a65d686f4457e07d256172b8feca6a733318b9abc5f23617c6600be523f73fd958e6e

  • SSDEEP

    6144:Jgw3L+3kUKOALinrGAf38QJaElUBxXcA0JmBdYtk7ce:Jb7IkUKOrrGYsaZWzvi4J7c

  Score

  10^/10

  metasploitbackdoordiscoverytrojanupxevasionpersistence

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies firewall policy service

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2