Overview

overview

10

Static

static

3

dd311b9496...18.exe

windows7-x64

10

dd311b9496...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd311b9496cfb87a07d7990e7a3127b8_JaffaCakes118

  • Size

    213KB

  • Sample

    240912-2vcdxszbrj

  • MD5

    dd311b9496cfb87a07d7990e7a3127b8

  • SHA1

    817b1e70a94203221e4901740c0e4c915b5c7777

  • SHA256

    b20b391c2d32ee1d3609db547888e894c09161f5933c521e194edb3ca6301586

  • SHA512

    8b0cacf1a10183e9e91fd4402b85b05f333d06f23f22bdbddc85efd2f64eaa611865034c4bf8e5c8ce50e3f834bcc39e2320246418c391f56699d70488bfe5a0

  • SSDEEP

    3072:WWtDChHWBzQHLiudSxdTItA6D3ddUv5Jt0i2rWYf3jIVvanH4I3pGlgoXM:WADxzQC9lMIN72S4OrGAGoXM

Score
10/10
metasploitbackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      dd311b9496cfb87a07d7990e7a3127b8_JaffaCakes118

    • Size

      213KB

    • MD5

      dd311b9496cfb87a07d7990e7a3127b8

    • SHA1

      817b1e70a94203221e4901740c0e4c915b5c7777

    • SHA256

      b20b391c2d32ee1d3609db547888e894c09161f5933c521e194edb3ca6301586

    • SHA512

      8b0cacf1a10183e9e91fd4402b85b05f333d06f23f22bdbddc85efd2f64eaa611865034c4bf8e5c8ce50e3f834bcc39e2320246418c391f56699d70488bfe5a0

    • SSDEEP

      3072:WWtDChHWBzQHLiudSxdTItA6D3ddUv5Jt0i2rWYf3jIVvanH4I3pGlgoXM:WADxzQC9lMIN72S4OrGAGoXM

    Score
    10/10
    metasploitbackdoordiscoveryevasionpersistencetrojanupx

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies firewall policy service

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks