General

  • Target

    e423dd0f0183644c8d9839f0cdd6ed51_JaffaCakes118

  • Size

    171KB

  • Sample

    240916-gna73a1hqb

  • MD5

    e423dd0f0183644c8d9839f0cdd6ed51

  • SHA1

    2d31683a62d02f0ee051228d2ddbf11d3a695813

  • SHA256

    5aa72f698a2226a6faccd818f6499b5962458b9aec96fc86e8c45eca2635d3ac

  • SHA512

    963654a7345ca907083b27701c549ec93a740bf1fecc2ba798b0768297c81a77ca0a6f89a1c97aec2596522dd4c799c0b6b3b9670360a3781611b7e353993d11

  • SSDEEP

    3072:a3C/x9UL+MRjcCMY8RdPBVyvnKfO1kwpYgn8jhl2nVA4h7Bfeaf6GO:aS9QVt8LP+e5wdnuh2jj/6GO

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks