Extracted

• • Target

    f1129037e562d6241392df37d9490ff4_JaffaCakes118

  • Size

    167KB

  • MD5

    f1129037e562d6241392df37d9490ff4

  • SHA1

    978f49d06feb7c70eb4b4719a07bc2c86bc6f9cf

  • SHA256

    2213f202c0b355a5f92217f0e976ad3f80f1ef858e3ecb0601f5133f372e1fb0

  • SHA512

    1af03435beccaa38b763ad558bcc4ad8bcc72f71f5628b91771038b9eb1c4e209090ded05723ca1e8b3e9a027d0972233e82312f942de074b43aab94e8c6deab

  • SSDEEP

    3072:kG5bIr0kr9Ujx5g72mu1Z+MLaRmU06EtNHyREg/aIV0:d5Kr35zMamU060pwEgW

  Score

  10^/10

  metasploitbackdoordiscoveryevasionpersistencetrojanupx

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies firewall policy service

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2