General

  • Target

    f1b5362511582421a0fa96bbf837793d_JaffaCakes118

  • Size

    276KB

  • Sample

    240922-k35xrssakg

  • MD5

    f1b5362511582421a0fa96bbf837793d

  • SHA1

    7fc82376891910c566a228f6b9cb40ed2e422620

  • SHA256

    0cbf8e687d24688de6125777abe75a1304287b97a68af4f388c3345bee510df5

  • SHA512

    60634862683cec1b855cc7672987c084eefa06c6feadfa290baaf6c186b46077010fbe87907aa78da2efa7d097e3296eb33d55ab8c328a414bd902cba15096a8

  • SSDEEP

    3072:D8cG/y5jmiMqUDihnrLUmctNsFDkabY5okQVHyN23di5BF9bNufyIWUBFYlz:D8c5a1wrhFDka/hyNKi5B9uSUXY1

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor (the "version" reported for this family is the Metasploit x86 encoder whose decoder stub was recognised, call4_dword_xor, not a framework release number)
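
The encoder named above is a constant-key dword XOR: the decoder stub locates itself with a `call $+4`, pops its own address into `esi`, and XORs the dwords that follow the stub with one fixed key in a `loop`. Because the key sits inline in the stub, the outer encoding layer can be stripped statically. The script below is an added example written for this page, not output of the sandbox or code from the Metasploit project: it searches a buffer for the stub's invariant bytes (taken from the open-source x86/call4_dword_xor encoder module), extracts the key, recovers the block count from the `sub ecx, -N` prefix when that short imm8 form is present (an assumed layout), and replays the XOR loop. The embedded blob is constructed from a plaintext stand-in, not from the analysed sample.

```python
import re
import struct

# Invariant tail of the Metasploit x86/call4_dword_xor decoder stub, as laid
# out in the open-source encoder module (the loop counter set-up before it
# varies, so it is not part of the pattern):
#   e8 ff ff ff ff        call $+4        ; returns into the last ff byte
#   ff c0                 inc eax         ; (that ff byte plus c0)
#   5e                    pop esi         ; esi -> byte after the call
#   81 76 0e KK KK KK KK  xor dword [esi+0xe], key
#   83 ee fc              sub esi, -4     ; esi += 4
#   e2 f4                 loop            ; ecx = dword count
# esi+0xe is exactly the first byte after the stub, so the encoded payload
# starts at the end of this match.
CALL4_STUB = re.compile(
    rb"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e(.{4})\x83\xee\xfc\xe2\xf4",
    re.DOTALL,
)


def find_call4_stub(buf):
    """Return (payload_offset, key, nblocks) for the first stub found, or None.

    nblocks comes from the 'sub ecx, -N' (83 e9 imm8) that Metasploit typically
    emits right before the call for payloads under 128 dwords (assumed layout);
    it is None when that prefix is absent.
    """
    m = CALL4_STUB.search(buf)
    if m is None:
        return None
    key = struct.unpack("<I", m.group(1))[0]
    nblocks = None
    pre = buf[max(0, m.start() - 3):m.start()]
    if len(pre) == 3 and pre[:2] == b"\x83\xe9":
        imm8 = struct.unpack("<b", pre[2:3])[0]
        if imm8 < 0:
            nblocks = -imm8
    return m.end(), key, nblocks


def decode_call4_dword_xor(buf, payload_off, key, nblocks=None):
    """Replay the stub's loop: XOR each dword after the stub with the constant key.

    Without a block count, every whole dword to the end of the buffer is decoded.
    """
    data = buf[payload_off:]
    if nblocks is not None:
        data = data[:nblocks * 4]
    out = bytearray()
    for off in range(0, len(data) - len(data) % 4, 4):
        (dw,) = struct.unpack_from("<I", data, off)
        out += struct.pack("<I", dw ^ key)
    return bytes(out)


def encode_call4_dword_xor(payload, key):
    """Build an encoded blob the way the encoder does (constant-key dword XOR),
    prefixed with a sub ecx,ecx / sub ecx,-N counter set-up. Used only to
    construct test input; zero padding to a dword boundary is this script's choice."""
    payload = payload + b"\x00" * (-len(payload) % 4)
    nblocks = len(payload) // 4
    if not 0 < nblocks < 128:
        raise ValueError("imm8 counter form only covers 1..127 dwords")
    stub = (
        b"\x29\xc9" + b"\x83\xe9" + struct.pack("<b", -nblocks)
        + b"\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" + struct.pack("<I", key)
        + b"\x83\xee\xfc\xe2\xf4"
    )
    enc = b"".join(
        struct.pack("<I", struct.unpack_from("<I", payload, i)[0] ^ key)
        for i in range(0, len(payload), 4)
    )
    return stub + enc


# Constructed stand-in for a payload; NOT shellcode from the analysed sample.
SAMPLE_PAYLOAD = b"constructed test payload, not real shellcode"
SAMPLE_KEY = 0x1337C0DE
# Stub embedded mid-buffer with junk on both sides, as it would sit in a section.
SAMPLE_BLOB = b"\x00" * 16 + encode_call4_dword_xor(SAMPLE_PAYLOAD, SAMPLE_KEY) + b"\xcc" * 8


def recover(buf=SAMPLE_BLOB):
    """Locate the stub in buf and return (key, nblocks, decoded_bytes), or None."""
    hit = find_call4_stub(buf)
    if hit is None:
        return None
    payload_off, key, nblocks = hit
    return key, nblocks, decode_call4_dword_xor(buf, payload_off, key, nblocks)


if __name__ == "__main__":
    key, nblocks, decoded = recover()
    clean = decoded.rstrip(b"\x00")
    print("key=0x%08x blocks=%s decoded=%r" % (key, nblocks, clean))
```

Run it against a dumped section or memory region rather than the file on disk: the report also flags the sample as UPX packed, so the stub is only visible once the image has been unpacked. The decoded bytes are still the msfvenom payload, so hand them to a disassembler afterwards; this step only removes the encoder layer.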

Targets

    • Target

      f1b5362511582421a0fa96bbf837793d_JaffaCakes118

    • MetaSploit

      Detected a payload belonging to the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified UPX, an open-source packer.

    • Adds Run key to start application

      Persistence through a value under ...\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM), so the program is launched at each logon.

    • Maps connected drives based on registry

      Disk and drive information is often read to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      Commonly used to redirect a suspended thread's execution, as in process hollowing and thread hijacking.
