General
-
Target
f40d87607d01ff64db79e48bfb2bfc2b_JaffaCakes118
-
Size
200KB
-
Sample
240924-ty2h8ashpl
-
MD5
f40d87607d01ff64db79e48bfb2bfc2b
-
SHA1
f4e3b162f39845c76e4b70c57b3399df2d611a85
-
SHA256
8ad04e05485c56e8d900ccdcd4abf4aeb7367f41a294a58b67053c466f5fbc0c
-
SHA512
8be81a97b392721bc5b2e7b3f684e34278e89e313475ae0fd3950c0afeba6e7e30f449cf949d8c903b2bbee54d910a9c2a3ec0d4174ff60bc1b330d9b57a660a
-
SSDEEP
6144:HP3zOHz2jHL/F9B0KY5nIukyqBvXDbv3MG8dL9:HiiTL/Ff0KY5n5kyqNTD3MG8dp
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Targets
-
-
Target
f40d87607d01ff64db79e48bfb2bfc2b_JaffaCakes118
-
Size
200KB
-
MD5
f40d87607d01ff64db79e48bfb2bfc2b
-
SHA1
f4e3b162f39845c76e4b70c57b3399df2d611a85
-
SHA256
8ad04e05485c56e8d900ccdcd4abf4aeb7367f41a294a58b67053c466f5fbc0c
-
SHA512
8be81a97b392721bc5b2e7b3f684e34278e89e313475ae0fd3950c0afeba6e7e30f449cf949d8c903b2bbee54d910a9c2a3ec0d4174ff60bc1b330d9b57a660a
-
SSDEEP
6144:HP3zOHz2jHL/F9B0KY5nIukyqBvXDbv3MG8dL9:HiiTL/Ff0KY5n5kyqNTD3MG8dp
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2