Extracted

• • Target

    b3e63de0ee2812b92c280e2ae78808cd_JaffaCakes118

  • Size

    81KB

  • MD5

    b3e63de0ee2812b92c280e2ae78808cd

  • SHA1

    0cc3966cd4a307f84b6a69c1aa59998e1fafd66d

  • SHA256

    e2fe63ffbe9f45034849ecb306e5399eb70a219758e421b3dc368be9aa4da307

  • SHA512

    f9a871880ebaa7c89fd9e6418310bf6876ffee12ec7a9974c0132a27cf55f452a3d4caf4cfc3ee12bb52e204895c256d140ee28d00ed3d2f258af9563b6fb646

  • SSDEEP

    1536:r7Xl6xlLXtJbru/+nxylEu4y44aj9QQCVWnfr0525p:r7XlkJXHK/+nxjy4dxCqVn

  Score

  10^/10

  metasploitbackdoordefense_evasiondiscoveryevasionexecutionpersistencetrojan

  • Disables service(s)

    evasionexecution

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Disables use of System Restore points

    evasion

  • Drops file in Drivers directory

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2