General
-
Target
bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118
-
Size
79KB
-
Sample
241203-mvnpmaxmbp
-
MD5
bd0802393b51f7b88fd1caf18cfb9d59
-
SHA1
dfca89f012d85280a32517e8541ce219dbc1cf84
-
SHA256
f42ee437ef9c0ca78a4cead554f84704b79b9092284db57923f5a480c3ac0065
-
SHA512
3c5ac1a277ace1e98052968f02a8e724327146c6b9c9aab73f6a594b43bc5a40f7200e6e15d69abd43a8b2db932c53ee7df44fd8ba42f7ab73685b93f900bb2d
-
SSDEEP
1536:GVodbBqHbWtYEmf7OuP6Bm4PERnDq/r/YFRwEdH8N2Ss/2kNSjAnJgzb:GVGNQrEmf7Rh4yYGSK8/sekNSjAJ
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Targets
-
-
Target
bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118
-
Size
79KB
-
MD5
bd0802393b51f7b88fd1caf18cfb9d59
-
SHA1
dfca89f012d85280a32517e8541ce219dbc1cf84
-
SHA256
f42ee437ef9c0ca78a4cead554f84704b79b9092284db57923f5a480c3ac0065
-
SHA512
3c5ac1a277ace1e98052968f02a8e724327146c6b9c9aab73f6a594b43bc5a40f7200e6e15d69abd43a8b2db932c53ee7df44fd8ba42f7ab73685b93f900bb2d
-
SSDEEP
1536:GVodbBqHbWtYEmf7OuP6Bm4PERnDq/r/YFRwEdH8N2Ss/2kNSjAnJgzb:GVGNQrEmf7Rh4yYGSK8/sekNSjAJ
Score10/10-
Disables service(s)
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Disables use of System Restore points
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
1File Deletion
1Modify Registry
5