Overview

overview

10

Static

static

3

c881277196...18.exe

windows7-x64

10

c881277196...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c881277196e98d396fcc6ddb4d2ebdc6_JaffaCakes118

  • Size

    242KB

  • Sample

    241205-trarxsyjgk

  • MD5

    c881277196e98d396fcc6ddb4d2ebdc6

  • SHA1

    aa8ee793fe5fa8d7252bdcab4fef2b34dc3f9b2f

  • SHA256

    ede63458a70e893bb2f4bf38384b0c50d6303b746b2c477b04899622bfd8464b

  • SHA512

    6e7100f737c75a39070a7bff153fb616aaec34b212463474d8e24be7a1f92b2c01fea4fa6ad59560214e1644ad2b8bb4345aa58a4f5fc4d1e4e7def8bc028ec3

  • SSDEEP

    3072:34u5Jwdk07up1MTmGgbky7HerR3ke9EKX1ZeMXFcq4G+aLwfndrRqh:35wJ+BvH7+7RcVAendr

Score
10/10
metasploitbackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      c881277196e98d396fcc6ddb4d2ebdc6_JaffaCakes118

    • Size

      242KB

    • MD5

      c881277196e98d396fcc6ddb4d2ebdc6

    • SHA1

      aa8ee793fe5fa8d7252bdcab4fef2b34dc3f9b2f

    • SHA256

      ede63458a70e893bb2f4bf38384b0c50d6303b746b2c477b04899622bfd8464b

    • SHA512

      6e7100f737c75a39070a7bff153fb616aaec34b212463474d8e24be7a1f92b2c01fea4fa6ad59560214e1644ad2b8bb4345aa58a4f5fc4d1e4e7def8bc028ec3

    • SSDEEP

      3072:34u5Jwdk07up1MTmGgbky7HerR3ke9EKX1ZeMXFcq4G+aLwfndrRqh:35wJ+BvH7+7RcVAendr

    Score
    10/10
    metasploitbackdoordiscoverytrojanupxevasionpersistence

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Metasploit family

      metasploit

    • Modifies firewall policy service

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks