Extracted

• • Target

    cc9994c73fb6eec72b51256f7015110b_JaffaCakes118

  • Size

    5.0MB

  • MD5

    cc9994c73fb6eec72b51256f7015110b

  • SHA1

    40a1cac85ec14eca254d3efed9d36f59cae704fa

  • SHA256

    815a071218fc73dbfc2452deb03954ba2b195ea8d8bf8e8a31fd1a29be7314df

  • SHA512

    52ae14e4899e79e66e071468d8a6634b8264b3222fceb034df400bd712024c8378c432db0608f54a4d984d18ebc8a67746e76192610b2af429413c54ee070bf0

  • SSDEEP

    49152:Lh8EVJ/qGjE4C9zBEVzWZnJYGS74rdC72VYHF68nrORQFjI8um9CKrOiyb6IDT3M:Lh8EHqGjEIWZht

  Score

  10^/10

  metasploitbackdoordefense_evasiondiscoveryevasionpersistencetrojanupx

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Drops file in Drivers directory

  • Looks for VMWare Tools registry key

    evasion

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • System Binary Proxy Execution: Rundll32

    Abuse Rundll32 to proxy execution of malicious code.

    defense_evasion

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2