Extracted

• • Target

    d8533ccbf7de982ba95445ae0aeabf47_JaffaCakes118

  • Size

    2.1MB

  • MD5

    d8533ccbf7de982ba95445ae0aeabf47

  • SHA1

    df9b8bc0821caf68a946c1ba2a72ab9ae6a16e45

  • SHA256

    e1ca920a34c19f7bed50f9e852cb5fd803be85a24abc9f305e3061d2e3d55bd0

  • SHA512

    529825e2296b796c83eed7f9626581c2411c9a58bee552f8256889984af0f364e8a0dde800bb8e5283fda53f3652800f82ed587321e956ee8d1ec1d0a333f387

  • SSDEEP

    49152:RYDL4UAzbauAn2sEVoHeNAL5rUvurR6sj7mrXMxuw:RNLaT2sJe2L5rUcQsj7UXi

  Score

  10^/10

  metasploitbackdoordiscoveryevasionpersistencethemidatrojan

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2