Extracted

• • Target

    f044339e51ab2e9d9ef0f7130484f31d_JaffaCakes118

  • Size

    164KB

  • MD5

    f044339e51ab2e9d9ef0f7130484f31d

  • SHA1

    09b4666815f0af3cdd7253161c53886bca3affe3

  • SHA256

    eed4df729d3e1786e82d0121eecb10a30f05dfc0d531aa5e23673a91f3b8f68d

  • SHA512

    29dac14088af6b74099e90d1c2311ee0bac70afee8a07ab158ab0c52f3e86b8272b6d06d8345c00707e6e2ab143ea820dec5ef2865e044437a4353993e714774

  • SSDEEP

    3072:AGFXLh0gooaqBd3oW+GxWBAgnMRDkS2D9nj5asA21V9crS6:dhyoaqBd3KxBAgnMRD5aA217y

  Score

  10^/10

  metasploitbackdoorbootkitdiscoverypersistencetrojan

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2