Extracted

Extracted

• • Target

    JaffaCakes118_6158c6bc46c4c2ff6d20b5393ae86b81

  • Size

    4.5MB

  • MD5

    6158c6bc46c4c2ff6d20b5393ae86b81

  • SHA1

    3bcea54356be388fe60fd14315f55933c9713077

  • SHA256

    74379c7c3960ebe4d18c7617d118fb4d4e3f307faa1059ac7007d7bedfe31402

  • SHA512

    3725b226ec94344cc2d3d8c3a633be52441e09ec84ca0cbec578bf59aed0bd8d6e3f0a8c153b56296097f4782b8ec40f1eee41e0a92ca37cf9ee18ce021e1077

  • SSDEEP

    49152:qHgzHgUNghs8bBlKaEotaj7yg3AsZKlQc3MPsYMKZ9wsPma/oAlEHj9jt14X8qWX:qHgzHgUihs8blmfh3AQSKZGsgnzKX8Ff

  Score

  10^/10

  metasploitsalitybackdoorbootkitdefense_evasiondiscoverypersistencetrojanupx

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Modifies firewall policy service

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2