Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 02:34
General
-
Target
3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe
-
Size
4.3MB
-
MD5
3170bcf7de646f8612910ab98f6d1861
-
SHA1
71d81b3dd1747cf1c0e744fcb1809d6522eab902
-
SHA256
bea9da3ee504f62fc074963332e96297c7fff5efb2999efc946bc518a3765c00
-
SHA512
f232d67902f1b7fc3eb73efc7df575dcac83f5943e613e61982c78c9d4c47b18eadd6d87f2b4d040ec4125f4770a33f03b5743b3b18c34ab622b258f913b91c5
-
SSDEEP
98304:OcaOt2a4P7cEg9j1rQT6YHyV4QWfjmRbM4rmqof6+oO+e:x4a4ndrE4QWfjm1M4rm1fqFe
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bd_dvnlr.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7F9B.tmp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7F9C.tmpFilesize
1KB
MD57f4c5cb8e45901a61f403e78440cc413
SHA1f47cc515eb7d3fdd6d3d35be522d131618ac9a5a
SHA256547395c865a4c3b919d2dd9b91a2e3067f067b3b53ae176fbe3bc0043faba6c9
SHA512f65d4f77ebdf7297fe52c55cb2486070d416fbe4f0fbea70255fec51125ea7c3bd3e7b5a7625e473fce3db8e3be2b49c0e76018fd518b58e345b3793b1f28c7e
-
C:\Users\Admin\AppData\Local\Temp\bd_dvnlr.dllFilesize
3KB
MD599bb3cc30d2685ddf41a4684048501d3
SHA19eec612c75b98a9723bed956563a7797decf998a
SHA256ef9d84d2381c00665360056398fdff8c0b5b8a5cc141c38c3b06a671dfee9211
SHA5129ceef880aea88577c62d322e47f145bc40fbc4e193547297c2a4d241097e038b19a12f81df6aea8d4f2ca7cf9bba9df093bfa94f9a3ff1ce53583762600d1795
-
C:\Users\Admin\AppData\Local\Temp\bd_dvnlr.pdbFilesize
7KB
MD56a96d46756d38fedf07a604bd14bb295
SHA198c4dc27ec98ca0efbc62ecb2574887089ec8619
SHA256d5bf21fcd67b7573dc5931b113fd99120f34e677a74a357ab5af448d109f61c1
SHA512530ec7cfaa82cac3d3d82f54e8982fe502a3f893384a7da64fd11d715372ed4f24b61694a9d791b7c49b44c93d7348ab73abf5fcc950db68c34134d18e6344fe
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1Filesize
2.5MB
MD5794bf0ae26a7efb0c516cf4a7692c501
SHA1c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA25697753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA51220c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5ff71cc3adc8818e1f65a998cb3cde44c
SHA1726c8f510b7dbea9b1385877f2b3c9899bd68e0b
SHA2560ca8dceac969d17fe13915f29115ccb4ba81dec33bdeece8c4cadfe68a9a9247
SHA5124f132e4b40ae579543fa0d737516e54a95d869c4e8c9d1f77a656af8ec6b510cdb43568d5704a6d2313e1d01cb4009b3a6080592aafe041b938d7e78d51f5d3e
-
C:\Windows\SysWOW64\rfxvmt.dllFilesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC7F9B.tmpFilesize
652B
MD5f47c804de7cc6c1c31b86aac86598ae0
SHA1e522d497159159ab8f103ca5374eeff1bd280a23
SHA25621f145c0ea6df722b6de01e927753c2672da8807f8f3e104a67cdff8a2d109d1
SHA512456321ad6ad5761840b12524f178e169785947ac2a99b533d3182c951fd2c41b9855b1f28692a0174645dc70daba9ae503da5fd9f8220fbe4251e755785edc48
-
\??\c:\Users\Admin\AppData\Local\Temp\bd_dvnlr.0.csFilesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\bd_dvnlr.cmdlineFilesize
309B
MD56e072fd69c669bcb1cd0a992a3b994ef
SHA1ceaf94674d832d7bd482be965721326254170292
SHA256472e48de0ee4bda307861939df0fcef7cfa30083440a23b2c8d00e8b391f3ee4
SHA512d7c1f7b84d5f93a258582b7cb4fccf91699f7ba654b80078ea514fc162fc9ee8756203a156b379d06937faedad6106a3821557e9b08b7dea7157fa2fab2170f4
-
memory/1220-13-0x0000000003620000-0x0000000003A27000-memory.dmpFilesize
4.0MB
-
memory/1220-1-0x0000000003620000-0x0000000003A27000-memory.dmpFilesize
4.0MB
-
memory/1220-17-0x0000000003A30000-0x0000000003E32000-memory.dmpFilesize
4.0MB
-
memory/1220-56-0x0000000006790000-0x00000000067D0000-memory.dmpFilesize
256KB
-
memory/1220-48-0x0000000006790000-0x00000000067D0000-memory.dmpFilesize
256KB
-
memory/1220-42-0x0000000006790000-0x00000000067D0000-memory.dmpFilesize
256KB
-
memory/1220-7-0x0000000006790000-0x00000000067D0000-memory.dmpFilesize
256KB
-
memory/1220-6-0x0000000006BD0000-0x0000000006FD4000-memory.dmpFilesize
4.0MB
-
memory/1220-5-0x0000000006790000-0x00000000067D0000-memory.dmpFilesize
256KB
-
memory/1220-4-0x0000000074960000-0x000000007504E000-memory.dmpFilesize
6.9MB
-
memory/1220-3-0x0000000000400000-0x0000000001AC1000-memory.dmpFilesize
22.8MB
-
memory/1220-2-0x0000000003A30000-0x0000000003E32000-memory.dmpFilesize
4.0MB
-
memory/1220-36-0x0000000074960000-0x000000007504E000-memory.dmpFilesize
6.9MB
-
memory/1220-0-0x0000000003620000-0x0000000003A27000-memory.dmpFilesize
4.0MB
-
memory/1964-67-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/1964-71-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/1964-69-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/1964-70-0x0000000002590000-0x00000000025D0000-memory.dmpFilesize
256KB
-
memory/1964-68-0x0000000002590000-0x00000000025D0000-memory.dmpFilesize
256KB
-
memory/2456-43-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2456-44-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2456-45-0x0000000002750000-0x0000000002790000-memory.dmpFilesize
256KB
-
memory/2456-46-0x0000000002750000-0x0000000002790000-memory.dmpFilesize
256KB
-
memory/2456-47-0x0000000002750000-0x0000000002790000-memory.dmpFilesize
256KB
-
memory/2456-49-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2512-16-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2512-75-0x0000000002730000-0x0000000002770000-memory.dmpFilesize
256KB
-
memory/2512-85-0x0000000002730000-0x0000000002770000-memory.dmpFilesize
256KB
-
memory/2512-14-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2512-77-0x0000000002730000-0x0000000002770000-memory.dmpFilesize
256KB
-
memory/2512-76-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2512-73-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2512-18-0x0000000002730000-0x0000000002770000-memory.dmpFilesize
256KB
-
memory/2512-15-0x0000000002730000-0x0000000002770000-memory.dmpFilesize
256KB
-
memory/2644-55-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2644-59-0x00000000027A0000-0x00000000027E0000-memory.dmpFilesize
256KB
-
memory/2644-57-0x00000000027A0000-0x00000000027E0000-memory.dmpFilesize
256KB
-
memory/2644-58-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2644-61-0x000000006F8F0000-0x000000006FE9B000-memory.dmpFilesize
5.7MB
-
memory/2644-60-0x00000000027A0000-0x00000000027E0000-memory.dmpFilesize
256KB