Analysis
-
max time kernel
54s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 19:34
General
-
Target
5c375467509255e045544819c517aa26_JaffaCakes118.exe
-
Size
1.6MB
-
MD5
5c375467509255e045544819c517aa26
-
SHA1
910e1c81b5403997747d8e97ecdf140f619359bf
-
SHA256
4906dabe18713cfb2c7e2920efef762579ef0ef285eed98098639b7f22fe32fc
-
SHA512
ce8233ad76e1cc8f962a6810fa9d1b4a2657b1ce1b32ca3cb386a8450cbe43e115308aafb693b9db7ae109b07b182ef1cf381e869360a040a0097d2c09dec320
-
SSDEEP
6144:cTkbhEh9DbFZdCsKg8SVAKtVSVeB/yN7ARppUc:h9qhWg8SO0SVG/9ppUc
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5c375467509255e045544819c517aa26_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5c375467509255e045544819c517aa26_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\system32.exeC:\Users\Admin\system32.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\System32.exeFilesize
1.6MB
MD55c375467509255e045544819c517aa26
SHA1910e1c81b5403997747d8e97ecdf140f619359bf
SHA2564906dabe18713cfb2c7e2920efef762579ef0ef285eed98098639b7f22fe32fc
SHA512ce8233ad76e1cc8f962a6810fa9d1b4a2657b1ce1b32ca3cb386a8450cbe43e115308aafb693b9db7ae109b07b182ef1cf381e869360a040a0097d2c09dec320
-
C:\Windows\SYSTEM.INIFilesize
257B
MD533f02634b0f0044ea10367008d433c44
SHA1441fa92ec12108de6ea6b5e56520bfe34a899d2c
SHA256e0c4a79377281025859e7ac45d9cfaa124c3dc6a73c258aaeba0d4087fe0a174
SHA51290738bf801c002740007573615849ef0f2ebce842e1e2a90cdba088e0da73210913255c8444590c48820df23498b7c87b55c34710e4086aee5a89a0e93a3a397
-
F:\odjfxo.exeFilesize
100KB
MD5618e254a67a93c832189db01238ca035
SHA1d6378911498cf8ffe24803353c6ac0dc7db723ec
SHA2562234e39ef617876efe202d4b995c2240b4c41adbd2fbcc7774c1d3ca22a11f0c
SHA512793055c6c62649b8d49a316c112936b1597a1ad6789ad7d555243e0efccf8601eb16544842eb7c6347c13ae8502e56e62e552b77360a59e25d78ddf5ff6d0be4
-
memory/3912-15-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-17-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-9-0x0000000002A80000-0x0000000002A81000-memory.dmpFilesize
4KB
-
memory/3912-11-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/3912-12-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-13-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-14-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-0-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3912-16-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-7-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-8-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/3912-18-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-27-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-38-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/3912-34-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-43-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/3912-5-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/3912-3-0x0000000002BE0000-0x0000000003C6E000-memory.dmpFilesize
16.6MB
-
memory/4784-47-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-64-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-51-0x0000000000760000-0x0000000000762000-memory.dmpFilesize
8KB
-
memory/4784-46-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-52-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-53-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-54-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-55-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-56-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-57-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-58-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-59-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-60-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-61-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-62-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-49-0x00000000020F0000-0x00000000020F1000-memory.dmpFilesize
4KB
-
memory/4784-65-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-66-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-74-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-78-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-81-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-83-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-86-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-87-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-89-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-91-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-149-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB
-
memory/4784-150-0x0000000000760000-0x0000000000762000-memory.dmpFilesize
8KB
-
memory/4784-44-0x0000000002D10000-0x0000000003D9E000-memory.dmpFilesize
16.6MB