Extracted

• • Target

    9c3e078b4506224ea8070d01294de9ac_JaffaCakes118

  • Size

    5.7MB

  • MD5

    9c3e078b4506224ea8070d01294de9ac

  • SHA1

    7816a2f30124873106386e8b5b0dfb476d1debef

  • SHA256

    8418c39d82911d39bae75090677ce1f259382a64d784e86acf31a6d9ba0ce3d9

  • SHA512

    46e44917d8d1abe4228dc3f73b8cfb5507d99766fffa2b4a798e805e506aceed531bfa5b27a1e6f87fb59b71e32f21e75846ad300d8dc77ffcd2a0ff5a273bd4

  • SSDEEP

    49152:aEs7HCrb/T/vO90dL3BmAFd4A64nsfJdBOGm5K6UVJ9eLZNVj/lHoRQ1wYr9MYEd:aEQjgGHmAQQQQQQQQQQQQQdC

  Score

  10^/10

  servhelperbackdoordiscoveryexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Sets DLL path for service in the registry

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2