Overview

overview

10

Static

static

3

cb3cc55156...18.exe

windows7-x64

10

cb3cc55156...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118

  • Size

    4.0MB

  • Sample

    240405-fe1kxsda24

  • MD5

    cb3cc551561883ab8fc4fb6fc837a469

  • SHA1

    f74ae6d243342099d3fa500cbc630f4a244a8d82

  • SHA256

    ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

  • SHA512

    b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1

  • SSDEEP

    49152:MgG+0nnFa5xF1Azk6GehC1Vm6ctA6Ty0pQJb4Qate1YdM1TGHgzBut:M

Score
10/10
servhelperbackdoordiscoveryexploitpersistencetrojan

Malware Config

Targets

    • Target

      cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118

    • Size

      4.0MB

    • MD5

      cb3cc551561883ab8fc4fb6fc837a469

    • SHA1

      f74ae6d243342099d3fa500cbc630f4a244a8d82

    • SHA256

      ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

    • SHA512

      b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1

    • SSDEEP

      49152:MgG+0nnFa5xF1Azk6GehC1Vm6ctA6Ty0pQJb4Qate1YdM1TGHgzBut:M

    Score
    10/10
    servhelperbackdoordiscoveryexploitpersistencetrojan

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

      trojanbackdoorservhelper

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks