General

  • Target

    f19b9d6b74f65125623613a334baba76_JaffaCakes118

  • Size

    7.0MB

  • Sample

    240415-v46wkaed2y

  • MD5

    f19b9d6b74f65125623613a334baba76

  • SHA1

    8b1428daa9a7d2231663784c2e0457034dbdd468

  • SHA256

    c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

  • SHA512

    f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4

  • SSDEEP

    196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

    • Target

      f19b9d6b74f65125623613a334baba76_JaffaCakes118

    • Size

      7.0MB

    • MD5

      f19b9d6b74f65125623613a334baba76

    • SHA1

      8b1428daa9a7d2231663784c2e0457034dbdd468

    • SHA256

      c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

    • SHA512

      f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4

    • SSDEEP

      196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks