Analysis
-
max time kernel
65s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-04-2024 07:50
General
-
Target
02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe
-
Size
283KB
-
MD5
02c33e220ec6a0df5a71cf30866e879f
-
SHA1
00e8a11a3720b25df09884eaabb55986f4fb927a
-
SHA256
7ce6ddee9192d4d51b389cf8da8d226b51082378253b1c36716fe50b039dea32
-
SHA512
eb1fe26a5221eaed7057d284eee39d93e01e8375aafc818a5f3b317cd1544940837927d010bafe8b6b419e044b6c7208edf15dce3cd7d494ab8cada9f808c559
-
SSDEEP
6144:TvEk52U+T6i5LirrllHy4HUcMQY68wzVdUsBbr/5Q:TEk5N+T5xYrllrU7QY68wzX/i
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\02c33e220ec6a0df5a71cf30866e879f_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 07:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
283KB
MD55e618bda3a55a3fe5d0826a3f02c2d0e
SHA1dced93c2dafca8d9cb30b89118703a5c152215fc
SHA256cc77abea462794703534b06c04a96bc215112c09eee576a19d1554a41a96e778
SHA51254835f80d31eae194576767f8111d72203df3465d3b4e3dd32a5a64d81fd4faae2c6a0c040280a954654963e4deb96e4368c13b8a4feb1bd7534f037834150e1
-
C:\Windows\SYSTEM.INIFilesize
257B
MD55971ae769f54d79619b6c793c5507f40
SHA1acc3d75397ba64cd3e056375be2658c3d0187b3b
SHA25683bae8f9dab9145f980117eb6e56f1ea006b239089994f2f0f7be57e946be4ce
SHA51284da67a8e520e0b3385ff06f4058d0c574ecb63bb3b31e73303e5325efb77dc8b77384a5eae3a73a7da34345b8792ea70dd03986eb932dfec1e8fa844565a346
-
C:\Windows\System\svchost.exeFilesize
283KB
MD5aca872e7fca0cb4b3dedded848aa1479
SHA1cd4a6dad640047c342eeae1038c768d2aaa0b10c
SHA256c396f5f8698bfa68c3802eba29004014d936604dcd2d4622e7dc4ea874646efc
SHA5128b3780de953eba99309455f364a09f9fb5fbc9c52b9f6f826ff1af7d3ee27606317d20ad7ddb93c799d62e69e22d26c91fb8b50299a4a1bf6e6661c09977515d
-
\??\c:\windows\system\explorer.exeFilesize
283KB
MD57c4ab2ad634181cefda1f26884a68080
SHA1aa01491844cc314d345d552edd9ee0430e31055e
SHA256c75aa5a6f211d91f60151da6f2ae8c23bd3fa427f079c9789eb314e36a2e7931
SHA512753603d778ac5703b8a8eeb380db8bd7e910849b9caac1b9b8a521c1596eb386e8cccae64a84daae394134087bbaeafd2e97314c2337f7d84944872e2037a0d4
-
\??\c:\windows\system\spoolsv.exeFilesize
283KB
MD52e3eaeec0e09157dd0c6a35f1b6aa3ae
SHA1558c028707524f0cf36d7c0858dd356c9ef02ec1
SHA2566bfcb0611a214d2953bd0218c38f1bb81fadecb6265b567b23d0619cc6890580
SHA512b99d95ef03f98cf289b8f36ab30c9430c46ffb4d12aebe268c2540a15d8d8d38447f593d229c662ee4aa060ba2ee2057b5b75c7ec777a87340c6fe17bc3ba697
-
memory/1072-58-0x0000000003810000-0x0000000003812000-memory.dmpFilesize
8KB
-
memory/1072-55-0x0000000003960000-0x0000000003961000-memory.dmpFilesize
4KB
-
memory/1436-86-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1436-57-0x0000000002030000-0x0000000002032000-memory.dmpFilesize
8KB
-
memory/1436-53-0x0000000002040000-0x0000000002041000-memory.dmpFilesize
4KB
-
memory/1436-34-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1436-83-0x0000000002030000-0x0000000002032000-memory.dmpFilesize
8KB
-
memory/1592-60-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/1592-66-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/4136-56-0x0000000000600000-0x0000000000602000-memory.dmpFilesize
8KB
-
memory/4136-88-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-107-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-105-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-23-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/4136-104-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-102-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-101-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-100-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-99-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-98-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-92-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-91-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-95-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-97-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-51-0x0000000002B40000-0x0000000002B41000-memory.dmpFilesize
4KB
-
memory/4136-96-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-94-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-93-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4136-90-0x00000000038F0000-0x000000000497E000-memory.dmpFilesize
16.6MB
-
memory/4416-9-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-0-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/4416-71-0x0000000004790000-0x0000000004792000-memory.dmpFilesize
8KB
-
memory/4416-5-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-1-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-67-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-6-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-7-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-12-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-13-0x0000000004790000-0x0000000004792000-memory.dmpFilesize
8KB
-
memory/4416-15-0x0000000004790000-0x0000000004792000-memory.dmpFilesize
8KB
-
memory/4416-82-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/4416-14-0x00000000048E0000-0x00000000048E1000-memory.dmpFilesize
4KB
-
memory/4416-22-0x0000000004790000-0x0000000004792000-memory.dmpFilesize
8KB
-
memory/4416-11-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-40-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-8-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-38-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-35-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-4-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-25-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB
-
memory/4416-24-0x0000000002B20000-0x0000000003BAE000-memory.dmpFilesize
16.6MB