Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
17-05-2024 22:35
General
-
Target
51d4001a30b815ebc92ea0503fc629fb_JaffaCakes118.exe
-
Size
17.4MB
-
MD5
51d4001a30b815ebc92ea0503fc629fb
-
SHA1
c3a3f26c92fada102e534c61aa1fc7893c4020f2
-
SHA256
4d86068116442ca9d3773bfb8d53d980a35d7d205bfb939dfabf702d0026f646
-
SHA512
e8a84565d73fd45e5cbadedab0c108a379b8a3992a564012c5d9f27f6854bc865c5027727c9b0d59fea2e77e6504f20b20d7b4d439bda9d54b2af0988ed48947
-
SSDEEP
393216:upPdsKbSuiniV0Qz2Ezs+R+Uk68b6JaYQUwQw5TaXzo/SsB:WmKbSuiniVRDs8+UkJ6JO7Qw52zo9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\51d4001a30b815ebc92ea0503fc629fb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\51d4001a30b815ebc92ea0503fc629fb_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F760D0B_Rar\51d4001a30b815ebc92ea0503fc629fb_JaffaCakes118.exeFilesize
17.3MB
MD5be5ac85ca83a972399661c1afcd03f8c
SHA1e96b4c6a6fd04182643a32b6f2042e1e691ec914
SHA256d68b0ce99bd31fdc8af60aaf9a61fb9b6f785c40e0b4885d6ac102ae3940737e
SHA512e41c6ef46c2aafcc13223b7eac611242526976180728b520019b89b4d2dcfc66f65645f97c1a2d2e4e33a246446d87b465b8eb6f3a6f79bbaf540d04c207c329
-
C:\Users\Admin\AppData\Local\Temp\c3\effect\other\girlassist_thi\1.ddsFilesize
64KB
MD51994ab46cd110278ad992cb924f6f7f2
SHA11361b3423bb40001ca5e458c2252e30bdca81610
SHA256c9704ce6887a8c6dd8854f97af04b64d4a775e13d005deebe0bde0cc81fa48a9
SHA51242205931b925d3bc0f7f84ffc0bd7dbcf450e02a56013b9b07a31d22c883990bc72b26cba1d9df6b1ca313b8f38ba88f5f629a339c46e933d58daca12e4fb12c
-
C:\Users\Admin\AppData\Local\Temp\c3\mesh\001182200.C3Filesize
47KB
MD590aa1bc146aa9c9ec8fcbb44b8c939ed
SHA16168271aa3926f88fabedd2bdefb93be0c2a6888
SHA256c3eb7ecda7b36e2694ff63cdf20f396883b5226d2135fe73a6336754a891f3d8
SHA5129aeef065280faab26d997c4cc6a60f99b1719c29f94fbb13c0b69ad0e79662dbe1e1ca044fa41edf7944c11f03f7e96a83f9a1a5d9def03b64fd3968248cfe5f
-
C:\Users\Admin\AppData\Local\Temp\c3\mesh\002182200.C3Filesize
48KB
MD5fc4be749332594db02bf065c7ff1d1d8
SHA17cfa049110f79e6aca78ea4322282a7bac270ff0
SHA256040f2697d4ea1c668087e7fb2a62d80191079d2412fbe3b2412ceea5247a6eef
SHA512930e7ee6e26ecb545ffec18249a76a16b1ec3f398721f8861c7f7beae124043e8b63280e1829cd8bff8b271318d0057d96109d7df08dbc5fd0246d262194dede
-
C:\Users\Admin\AppData\Local\Temp\c3\mesh\003182200.C3Filesize
37KB
MD5acd1049110cdc79bffdedff0a8759544
SHA15ae9e9c912083e3962c0eb88ebd9ba56eca2869b
SHA256d46acc17459753f7da0323d9796aa22269650da0235baad1a06b6fa5c439f3c2
SHA5120888f4cfc665fbb7df20658bf36fd712924899e890605d43a7d486deb8697148fb25e5a505919bc31212e9758edce7b6140de0834068abc4183aebfb950a22fb
-
C:\Users\Admin\AppData\Local\Temp\c3\mesh\004182200.C3Filesize
36KB
MD5863d33fb67123794dd5b8099ee979a82
SHA17f85b8494b45cefa6a4b92a7c0682a9b2c432a0f
SHA256a48d2ca8c62f1b24f003aa474115e522dc29a2f2e1c72a1c34150b0be204ce8d
SHA51251f2ba9f01cfdc4aac64d0a5533c469747f13cb81dc51351ad54fd837617c40021fa9145b13e4d92aa0a0890141c1fc8cdde1436371fa77aec89a4397cca75dd
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\001187425.ddsFilesize
64KB
MD5221eef0294448dbaa6ff06e66946ed7f
SHA1e150415331eaa1841eadc5fee4f5471706281b0f
SHA2568c066f735b68a13bb97f108c70aac54abe4abe830fbcdf8e69c1124f17060bb1
SHA5121dc24e54cdce7c803a89b93c789e1c7d74cbbf07a7e91832e1abf039fe9406bc9d54c65f7b6d8f885b6fbacecba609f4c4ecc19bbfcc3694c7dff623705c2ec5
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002187425.ddsFilesize
64KB
MD54e6e923f3b6107349ec9a8abe8e60c76
SHA1ced7e0dcbfe09cadea27f8c61f9af0fa5afcd472
SHA256d7831c62c5af5d76d7fa16d4398cadf2ff3aaa8d538c059fa8c8f6211d81641c
SHA512e236018ac7f3ff280b811fd9554cf4ea113639e4b50b84db560115c08256b619db806112564104d23a80bb779b0285a410cb1497e5f600d3fa3d17458bf8b112
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191420.ddsFilesize
64KB
MD5dbd733df973ed504354cb2e4143cab5a
SHA18afe96535d8fa40f70ea2a32fb74c962edacdf34
SHA2561d2084bdaa8f9747ac36227397c8ae8ccb766990f6a22e098cb26876ca3ebf98
SHA512e6a23605ed5f6592f0a7e74bda256231e4d0f0f2b47901f167d3cdfff9995e35711d54b5a85773929cf406769e5765a6f49b5b639e3e1333ec2f4e552e1d57b8
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191440.ddsFilesize
64KB
MD54aeb54fd751ef3162c444131ecfd7684
SHA10da149bef3281033f8aeaca3360e7ffae8994c7a
SHA256c4c1cad8883edb8532074917dfe28a79b6385abb86e13cd1633ab983346839cf
SHA5129e69f6c334b7ef9b25c32641b57e1d743a1e3e569435ad7dae064c596cf8aa706e7d631265c9c2228d7208341f9938e7f234ca7bd60310c13514ff6907489010
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191450.ddsFilesize
64KB
MD56d95c9cffacded55dd46e01ddea25797
SHA10fa83a1f1f6b4ff3e4dcc74c488fd2ea2433c054
SHA256ff68873bef96d72cc60f45551fe206901b7de8744db979c8aa5fc601d2d77f94
SHA512b368e807773eec6e28fd8d70f781741672abf6fef4d07bcb81e09f5d3c0ebdbe387af107ac75c1e775f1d7c7e858f71de53eedb0cb8145625d5b51965918274f
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191490.ddsFilesize
64KB
MD500cdfd14037592d170ca094c9ba052b1
SHA12f8eb59437dfd2ff75962e05be3b98b0a98fe70a
SHA2563db035b33339c461edc0820f835ae72614cf9f8a44cf24297dc0472c8543143e
SHA5129a7716c3d3e7426341b4078d3dc095b951406582dcb9b45965fd0ee609a3955673f2af00b561ccb370e1c18e1ff1d4eed9c11650c4658a0fcb83909f683235d1
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191500.ddsFilesize
64KB
MD5c920cad1f0bc405495fe15300131c37f
SHA129e0009df995b2622230920cc2905c0fa5e52d5f
SHA2568e374463ea952c0b5281f8336d1c25dacced871dcd5ac20b3a1f33a1ebaf2592
SHA5124c76329f5595b0e02b849bbf4b0a435469a4f171fca03fcdf41e46a82abc89350cf0b959be02e7a8cdb36e96a087086c9ad32e87ba7c45868efe7e6e1b1a39f4
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\002191510.ddsFilesize
64KB
MD5c3e67b03561ba17806fe88479bf4ab5e
SHA1f28e5f14f17e9affa6232fb52d22d235293b409d
SHA2565679fdb60e7cce10eb3c6b839d32a85c371ea84d20786050a1abd6098462fe11
SHA51295e3f1adc81d7f0c46826fec4c4ba0141ea0a35d4431a6ce65db5d3f5dd539f3c3cba1df1b69cc88648a2890261f0b2476a402e41c66d472edeedb6dc3d0370c
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191410.ddsFilesize
64KB
MD5600addd36ec61aec3998da1049261e57
SHA1a6968396ddfb33ec16df3b87c51c2000322aafbc
SHA256e2d539d03ce3994a6135106f20234494f6edb0834a1488ae6b4f83caa69636a5
SHA51204441d6dc995df51310e92299922ca8b8ada9e87fcce49ae4e84d21cf8c4ca9ca497a7d507dcd8e6b4374f5775c37ca9ffee735a9d658955d9df4a0db005d82d
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191420.ddsFilesize
64KB
MD5e4c04c182518a5030add13a1679a6310
SHA13642f0ae20de9e1eb75d29e2f43c270ae43ab206
SHA2567d3beb889a07c77c6771a233f35cf246f18a87cf4c6ee7e5cf0b82c2d6c99e23
SHA512c77786a3bcf70940f53325c7c79ad9ff18f4988e0582f7f1196e9b8b973357c9b82c3aa3f63b23a3bf05b47b694bd7eac8c44f07091b20a86f3809ab35b7b08b
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191430.ddsFilesize
64KB
MD58ffc473c0acdf7d59eadb10496e37cef
SHA1d923aa3a535dee5b47fe2ed922bf7b211ba54e49
SHA256617a16853649430648fb7ac2d8d21ca4afa7323a10764b423a8f00d391fc0890
SHA512c451ea379510930cc9182a6d676befd48b7d37a98a86e61f847444e20b82c9f0c3ad2db80824fb3b740e279d83370814aa0546af9e6e423e3cedff77af6c7774
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191450.ddsFilesize
64KB
MD503df3bf5f814b9a1c40d5cd5d8af98b2
SHA1cac062b159a07685f98002122961e7ee9f506c81
SHA256fb259fee4de01d9e0585805cabb8f66442a3afc447ca0e18f9927a42dd48d8dd
SHA512158e650914fb6edd0fa01050c9a5dddaa922e5385d835db778522e57346ae841d16ee1304d43f01a349eef5543220f047d62f30e862c2fe960fb44d97542ee11
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191460.ddsFilesize
64KB
MD51e6dfa166a387627d003038b1ea92daf
SHA1e4e06a66e343b543b8b498de3bfa3f6c9b77db58
SHA256facddde5ed4f00af7a80c8bd6299a1860a94d22a69f26e1ef04ac68433234c39
SHA512b65108e4ea0bcc707919d3a468c1c5e4e3a41e4300f2b44bd14588c3031d4a11b80e24b7b9e330e7ed5cb9deb9ad243eb9c717ee2f5a0c0388d413c841ae5925
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191470.ddsFilesize
64KB
MD5a96fff285ea73be2e99433dc75dbf0f9
SHA1444f5a30b2589692d84566df49a36c395b8a8537
SHA25663a95751d6ea33a739b1cf508d1dfe79398e6fdae14de17b2f517abc51efb046
SHA512586255924aa52f83ed0fe4e75660c06d468177d989a18656894f9a10299b285f133f4dcaffb26059b8e3bc4401040897f04e084c6b5678558bb8648b4f4c223a
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191480.ddsFilesize
64KB
MD54791f2044d2fd18a6d6555dc978701b9
SHA19942064a565b53bc9705c91d9a4dcdaa8b8732bd
SHA2561e78ee9f5a41de8d35f9f90edfd0c85ab2e8ba8230154acbaa029cb4e955e2d0
SHA51235749e1db69478f5186220b6f5faac6e2d3087cc2acf35f046e2b6e30675acff05c37d7328938701904e34d3a421303d5c25fcf11743ccea4c7461b860bbad29
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191490.ddsFilesize
64KB
MD539311dc287867a81d7779fe4fe87e9ff
SHA1aa60d30140ef826135551294297f01bf52d7304c
SHA2560022bd763461284361bdde37a1d78144c1f7a7ba047549e924b73f845ebb9845
SHA512e84a59d0356a65e5b7d0aba7cd5765c81ce823534f89fb26e15d548f4b18fce8106a3cf89645c1752b39d7419a88404fc88cd5929c6c4d1b440c16f595052179
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191500.ddsFilesize
64KB
MD5ae98518bf5610e1354341e2e0da00319
SHA182664177e484681a238476df23c9683acffefec7
SHA256296cd71633a599db4f972dd606f3cf3a7bc63d1e2823807fc8e7022e6f96c2f6
SHA512e33a4f4cbd00f4178cb06abae2580577b0f9d16e56e471d84473eeb363d628027cc06e8fdd3e0345d2a739c97a3bfa22334082fcba008dc54b984101b138b4a3
-
C:\Users\Admin\AppData\Local\Temp\c3\texture\004191510.ddsFilesize
64KB
MD59182c208977f38c9dccd3c8ca4718d33
SHA182d796a9032ead9b298905683a174a0958f036f7
SHA256ea8ea1325a4f25762b7debe1a04adc03a22a58411fa7647886cc17dad1273796
SHA5127588686a45fcaf17237e3f6e85dd32c10f769971234ee667274660e73865fb9bdf2e2beef5a8e172dc337ca34c3db66ac7e33e23cb6c12d00251c2b8a9392149
-
memory/1044-25-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2972-6-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-34-0x00000000037E0000-0x00000000037E1000-memory.dmpFilesize
4KB
-
memory/2972-1094-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-42-0x0000000003690000-0x0000000003692000-memory.dmpFilesize
8KB
-
memory/2972-43-0x0000000003690000-0x0000000003692000-memory.dmpFilesize
8KB
-
memory/2972-12-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-11-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-9-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-4-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-3-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-22-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-0-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/2972-36-0x00000000037E0000-0x00000000037E1000-memory.dmpFilesize
4KB
-
memory/2972-13-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-33-0x0000000003690000-0x0000000003692000-memory.dmpFilesize
8KB
-
memory/2972-444-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-449-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-15-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-10-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1775-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1782-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1903-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1904-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1907-0x0000000003690000-0x0000000003692000-memory.dmpFilesize
8KB
-
memory/2972-1924-0x0000000001DE0000-0x0000000002E9A000-memory.dmpFilesize
16.7MB
-
memory/2972-1923-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB