servhelper

Sharing

Copy URL

Twitter E-mail

General

Target

b22a7f7748f329f11f883697f71f22df_JaffaCakes118
Size

2.8MB
Sample

240616-hdy2taxcnr
MD5

b22a7f7748f329f11f883697f71f22df
SHA1

172f2ec1b31de3237e24eeba79084bcd18b50f22
SHA256

9227a139da1fb0755d0cf08d242726bc56633753897948b732878e58db15d6ca
SHA512

98867ae1c352ff8ebd2be803fdccdffe5a55fceb2d701245147bdcc9242837ce6f4ff379a68e44c7b36606245b1c84ad1d550cd2b94e05aeeaac4b29179322fb
SSDEEP

49152:RYHxMRZpyfuJL7HKgXU+mtElp9F0FKk+M/k3wyBS4/OBYllWZG+/kEgV1:qHxMRZAsL7HKgXE61g+M83n8SlW4+/kb

Score

10^/10

Malware Config

Targets

- Target
  
  b22a7f7748f329f11f883697f71f22df_JaffaCakes118
- Size
  
  2.8MB
- MD5
  
  b22a7f7748f329f11f883697f71f22df
- SHA1
  
  172f2ec1b31de3237e24eeba79084bcd18b50f22
- SHA256
  
  9227a139da1fb0755d0cf08d242726bc56633753897948b732878e58db15d6ca
- SHA512
  
  98867ae1c352ff8ebd2be803fdccdffe5a55fceb2d701245147bdcc9242837ce6f4ff379a68e44c7b36606245b1c84ad1d550cd2b94e05aeeaac4b29179322fb
- SSDEEP
  
  49152:RYHxMRZpyfuJL7HKgXU+mtElp9F0FKk+M/k3wyBS4/OBYllWZG+/kEgV1:qHxMRZAsL7HKgXE61g+M83n8SlW4+/kb
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
  
  d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
  
  a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- SHA512
  
  2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- SSDEEP
  
  192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/blowfish.dll
- Size
  
  22KB
- MD5
  
  5afd4a9b7e69e7c6e312b2ce4040394a
- SHA1
  
  fbd07adb3f02f866dc3a327a86b0f319d4a94502
- SHA256
  
  053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
- SHA512
  
  f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
- SSDEEP
  
  384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsUnzip.dll
- Size
  
  146KB
- MD5
  
  77a26c23948070dc012bba65e7f390aa
- SHA1
  
  7e112775770f9b3b24e2a238b5f7c66f8802e5d8
- SHA256
  
  4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
- SHA512
  
  2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
- SSDEEP
  
  3072:3imoHcJg67rm+2X7jiYwJAmcxaw2VvnCNizd9XER4I6CAZJPtAY3:3I8Jlrm7SnjCNizdhER4I3kP3
Score

3^/10
behavioral7 behavioral8