General

  • Target

    0eb8467d4cb3e4c7a04409ba67ac0360_JaffaCakes118

  • Size

    274KB

  • Sample

    240625-tqcvwszfje

  • MD5

    0eb8467d4cb3e4c7a04409ba67ac0360

  • SHA1

    96e6ba4f69b34ad15601cdf320593f31546c204b

  • SHA256

    b6928ada9b353108cb8fe31881ad6dbafc958187ca2ad80bcd9a7ba509339ddf

  • SHA512

    718b6d17b15bad4d4ee35260a60b0d4af2a41f1d7fdb65372f78c28b94a419e69b4d976c3e93cb789178aa7e248b077abe73c98b76100d3600e0cd2ceb4d69d0

  • SSDEEP

    6144:MbPiSudrfG5TyWylMUck2Vlax0i/be+F1Kp1EFGxkZ:MjiSud4yW8NcLaxBKCcUbZ

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Modifies firewall policy service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks