General

  • Target

    3682ae69d86e795178c38cdcd7f5f4d9_JaffaCakes118

  • Size

    148KB

  • Sample

    240710-1lb65atfqh

  • MD5

    3682ae69d86e795178c38cdcd7f5f4d9

  • SHA1

    ad6216738133a8bd746930fab9f31b8ed95d1c00

  • SHA256

    e6775fe9d0bb612dd40712b634cb7782371f3fb3a27dc594ad2a8d2d1b93727c

  • SHA512

    3fc49bb7e9fb9341ceed17df3c6ebb663fb2f0f0b26734fc40e6b54fcc6b3d17a7d0d5207c4383c275dbaecb31215cbc6533b7376c792f7c9adf283512548371

  • SSDEEP

    3072:wEjCFqdW7KeEwYJUZVaqB2fJJf8V1ere4HoahAuqYJX5mZtKzZH8W:wEjC4c7KeEwYJUZVa42zfKMvALYJkZtm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      3682ae69d86e795178c38cdcd7f5f4d9_JaffaCakes118

    • Size

      148KB

    • MD5

      3682ae69d86e795178c38cdcd7f5f4d9

    • SHA1

      ad6216738133a8bd746930fab9f31b8ed95d1c00

    • SHA256

      e6775fe9d0bb612dd40712b634cb7782371f3fb3a27dc594ad2a8d2d1b93727c

    • SHA512

      3fc49bb7e9fb9341ceed17df3c6ebb663fb2f0f0b26734fc40e6b54fcc6b3d17a7d0d5207c4383c275dbaecb31215cbc6533b7376c792f7c9adf283512548371

    • SSDEEP

      3072:wEjCFqdW7KeEwYJUZVaqB2fJJf8V1ere4HoahAuqYJX5mZtKzZH8W:wEjC4c7KeEwYJUZVa42zfKMvALYJkZtm

    • Detect XtremeRAT payload

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks