Overview

overview

10

Static

static

7

38a081e3a3...18.exe

windows7-x64

10

38a081e3a3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11-07-2024 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38a081e3a3c30afe98da847545b85c25_JaffaCakes118.exe

  • Size

    375KB

  • MD5

    38a081e3a3c30afe98da847545b85c25

  • SHA1

    445ef50c91475fffd8130db61a20dc60641c5754

  • SHA256

    3a9eb9047595ee4bce4168e9191ab2ba48b9e75b6c5e4a33a5f96e045b21216c

  • SHA512

    2403da5ad356da30be165acd92ca93776309c1927d9ef6dbdb57236e8925eee00367545527f22b45e87d66fb739ecd31bc47b6683be5d89a3c894949975c53f1

  • SSDEEP

    6144:3dvuKYNGOmhnqgu6FiidUogu6FXAb0qwR6l3T6N++CPy9QKoE54T6V:ktOqgu6F7Uogu6FX+C23ON++CPyboE51

Score
10/10
salitybackdoorevasionspywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookAW 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\38a081e3a3c30afe98da847545b85c25_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\38a081e3a3c30afe98da847545b85c25_JaffaCakes118.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookAW
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1688
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1396
          • C:\Windows\system32\dllhost.exe
            C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
            1⤵
            • Drops file in Windows directory
            PID:2724
          • C:\Windows\system32\msiexec.exe
            C:\Windows\system32\msiexec.exe /V
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2852
          • C:\Windows\system32\SearchIndexer.exe
            C:\Windows\system32\SearchIndexer.exe /Embedding
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\system32\SearchProtocolHost.exe
              "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:3064
            • C:\Windows\system32\SearchFilterHost.exe
              "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
              2⤵
                PID:1996
              • C:\Windows\system32\SearchFilterHost.exe
                "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
                2⤵
                  PID:2088

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Replication Through Removable Media

              1
              T1091

              Execution

              Persistence

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Privilege Escalation

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Defense Evasion

              Abuse Elevation Control Mechanism

              1
              T1548

              Bypass User Account Control

              1
              T1548.002

              Impair Defenses

              4
              T1562

              Disable or Modify System Firewall

              1
              T1562.004

              Disable or Modify Tools

              3
              T1562.001

              Modify Registry

              5
              T1112

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Peripheral Device Discovery

              1
              T1120

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Replication Through Removable Media

              1
              T1091

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Exfiltration

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\7-Zip\Uninstall.exe
                Filesize

                118KB

                MD5

                68dad9c4358efe3d6e4bd0f670d430c0

                SHA1

                de8c07e849fbf21e8c47bd7af4e713c793691288

                SHA256

                90e8df72d254f9c4e79346ff9620eec7c6bc54da30de3b085ccc5a988575e91a

                SHA512

                4eef6ed1f6adc7c6e67aaf39e603364f23cb4ffdbd0bd0345c6b654a6e776c71a1c503f4c5c219775998b74b0a28ed6fa50b1084324a7d286682e8dfbdaf3ba4

                Download Submit

              • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
                Filesize

                1024KB

                MD5

                05a5cc4f1e1e617e5b968d684a91fcc3

                SHA1

                2194d2e97be7b90764327d222abc5dbafe2a1fc4

                SHA256

                e9fcc50ea1217cdaff7bf29ad0fcdb27f596ef5a82f2f74214e8dd41c3e8605c

                SHA512

                1cb191b53d396880786cf7fd899859563d5769cc923764bdc60e80f93019a641206f8c0b9fb417dadfaafef02c5e2265f7c058b6154950ee7f21bd32d6d94513

                Download Submit

              • F:\mwgq.exe
                Filesize

                96KB

                MD5

                494daf36ecdc3fbfca70a68bca3c04b4

                SHA1

                cc3a94238f275db3563be26372db0e1c259d158e

                SHA256

                66fc2b35ac75fa0b2512296847cdff8fec10901075fbd1bee4911493bcbf76b7

                SHA512

                fe0ef14224885185838eb983d489a32e416accb24b02ee4fb826f5971882061887a9724822e9048f5e65de26785993f4251c3e505236099d763ea525e714aeca

                Download Submit

              • memory/1108-11-0x0000000000310000-0x0000000000312000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1688-17-0x0000000000620000-0x0000000000622000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1688-180-0x0000000000620000-0x0000000000622000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1688-18-0x0000000000630000-0x0000000000631000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1688-26-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-1-0x0000000001000000-0x0000000001086000-memory.dmp

                Filesize

                536KB

                Download

              • memory/1688-9-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-8-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-7-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-6-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-5-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-33-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-3-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-0-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-24-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-25-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-4-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-32-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-47-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-10-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1688-22-0x0000000000620000-0x0000000000622000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1688-23-0x0000000000620000-0x0000000000622000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1688-21-0x0000000000630000-0x0000000000631000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1688-171-0x00000000025D0000-0x000000000365E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/2616-97-0x0000000002700000-0x0000000002708000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2616-91-0x0000000002700000-0x0000000002701000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2616-90-0x0000000004240000-0x0000000004248000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2616-64-0x0000000002F40000-0x0000000002F50000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2616-48-0x0000000002E40000-0x0000000002E50000-memory.dmp

                Filesize

                64KB

                Download