Analysis
max time kernel
122s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
14-07-2024 16:49
Static task
static1
Behavioral task
behavioral1
Sample
46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
General
Target
46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Size
205KB
MD5
46adca4a892dc48862ba393d45d27745
SHA1
2bb1fb8c9f907fdfaea108f5cec438a416c83a6e
SHA256
2466475118603cf9ac0f193d48a9971783b8911a50238c55894909d2e09cce75
SHA512
5fe136a3de59093670a838099ddb4e548afc69cfe61ec3c255c3a78088f06cae073de2b1e0fce829855a972a7149cf8a913d583ad001d918ee85f772384cdd85
SSDEEP
6144:ltZ9O0jcNFPwWW3V4gCrV8g88YMG9YccWpL80fj:7OacNFIFatrg9YccWpD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Au_.exe
UAC bypass 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
Windows security bypass 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe
Note that every Security Center path sits under Wow6432Node: the sample is an x86 binary (see the resource tags) running on the x64 VM, so its writes to HKLM\SOFTWARE are redirected into the WOW64 view.
Deletes itself 1 IoCs
pid Process
2360 Au_.exe
Executes dropped EXE 1 IoCs
pid Process
2360 Au_.exe
Loads dropped DLL 4 IoCs
pid Process
2516 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
2360 Au_.exe
2360 Au_.exe
2360 Au_.exe
UPX packed file 33 IoCs
Memory dumps of PID 2516 and PID 2360 that match the upx YARA rule.
resource yara_rule
behavioral1/memory/2516-13-0x0000000002400000-0x00000000034BA000-memory.dmp upx
behavioral1/memory/2360-N-0x00000000023B0000-0x000000000346A000-memory.dmp upx, for N in 21, 23, 24, 25, 26, 35, 41, 42, 43, 44, 59, 60, 61, 62, 63, 65, 66, 68, 69, 72, 73, 82, 83, 85, 88, 90, 94, 96, 99, 100, 101, 108 (32 dumps of the same region of Au_.exe)
Windows security modification 7 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe
Checks whether UAC is enabled 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\X: Au_.exe, for X in E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y (20 drive letters)
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf Au_.exe
File opened for modification F:\autorun.inf Au_.exe
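The drive sweep and the autorun.inf drops above are what a responder checks first on any volume that was attached to the infected host. The following is an added example, not Triage's code and not part of the sample: it walks a list of volume roots, parses the [autorun] section of any autorun.inf it finds, and reports which launch directive (open, shellexecute or shell\open\command) it carries and whether the referenced file is actually present on that volume. The autorun.inf content in demo() is constructed for the example; the report does not show what the sample wrote. Function names and the windows_roots() helper are my own.

```python
"""Find autorun.inf files on volume roots and pull out what they would launch (added example)."""
import os
import string
import tempfile

# Directives that make Windows run something when the volume is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Return {directive: value} from the [autorun] section; keys are case-folded."""
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_target(value: str) -> str:
    """First token of a launch directive, honouring a quoted path with spaces."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def scan_roots(roots) -> list:
    """For each root holding an autorun.inf, report launch directives and whether the target exists."""
    findings = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # not mounted or unreadable: skip rather than abort the sweep
        inf = next((n for n in names if n.lower() == "autorun.inf"), None)
        if inf is None:
            continue
        with open(os.path.join(root, inf), encoding="utf-8", errors="replace") as fh:
            directives = parse_autorun(fh.read())
        for key in LAUNCH_KEYS:
            if key in directives:
                target = launch_target(directives[key])
                findings.append({
                    "root": root, "directive": key, "target": target,
                    "target_present": os.path.exists(os.path.join(root, target)),
                })
    return findings


def windows_roots() -> list:
    """Existing drive roots D: .. Z: (the report shows the sample probing E: .. Y: the same way)."""
    return [f"{d}:\\" for d in string.ascii_uppercase[3:] if os.path.exists(f"{d}:\\")]


def demo() -> list:
    """Build a constructed volume in a temp dir and scan it, so the example runs without real media."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n")  # constructed content
    with open(os.path.join(root, "setup.exe"), "wb"):
        pass
    clean = tempfile.mkdtemp()
    return scan_roots([root, clean, "/nonexistent-root"])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live Windows host call scan_roots(windows_roots()); a finding whose target is present on the same volume is the case to treat as a spreading mechanism and hash the target against the Downloads section.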
Drops file in Program Files directory 5 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe Au_.exe
File opened for modification C:\Program Files\7-Zip\7z.exe Au_.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe Au_.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe Au_.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe Au_.exe
All five targets are executables that already exist on the VM image; opening them for modification, together with the sality config extraction, is the pattern of a file infector patching host binaries rather than dropping new files.
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\f76a499 Au_.exe
File opened for modification C:\Windows\SYSTEM.INI Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 2 IoCs
resource yara_rule
behavioral1/files/0x0007000000016d21-7.dat nsis_installer_1
behavioral1/files/0x0007000000016d32-28.dat nsis_installer_1
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process
2360 Au_.exe (12 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2360 Au_.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process
Token: SeDebugPrivilege 2360 Au_.exe (30 occurrences)
Suspicious use of WriteProcessMemory 55 IoCs
description pid Process procid_target
PID 2516 wrote to memory of 2360 2516 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe 30 (7 occurrences)
PID 2360 wrote to memory of 1112 2360 Au_.exe 19
PID 2360 wrote to memory of 1168 2360 Au_.exe 20
PID 2360 wrote to memory of 1216 2360 Au_.exe 21
PID 2360 wrote to memory of 832 2360 Au_.exe 23
(the four Au_.exe rows repeat in that round-robin order for the remainder of the table)
The first group is the parent (2516) writing into the child it spawned (Au_.exe), which is normal process start-up. The rest are Au_.exe writing into taskhost.exe (1112), Dwm.exe (1168), Explorer.EXE (1216) and DllHost.exe (832), none of which it created: cross-process writes into pre-existing session processes, i.e. injection.
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
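The firewall policy, Security Center and EnableLUA rows in this table (the Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled and System policy modification entries above) are a small, fixed set of registry values that registry telemetry can be matched against directly. The following is an added example, not Triage's code and not the sample's: it parses rows in the report's own 'Set value (type) <key> = "<value>" <process>' format, folds the WOW64 view (Wow6432Node) and ControlSetNNN onto the native key so a 32-bit and a 64-bit writer score the same, and attributes each hit to the ATT&CK sub-technique the MITRE section lists. The sample rows are constructed from this report plus one benign explorer.exe row for contrast; the ATT&CK IDs are the standard ones, while the indicator table, thresholds and function names are my own.

```python
"""Score registry-write rows for security-control tampering (added example)."""
import re
from collections import defaultdict

# Constructed input: the report's IoC rows plus one benign row (explorer.exe) that must not score.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe
"""

SET_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<val>[^"]*)" (?P<proc>\S+)$')

# (normalised key tail, value name, value that means "tampered", ATT&CK sub-technique)
INDICATORS = [
    ("firewallpolicy\\standardprofile", "enablefirewall",         "0", "T1562.004"),  # Disable or Modify System Firewall
    ("firewallpolicy\\standardprofile", "donotallowexceptions",   "0", "T1562.004"),
    ("firewallpolicy\\standardprofile", "disablenotifications",   "1", "T1562.004"),
    ("policies\\system",                "enablelua",              "0", "T1548.002"),  # Bypass User Account Control
    ("security center",                 "antivirusoverride",      "1", "T1562.001"),  # Disable or Modify Tools
    ("security center",                 "antivirusdisablenotify", "1", "T1562.001"),
    ("security center",                 "firewalloverride",       "1", "T1562.001"),
    ("security center",                 "firewalldisablenotify",  "1", "T1562.001"),
    ("security center",                 "updatesdisablenotify",   "1", "T1562.001"),
    ("security center",                 "uacdisablenotify",       "1", "T1562.001"),
]


def normalise_key(key: str) -> str:
    """Lower-case, map the kernel path prefix to HKLM, fold the WOW64 view and ControlSetNNN."""
    key = key.lower().replace("\\registry\\machine\\", "hklm\\")
    key = key.replace("wow6432node\\", "")
    return re.sub(r"controlset\d{3}", "currentcontrolset", key)


def score_rows(rows: str) -> dict:
    """Return {process: {technique: [value names hit]}} for every row matching an indicator."""
    scores = defaultdict(lambda: defaultdict(list))
    for line in rows.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # 'Key created' rows carry no value to compare against
        key, _, name = m["path"].rpartition("\\")
        key = normalise_key(key)
        for tail, vname, bad, tech in INDICATORS:
            if name.lower() == vname and key.endswith(tail) and m["val"] == bad:
                scores[m["proc"]][tech].append(name)
    return {proc: dict(techs) for proc, techs in scores.items()}


def tampering_processes(scores: dict, min_techniques: int = 2) -> list:
    """Processes that hit at least min_techniques distinct sub-techniques (my threshold, not Triage's)."""
    return sorted(p for p, t in scores.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    result = score_rows(SAMPLE_ROWS)
    for proc, techs in result.items():
        for tech, names in techs.items():
            print(f"{proc:14} {tech}  {', '.join(names)}")
    print("tampering:", tampering_processes(result))
```

Requiring two distinct sub-techniques before calling a process out keeps a lone EnableLUA change (which an administrator can legitimately make) below the bar, while the firewall-plus-Security-Center combination seen here trips it.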
Processes
C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  depth 1, PID 1112
C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  depth 1, PID 1168
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 1, PID 1216
  C:\Users\Admin\AppData\Local\Temp\46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe"
    depth 2, PID 2516
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      depth 3, PID 2360
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  depth 1, PID 832
A copy named Au_.exe under %TEMP%\~nsu.tmp, relaunched with _?=<directory>, is the standard self-copy-and-relaunch of an NSIS uninstaller (InstallOptions.dll under $PLUGINSDIR, submitted as the other behavioral task, is a stock NSIS plugin). Every malicious signature in this run is attributed to that relaunched copy, PID 2360; the submitted file itself (PID 2516) only stages it.
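The process tree above gives the parent/child relations that the WriteProcessMemory table in the Signatures section lacks, and combining the two is what separates injection from ordinary process creation. The following is an added example, not Triage's code and not the sample's: it counts (writer, target) pairs from rows in the report's own 'PID <src> wrote to memory of <dst> <src> <image> <procid_target>' format and flags every pair where the target is not a child of the writer. The rows and the process table are constructed from this report; the parent of PID 2516 is an assumption read off the tree nesting (the sample sits under Explorer.EXE), and the function names are my own.

```python
"""Flag cross-process memory writes that do not match a parent-to-child launch (added example)."""
import re
from collections import Counter

# Constructed rows in the report's format: PID <src> wrote to memory of <dst> <src> <image> <procid_target>
SAMPLE_WPM = """
PID 2516 wrote to memory of 2360 2516 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe 30
PID 2516 wrote to memory of 2360 2516 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe 30
PID 2360 wrote to memory of 1112 2360 Au_.exe 19
PID 2360 wrote to memory of 1168 2360 Au_.exe 20
PID 2360 wrote to memory of 1216 2360 Au_.exe 21
PID 2360 wrote to memory of 832 2360 Au_.exe 23
PID 2360 wrote to memory of 1112 2360 Au_.exe 19
PID 2360 wrote to memory of 1168 2360 Au_.exe 20
PID 2360 wrote to memory of 1216 2360 Au_.exe 21
PID 2360 wrote to memory of 832 2360 Au_.exe 23
"""

# pid -> (image, parent pid); None = parent not shown in the report.
# The parent of 2516 is an assumption taken from the tree nesting (sample under Explorer.EXE).
PROCESSES = {
    832:  ("DllHost.exe", None),
    1112: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1216: ("Explorer.EXE", None),
    2516: ("46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe", 1216),
    2360: ("Au_.exe", 2516),
}

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_writes(rows: str) -> Counter:
    """Count (src pid, dst pid) pairs; lines that do not match the row format are skipped."""
    pairs = Counter()
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            pairs[(int(m["src"]), int(m["dst"]))] += 1
    return pairs


def find_injection(rows: str, processes: dict) -> list:
    """Writes into a process the writer did not spawn, sorted by (src, dst)."""
    hits = []
    for (src, dst), n in parse_writes(rows).items():
        dst_image, dst_parent = processes.get(dst, ("<unknown>", None))
        if dst_parent == src:
            continue  # expected: a parent writes its child's start-up data before the child runs
        hits.append({
            "src": src, "src_image": processes.get(src, ("<unknown>", None))[0],
            "dst": dst, "dst_image": dst_image, "writes": n,
        })
    return sorted(hits, key=lambda h: (h["src"], h["dst"]))


if __name__ == "__main__":
    for h in find_injection(SAMPLE_WPM, PROCESSES):
        print(f'{h["src_image"]} ({h["src"]}) -> {h["dst_image"]} ({h["dst"]}): {h["writes"]} writes')
```

The only benign case modelled is the parent-to-child write, which is all a sandbox table needs; on a live host the same rule would also need an allow-list for debuggers and security agents that legitimately write into other processes.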
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize 133KB
MD5 2051a9e046a3960a56283448f8e0938f
SHA1 24e09f7dcbff832c61698eab56dec42ba6f173e2
SHA256 9b938cc81d62e435b3f244faec359e57dec68a6ab7c2661c6b86184902ebb6ec
SHA512 eedd8468941fc7793861d56df6307922e405ea6653397f7a20199d310755ed1bbc914099c020bf7ed65530972d3f33f5a0b0e2563c604af699bfb483b4627788

Filesize 97KB
MD5 69f11f80c74fcfe253d6f235cd72a13e
SHA1 78576949da5c4388c99bf6397a7b8bd405a12e08
SHA256 f880699edcba5a9f2784f7ae2ece24ef0e0397bef762ba9338bc3fb621cbee93
SHA512 06a8d016182a9702ea3eeb4d18d6ab5559f6685bc7a88ac51cbd70f7622dcf59dd4bd0aae4428e3269571c5da0d3fef44f8da6b1eaf6fcdc64655df8728e018e

Filesize 205KB (the submitted sample; hashes match the General section)
MD5 46adca4a892dc48862ba393d45d27745
SHA1 2bb1fb8c9f907fdfaea108f5cec438a416c83a6e
SHA256 2466475118603cf9ac0f193d48a9971783b8911a50238c55894909d2e09cce75
SHA512 5fe136a3de59093670a838099ddb4e548afc69cfe61ec3c255c3a78088f06cae073de2b1e0fce829855a972a7149cf8a913d583ad001d918ee85f772384cdd85