Extracted

• • Target

    4854d8c74fcf1aeb5138075a5b029f91_JaffaCakes118

  • Size

    5.7MB

  • MD5

    4854d8c74fcf1aeb5138075a5b029f91

  • SHA1

    375a02de564add94066335e4daa8e7233f0b4c05

  • SHA256

    1826d874e7b2798a9c7e12af91f4ab3466c798ca7c26b6a1ac76bbdfc221cb1f

  • SHA512

    1e47dd787053bf2963b8760d93daffbe9f285f8d60a6264ca6f90cd9dad5701cdc4f8c44461dcc15105b9b8a23cdc83dea985df7611e3a9451a4c4cce41c959a

  • SSDEEP

    49152:UsAnsrrb/T/vO90dL3BmAFd4A64nsfJ13Dd95+bC+dTfixrrAq/n55SyZuKnyed7:UsPQzdtmAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordiscoveryexecutionexploitpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Server Software Component: Terminal Services DLL

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1behavioral2