Analysis
-
max time kernel
14s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
16-07-2024 09:42
General
-
Target
4dc3056d771e553df08b4f1fd1ec1c9c_JaffaCakes118.exe
-
Size
2.4MB
-
MD5
4dc3056d771e553df08b4f1fd1ec1c9c
-
SHA1
eb8c8106f5f86b0b28b803e73d2558c59072de8c
-
SHA256
9d8e918ee0cc27fa240659a022b23a542b83dae95bf86d341f89582f619b557c
-
SHA512
aa58ecebffb250cf749082098177e3de945e9c4e35e7674f6f7456fc7d48426d65a2be3d92390557dafc0781825ee4613dee84c7b7bbcd888da76d65736182d0
-
SSDEEP
49152:M0r+eSD+HTaRbHRAaLlzRIBrLbakBen7z4JA3iOCjLyGD0H/Mw:M0ZSDcOhNpqBrncou3i1m7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detects Strela Stealer payload 1 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc3056d771e553df08b4f1fd1ec1c9c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4dc3056d771e553df08b4f1fd1ec1c9c_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD53f18a5a90407c2031ebc82a1180d4650
SHA1dd2448f8d7ea325b49ad515db1235c7fc9c12617
SHA256cdc4d30c679097135fc6167998b9b359a74dee6a90f311c165021a92d770a9cc
SHA5127dde674f35d88da63f7b9eda9c9981d806ccf9ab5d1a056f1b7b2df7dae9fca18cdd3e6395bbd3c7f50cad1ba8ae0d7f628880ffb9e9c82af6bdbf9b04f48926
-
Filesize
257B
MD540f6020647f15be713442169c28831c1
SHA12f5acfdb0c4c6f9dee1098a9088fadb16bc1bda9
SHA256a5de767c835f77d39e02c7cbd4da49c0076c40ada83fb352b7baa37105541f73
SHA5122c619e228b7805e95e5f1b78753b086be89d7b0c38d08f8707a71c96288a6321cc98ff39ae7da1e0642c777b2e0a617388c99aa0f2e31cc7214d9c5062a1f0b1
-
Filesize
100KB
MD5679d002b447941a98fe2c05e5c85e01d
SHA1ba752c2817bc7e16b3be86f49b906b21ba920c46
SHA2563e15fb4aa1722eb937c9060ccb8a7314a901b5c42c21f63e7380269c9c8e9c23
SHA512487c2a2b378b6a5d092ad211b08365f050e7afc910622ccbf5de2bc8294cac754fda2c6e1136dca5e66ad7b9d69645fd464162de2b72a389fb136b59358e8964
-
Filesize
5.8MB
MD52e13e03b7cf2d8c8338bbc3d29fd3e07
SHA1173e6e67c5315474765dcd303b3214d5600c48ea
SHA256ea1552de423ed1768bace344d9a07bf529845c75fe6fc6ce3c4ba91d4aae5409
SHA51294220a07aea2f4a45ef6b7566baba5a9ce73e70236bf97fc2489bee50b662f3fd05824d7804dd544eef85d73e69091aaae5de3094f0866bf51521024eb3d168d
-
Filesize
792KB
MD58fea8fd177034b52e6a5886fb5e780bd
SHA199f511388a2420d53b8406baed48ba550842eaad
SHA256546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de
SHA5125d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696
-
Filesize
11KB
MD5959ea64598b9a3e494c00e8fa793be7e
SHA140f284a3b92c2f04b1038def79579d4b3d066ee0
SHA25603cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA5125e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
-
Filesize
2.4MB
MD54dc3056d771e553df08b4f1fd1ec1c9c
SHA1eb8c8106f5f86b0b28b803e73d2558c59072de8c
SHA2569d8e918ee0cc27fa240659a022b23a542b83dae95bf86d341f89582f619b557c
SHA512aa58ecebffb250cf749082098177e3de945e9c4e35e7674f6f7456fc7d48426d65a2be3d92390557dafc0781825ee4613dee84c7b7bbcd888da76d65736182d0
-
Filesize
1.0MB
MD51fd3f9722119bdf7b8cff0ecd1e84ea6
SHA19a4faa258b375e173feaca91a8bd920baf1091eb
SHA256385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
SHA512109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6
-
Filesize
340KB
MD5ca2f560921b7b8be1cf555a5a18d54c3
SHA1432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA51223e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
816KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB