Overview

overview

10

Static

static

3

96faee621b...18.exe

windows7-x64

10

96faee621b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 17:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe

  • Size

    689KB

  • MD5

    96faee621b3bd4b492fd7fe7656cab47

  • SHA1

    ae86bcc70b10e6f5486c6582a3a052ce1bb0a26c

  • SHA256

    3db3bdab9b5bb686e68c2c4697b3c24be21ea3d9584da3c171211aefd5a59751

  • SHA512

    92a426b7c1477156bfe21dc9d169abe692736b5a648c9dee6c270c7cd7766bf0b96fc2c610785b6296002f175a7a9130b2c007f86b255707c043c5d3a8167b94

  • SSDEEP

    12288:4aA8GifKcqKCoVxug3YC5fva3I/zLmt6is6jgCLpcres/NSWW24H6t:4aA8GifKc1CoVUufi3I/zCt7jFarfEjQ

Score
10/10
salitybackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1104
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
            2⤵
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Windows\svchost.exe
              "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2668
              • C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Loads dropped DLL
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops autorun.inf file
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2812
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1672
          • C:\Windows\svchost.exe
            C:\Windows\svchost.exe
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2684

          Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Replication Through Removable Media

                1
                T1091

                Execution

                Persistence

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Component Object Model Hijacking

                1
                T1546.015

                Privilege Escalation

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Event Triggered Execution

                1
                T1546

                Component Object Model Hijacking

                1
                T1546.015

                Defense Evasion

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                4
                T1562

                Disable or Modify System Firewall

                1
                T1562.004

                Disable or Modify Tools

                3
                T1562.001

                Modify Registry

                5
                T1112

                Credential Access

                Discovery

                Peripheral Device Discovery

                1
                T1120

                Query Registry

                2
                T1012

                System Information Discovery

                3
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Lateral Movement

                Replication Through Removable Media

                1
                T1091

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
                  Filesize

                  1.2MB

                  MD5

                  501e69a8ed8eefc4023ec5e7cf0c634d

                  SHA1

                  6a688e9543f34de154a4e323d13f20b77d432275

                  SHA256

                  8f808c746a3eeae33f4abbef14ec46004f5a69534c0885e48d431ce226680b9a

                  SHA512

                  3a7c9266ffc484626896cc6d114b9dc554d16ea9f8d2059b36614f068799fdf39d5bf11eca25eb8b8d1108731433210958d76fec8d6ac5b2215b80a800236ec5

                  Download Submit

                • C:\MSOCACHE\ALL USERS\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
                  Filesize

                  922KB

                  MD5

                  461482d079e06cc8cd6c62ac521b1390

                  SHA1

                  f8d197b3d8d16cb4081d8ff47cb807d4ab3d9fd5

                  SHA256

                  92a0401be747b8f269013b3c5b1fffafdb8fe50a5157bff55f74b4a291352f8f

                  SHA512

                  d3f45d874f62943d745b08451b98ec0c1cfb5eb855a1d1de82296e49123759933bba42b954ec22d13ffef48f902bde1bb222145f6e6abed4df640c7b28658384

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
                  Filesize

                  653KB

                  MD5

                  ee4d4710f36f8e9f4609e564fa451eca

                  SHA1

                  65e0197ca7fc31a8414fc12b1469a4f429a94dfb

                  SHA256

                  7f1f5df1bcc6eeb884082d32594fc760dc7e1eec577ae78906eee1eea2801bd4

                  SHA512

                  7bba7c1b8fdf02053dbb99210fbc891f2d9fbd035e3498bf46ef8ea98bc116453bae46ebf034689078b8b45207d165ff7473fd55305286c7efbe887909784105

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\nsy173A.tmp\UtilsPlugin.dll
                  Filesize

                  10KB

                  MD5

                  73ee934f37fc4d3dfa890ea5ec30db1d

                  SHA1

                  ede6561cb69c3b9c6dc6a05b82cbee9b48e487cd

                  SHA256

                  23be0b6141f07696b5ac41dbf633c5f18592b5c15d39a3eb8b5ffb65c7eb6aac

                  SHA512

                  a0ee0b3ad08240ee20b154a5237471c46bcaf7f9753fca3428a48ccb9a31c05054d469dc87b96e5d44a15370ca45ae4d255db5cbc750e49aaa1fae4610c36568

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\nsy173A.tmp\ioSpecial.ini
                  Filesize

                  1KB

                  MD5

                  e5d27a2c4563b83ed3c0770de07a9630

                  SHA1

                  fd5347c641a7bd372af3fc20dd7954e76ddf7b6b

                  SHA256

                  5ccc34e737411b2bc4f2ba93487acad695ee383fc81c465a3743747a43a2e086

                  SHA512

                  f6c53e3e905930e63e53a99add915ef26ddead0610749c254082b71cecbb7c0c48f862802b1b302031f37db400560671b177a7e16339fea884f0c4538e0751d9

                  Download Submit

                • C:\Windows\svchost.exe
                  Filesize

                  35KB

                  MD5

                  9e3c13b6556d5636b745d3e466d47467

                  SHA1

                  2ac1c19e268c49bc508f83fe3d20f495deb3e538

                  SHA256

                  20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

                  SHA512

                  5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

                  Download Submit

                • F:\btvj.exe
                  Filesize

                  100KB

                  MD5

                  1fbb7b197c36eed264618a46f170b63b

                  SHA1

                  5296d760c3bb9f806cf8dff3d50e22038188dfe3

                  SHA256

                  0ee956703c2246a591c715669a60e06d77b97945a28ed502cb4ddbb9405b5236

                  SHA512

                  3bdeedcc62e4953a06474728e6acd71945cb87af20ef342c8467b90ede0e7091c2475c17a143c09a6963a22307c59c9ed28ec3c7f8b65a52485d40b2961733c4

                  Download Submit

                • \Users\Admin\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx
                  Filesize

                  168KB

                  MD5

                  8848c71c4195d1f5c1c4a0190b2650d5

                  SHA1

                  ff722087919ebb2e5da5ff759401062f24f42432

                  SHA256

                  fdc509bd26642700e71ff9c0d508e2d5275581f0896b90a2408f6c67730eb702

                  SHA512

                  3ecf9b2d0ed1c0d9b974eaae2404156885f065b97882e8f94cf46eca08092b64afe6c399e8c4c14c3ed171b4d9090d29ebffa506453897aad43f7b3443cdbbfb

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nsy173A.tmp\InstallOptions.dll
                  Filesize

                  15KB

                  MD5

                  605878b664b6c4ddefd73918fc45a440

                  SHA1

                  68328d6a9ce62a668bbe12878af26c1f1d0e3f82

                  SHA256

                  7b3a3bf008489b61de83b94a63db4556cae5de80701a2e1ebdf9a025b3b631c4

                  SHA512

                  c83eea75288272c3fb72aca2486581127dc4875ee80165511c38d32d3cb7e553836249df79358fc5d0ec5d7aef183c888c2df03ea688d163984cdd919255da26

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nsy173A.tmp\System.dll
                  Filesize

                  11KB

                  MD5

                  d0d7d2799802f7cddf8db7a2d8ae1e23

                  SHA1

                  ae8d8cfd9f1a7104036a9e8658f50f9c35c7a1c6

                  SHA256

                  828819614dc0dbfb73f22d4c3712e6369230eab92819c5d4efe75870ee109a5a

                  SHA512

                  2b5af0e34720eb2f5b0aa04b589b46fb4b4d344b5c5d23fdd382348b051ac9766ff80f6a2455ef66da78ba880e8ce41b23daf741033de7701ca3f17f1adde408

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nsy173A.tmp\UserInfo.dll
                  Filesize

                  4KB

                  MD5

                  13a689123cebd31c1d1862e05981beca

                  SHA1

                  0430094a1a0f639ba9bf5831c24f1f4330762a6d

                  SHA256

                  386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf

                  SHA512

                  0663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae

                  Download Submit

                • memory/1104-52-0x0000000000320000-0x0000000000322000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2252-5-0x0000000000400000-0x0000000000443000-memory.dmp

                  Filesize

                  268KB

                  Download

                • memory/2668-18-0x0000000000400000-0x000000000040D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/2668-14-0x0000000000320000-0x0000000000396000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2684-190-0x0000000000400000-0x000000000040D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/2812-24-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-181-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-45-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-25-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-29-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-26-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-21-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-27-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-177-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-22-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-19-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-64-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2812-65-0x00000000043B0000-0x00000000043B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2812-15-0x0000000000400000-0x0000000000476000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2812-67-0x00000000043B0000-0x00000000043B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2812-68-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2812-180-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-23-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-182-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-184-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-186-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-188-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-71-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2812-192-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-201-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-46-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-202-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-207-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-210-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-212-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-214-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-238-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-243-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2812-176-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download

                • memory/2812-178-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                  Download