General

  • Target

    eeb519eaefb64bc433463231d840bf14_JaffaCakes118

  • Size

    3.0MB

  • Sample

    240921-ag2ccawdkj

  • MD5

    eeb519eaefb64bc433463231d840bf14

  • SHA1

    5139f70546eabb86a7d2ba5529037d8ee28b7e3d

  • SHA256

    ed41bd0246b8f3ff6ed065d29c2dd8507d106fb5186e0ceb0bebc6339e5375b8

  • SHA512

    ed60dfc4a3d0772a9610e1e457a1bc60101f12c54d9c2cd772e23a242852e4ffb5b489c722b958662309bc2c4d047d6566ab92383700ee9b785d22cb1e246254

  • SSDEEP

    49152:l6LEUa87XCQc/UKPJ6F+j7zH6FygD35+rgo2Oo1q:B

Malware Config

Targets

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Indicator Removal: Network Share Connection Removal

      Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

    • Server Software Component: Terminal Services DLL

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks