Extracted

• • Target

    472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118

  • Size

    5.9MB

  • MD5

    472208d7ba18d4c14b7e90b9db5d6feb

  • SHA1

    ff24cc43998ff99e61b1a838e1d51c4888498935

  • SHA256

    ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d

  • SHA512

    9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15

  • SSDEEP

    49152:awptF+Srb/TkvO90dL3BmAFd4A64nsfJ9KN5/Jf/LnBqOvF319Gh7TF7meaKBdZE:awNxKDmAQQQQQQQQQQQQQ

  Score

  10^/10

  servhelperbackdoordefense_evasiondiscoveryexecutionexploitlateral_movementpersistencetrojanupx

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    lateral_movement

  • Blocklisted process makes network request

  • Indicator Removal: Network Share Connection Removal

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

    defense_evasion

  • Modifies RDP port number used by Windows

  • Possible privilege escalation attempt

    exploit

  • Server Software Component: Terminal Services DLL

    persistence

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2