Analysis
-
max time kernel
26s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 21:40
General
-
Target
97572437b6a78aaaa9d7925a3e3c48a3_JaffaCakes118.dll
-
Size
252KB
-
MD5
97572437b6a78aaaa9d7925a3e3c48a3
-
SHA1
20ec3cfc185ce474f4d86bf87a6dded70183ef61
-
SHA256
815e55850982ba8ef596047737c5ee717dfbe1bc68887a46fc78ed7962201dde
-
SHA512
cd757eec776d091a4a8265d6a9be0cceb07bd618405f81b32435ba54765fdf98081cb1316526a97cfa7bc2369cc445415854eefb74994bc5a9d93fc4577b1d78
-
SSDEEP
6144:dTa12CoCckAe8a0jbUjmJmdG/i8OJQvdjl2psxtd89:ik3djbo4mAK8eQvJ4psx89
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 3 IoCs
-
Disables RegEdit via registry modification 3 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\97572437b6a78aaaa9d7925a3e3c48a3_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\97572437b6a78aaaa9d7925a3e3c48a3_JaffaCakes118.dll,#13⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:17410 /prefetch:27⤵
- UAC bypass
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"8⤵
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"8⤵
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"8⤵
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5004 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 6084⤵
- Program crash
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1152 -ip 11521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5539399c9f7153f78b67cde1bcdea163f
SHA16cb6e4936d546c17549aec9431a2af7c31bb3c3a
SHA25627b9528028887b2d852cae2cb55efb965fc13dfa0882f85d6236814f7eb0ad65
SHA51211836ba1429de7d15b9eb33b4852b0c71872149e9d448959c366aca1db75796446a86ee5c40b274ac3102d5395c7197d4dc2cd11b32754538aa6883e0ebdbf17
-
Filesize
404B
MD5e8501e15064a24e323c8fd718d5e3083
SHA1904ac96b6b298efb8904bf52fdd4b6b50eefbafd
SHA25620d1d1e00d3507b68cd48cd2187b150637fe3f6149b1a9bcd07a6414afe29a5f
SHA512317499143aa7e73d0080c7d279a8317794faccbf080668be7511779523e151bc8a1813cc15e582ba93b3d13944ebbb4c69038f9a0c430b51e1d672458cdda94a
-
Filesize
5KB
MD5640e522d69ac2994690fec9ee94b28ce
SHA1df102316b81c1f643b7b64ef7807c5be214c74f5
SHA2563ed5377d387efd7f4caa1ac47406316b417a8f69c9b755334c65b56446bafcf3
SHA5127d348665698899c3460d883e60bab8e3b20db0234ae5bf6123b1c93db162f1002995a3c845b41d5c9910501b3a1e4ca6142443e6a7ffa1eac8a7c2d977af35d0
-
Filesize
3KB
MD53eea06e5652cfb88329b9e51f8adf8ed
SHA1230bbbc15266f3f9ca9d0552b48179d67a31684a
SHA256acfe597e82b850843c27d7f5e1cadf9f214259f55b39802a652274c790e61e86
SHA51238db594a83c6849897dc7d75e68a4d25ee9d4009df020096bbb1d9a4dd8345238207a12dd89ff90726e220fb414973b24e3ea8ec3ccecdf5df71f5650bca9b1b
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
255B
MD5ce78647cb79816e1a7107b364fc97d6c
SHA14af4b4786a6b1031733919ff4577b83bf7458872
SHA2568b8b0c651eb3548b24260fb0aad9bc301a5215fbd5512e3892a34e2f174428c3
SHA51239e3213534c6e84297bfb6ced9b757e03ff63a1876d117683627c3073d8f81882fba79e8ac916de2a59cae314a53efe42bcdb404048003c6b816ec28f112b924
-
Filesize
187KB
MD527fdabf7c440551ce0d41832bb40e0e4
SHA1c3a6f07789562c1edbea44197a3f6cb3f6d345c9
SHA25652f26137f9a813c374e5bca7ae97f2f31c1f8084276944fdc5e97df7a69a86c4
SHA5124c13cfe5ed6741933d83ba0af39bd9cc544033328fe015b5ec1f1eff358e54764814f60085c0b4528034e2e8ab2f94694e186b27d9e66e42e01391ba20f38df5
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
84KB
-
Filesize
40KB
-
Filesize
16KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
252KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
8KB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
252KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
252KB