Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 01:21
Static task: static1
Behavioral task: behavioral1
Sample: d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll
Resource: win7-20240708-en
General
Target: d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll
Size: 120KB
MD5: d490bad709a7d91e203aaa1f22b634ba
SHA1: 4dc62b954e2d323ca36c2a870c8030ee0705d47c
SHA256: c6dafefda47e65567f1e1845955f2282b0c3a943f45c62bb3abc63459a8a1fb4
SHA512: 9453ec5db32d2a6674a5f5a93748453f0e45f7986a89fe210a4683ba53230592803d821f33c35f1abf54c2e8ac13e2ac12379509e1e405eac302592dc90e4233
SSDEEP: 1536:vEPG3K6QDzgJqiGqrEkf+rvmGd1YO3vK0kYrz+fKvt/vp4vlWiJvAECr7ksuZDo1:vEPG3GDIquEm+KAbiyz+SBEoQAECr7p
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76bcab.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bcab.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76bcab.exe
Executes dropped EXE 3 IoCs
pid | Process
1328 | f76a0c2.exe
3012 | f76a2e4.exe
2656 | f76bcab.exe
Loads dropped DLL 6 IoCs
pid | Process
1856 | rundll32.exe (6 identical rows)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76bcab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76bcab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76bcab.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a0c2.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bcab.exe
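The registry tables above (firewall policy, EnableLUA, the Security Center overrides, and the repeat of EnableLUA under System policy modification further down) reduce to a short list of HKLM values each with one tamper value. What follows is an added example for this page, not code from the Triage sandbox or from the Sality sample: a Python rule that normalizes Sysmon-style registry events (Event ID 13, "Registry value set") to HKLM-relative paths and flags writes matching those values, labelling each with the ATT&CK technique the matrix at the end of the page names. The event dicts, image paths and the svchost/explorer control rows are constructed here to mirror the IoC rows; the ATT&CK sub-technique IDs are added from the framework, not taken from the page. The Security Center writes in the report land under Wow6432Node, i.e. they came from 32-bit code on the x64 image, so the rule folds ControlSet00N and Wow6432Node away for matching but keeps the raw path in each finding.

```python
"""Flag the defence-impairment registry writes listed in this report.

Added example for this page, not code from Triage or from the Sality sample.
Input: Sysmon-style registry events as dicts. SAMPLE_EVENTS is constructed to
mirror the IoC rows above and is not a real log.
"""
import re
from dataclasses import dataclass

FIREWALL = "Disable or Modify System Firewall (T1562.004)"
TOOLS = "Disable or Modify Tools (T1562.001)"
UAC = "Bypass User Account Control (T1548.002)"

_FWP = r"SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_WSC = r"SOFTWARE\Microsoft\Security Center"

# (HKLM-relative path, DWORD the sample writes, technique). Written without
# ControlSet00N / Wow6432Node; normalize() folds those away on the event side.
_RULES = [
    (_FWP + r"\EnableFirewall", 0, FIREWALL),
    (_FWP + r"\DoNotAllowExceptions", 0, FIREWALL),
    (_FWP + r"\DisableNotifications", 1, FIREWALL),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0, UAC),
    (_WSC + r"\AntiVirusOverride", 1, TOOLS),
    (_WSC + r"\AntiVirusDisableNotify", 1, TOOLS),
    (_WSC + r"\FirewallOverride", 1, TOOLS),
    (_WSC + r"\FirewallDisableNotify", 1, TOOLS),
    (_WSC + r"\UpdatesDisableNotify", 1, TOOLS),
    (_WSC + r"\UacDisableNotify", 1, TOOLS),
]
RULES = {path.lower(): (value, technique) for path, value, technique in _RULES}

_PREFIX = re.compile(r"^(?:\\REGISTRY\\MACHINE\\|HKLM\\|HKEY_LOCAL_MACHINE\\)", re.I)
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.I)
_WOW64 = re.compile(r"\\Wow6432Node\\", re.I)
_HEX = re.compile(r"0x([0-9a-f]+)", re.I)


def normalize(target: str) -> str:
    """Case-folded HKLM-relative path for a Sysmon or Triage registry target."""
    path = _PREFIX.sub("", target.strip())
    path = _CONTROLSET.sub(r"\\CurrentControlSet\\", path)
    path = _WOW64.sub(r"\\", path)
    return path.lower()


def value_as_int(details: str):
    """Parse Sysmon 'DWORD (0x00000001)', Triage '"1"', or a bare integer."""
    text = details.strip().strip('"')
    m = _HEX.search(text)
    if m:
        return int(m.group(1), 16)
    try:
        return int(text)
    except ValueError:
        return None


@dataclass(frozen=True)
class Finding:
    image: str
    technique: str
    target: str  # raw path, so the Wow6432Node vs native view stays visible
    value: int


def detect(events):
    """One Finding per Event ID 13 that writes a tamper value from RULES."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        rule = RULES.get(normalize(ev["target"]))
        if rule is None:
            continue
        expected, technique = rule
        if value_as_int(ev["details"]) != expected:  # e.g. EnableFirewall=1 is benign
            continue
        findings.append(Finding(ev["image"], technique, ev["target"], expected))
    return findings


def techniques_by_process(findings):
    """image -> set of techniques it triggered."""
    out = {}
    for f in findings:
        out.setdefault(f.image, set()).add(f.technique)
    return out


# Constructed events mirroring the signature rows above, plus three controls.
_A = r"C:\Users\Admin\AppData\Local\Temp\f76a0c2.exe"
_B = r"C:\Users\Admin\AppData\Local\Temp\f76bcab.exe"
_T_FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_T_WSC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
SAMPLE_EVENTS = [
    {"event_id": eid, "image": image, "target": target, "details": details}
    for eid, image, target, details in [
        (13, _A, _T_FW + r"\EnableFirewall", "DWORD (0x00000000)"),
        (13, _A, _T_FW + r"\DoNotAllowExceptions", "DWORD (0x00000000)"),
        (13, _A, _T_FW + r"\DisableNotifications", "DWORD (0x00000001)"),
        (13, _A, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
        (13, _B, _T_WSC + r"\AntiVirusOverride", "DWORD (0x00000001)"),
        (13, _B, _T_WSC + r"\FirewallOverride", "DWORD (0x00000001)"),
        # controls (constructed): firewall re-enabled, unrelated value, key creation (Event ID 12)
        (13, r"C:\Windows\System32\svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000001)"),
        (13, r"C:\Windows\Explorer.EXE", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
        (12, _B, _T_WSC + r"\Svc", ""),
    ]
]

if __name__ == "__main__":
    for image, techniques in sorted(techniques_by_process(detect(SAMPLE_EVENTS)).items()):
        print(image, "->", ", ".join(sorted(techniques)))
```

Matching on value as well as path matters: an administrator re-enabling the firewall writes the same EnableFirewall value name with 1, and only the 0 is the Sality behaviour. Keeping the raw target in the finding lets the analyst see that on this x64 image the Security Center writes hit the redirected Wow6432Node view rather than the key the service actually reads.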
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | f76a0c2.exe
File opened (read-only) | \??\I: | f76a0c2.exe
File opened (read-only) | \??\P: | f76a0c2.exe
File opened (read-only) | \??\R: | f76a0c2.exe
File opened (read-only) | \??\H: | f76a0c2.exe
File opened (read-only) | \??\K: | f76a0c2.exe
File opened (read-only) | \??\M: | f76a0c2.exe
File opened (read-only) | \??\N: | f76a0c2.exe
File opened (read-only) | \??\E: | f76a0c2.exe
File opened (read-only) | \??\J: | f76a0c2.exe
File opened (read-only) | \??\L: | f76a0c2.exe
File opened (read-only) | \??\Q: | f76a0c2.exe
File opened (read-only) | \??\E: | f76bcab.exe
File opened (read-only) | \??\O: | f76a0c2.exe
File opened (read-only) | \??\S: | f76a0c2.exe
resource | yara_rule
behavioral1/memory/1328-N-0x00000000006C0000-0x000000000177A000-memory.dmp | upx, for N in 11, 14, 17, 19, 13, 15, 22, 21, 20, 18, 16, 58, 59, 60, 62, 61, 64, 65, 81, 83, 85, 106, 107, 149 (24 dumps of the same region of PID 1328)
behavioral1/memory/2656-155-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
behavioral1/memory/2656-204-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76a13f | f76a0c2.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76a0c2.exe
File created | C:\Windows\f76f22c | f76bcab.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a0c2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76bcab.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1328 | f76a0c2.exe
1328 | f76a0c2.exe
2656 | f76bcab.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1328 | f76a0c2.exe (row repeated)
Token: SeDebugPrivilege | 2656 | f76bcab.exe (row repeated)
All 46 rows are SeDebugPrivilege adjustments by these two processes.
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 1704 wrote to memory of 1856 | 1704 | rundll32.exe | 30 (7 rows)
PID 1856 wrote to memory of 1328 | 1856 | rundll32.exe | 31 (4 rows)
PID 1328 wrote to memory of 1108 | 1328 | f76a0c2.exe | 19 (2 rows)
PID 1328 wrote to memory of 1168 | 1328 | f76a0c2.exe | 20 (2 rows)
PID 1328 wrote to memory of 1204 | 1328 | f76a0c2.exe | 21 (2 rows)
PID 1328 wrote to memory of 376 | 1328 | f76a0c2.exe | 25 (2 rows)
PID 1328 wrote to memory of 1704 | 1328 | f76a0c2.exe | 29
PID 1328 wrote to memory of 1856 | 1328 | f76a0c2.exe | 30 (2 rows)
PID 1856 wrote to memory of 3012 | 1856 | rundll32.exe | 32 (4 rows)
PID 1856 wrote to memory of 2656 | 1856 | rundll32.exe | 33 (4 rows)
PID 1328 wrote to memory of 3012 | 1328 | f76a0c2.exe | 32 (2 rows)
PID 1328 wrote to memory of 2656 | 1328 | f76a0c2.exe | 33 (2 rows)
PID 2656 wrote to memory of 1108 | 2656 | f76bcab.exe | 19
PID 2656 wrote to memory of 1168 | 2656 | f76bcab.exe | 20
PID 2656 wrote to memory of 1204 | 2656 | f76bcab.exe | 21
PID 2656 wrote to memory of 376 | 2656 | f76bcab.exe | 25
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a0c2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bcab.exe
Processes
C:\Windows\system32\taskhost.exe ("taskhost.exe"), depth 1, PID 1108
C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), depth 1, PID 1168
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), depth 1, PID 1204
C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll,#1), depth 2, PID 1704
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll,#1), depth 3, PID 1856
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f76a0c2.exe (C:\Users\Admin\AppData\Local\Temp\f76a0c2.exe), depth 4, PID 1328
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76a2e4.exe (C:\Users\Admin\AppData\Local\Temp\f76a2e4.exe), depth 4, PID 3012
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\f76bcab.exe (C:\Users\Admin\AppData\Local\Temp\f76bcab.exe), depth 4, PID 2656
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), depth 1, PID 376
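Read together, the WriteProcessMemory table and the process tree above tell two different stories. The System32 rundll32.exe (PID 1704) writing into the SysWOW64 rundll32.exe it spawns (PID 1856), and 1856 writing into the three executables it drops, are parent-to-child writes of the kind CreateProcess and the loader produce; the signal is f76a0c2.exe (1328) and f76bcab.exe (2656) writing into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, processes they did not create. The script below is an added example for this page, not code from Triage or from the sample: it parses rows in the report's own "PID A wrote to memory of B" format, uses the parent links from the tree to separate child writes from foreign writes, and lists the processes that sprayed into several foreign targets. PROCESSES and WRITE_ROWS are transcribed from the two sections above (one line per unique row) and embedded as constructed input so it runs offline.

```python
"""Separate loader writes from cross-process injection in a WriteProcessMemory table.

Added example for this page, not code from Triage or from the Sality sample.
PROCESSES mirrors the Processes tree above; WRITE_ROWS mirrors the
WriteProcessMemory rows (one line per unique row). Both are constructed input.
"""
import re
from collections import defaultdict

# pid -> (image, parent pid). Parents follow the tree's nesting; the system
# processes and the first rundll32.exe have no parent recorded on the page.
PROCESSES = {
    1108: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1204: ("Explorer.EXE", None),
    376: ("DllHost.exe", None),
    1704: ("rundll32.exe", None),
    1856: ("rundll32.exe", 1704),
    1328: ("f76a0c2.exe", 1856),
    3012: ("f76a2e4.exe", 1856),
    2656: ("f76bcab.exe", 1856),
}

WRITE_ROWS = """\
PID 1704 wrote to memory of 1856 1704 rundll32.exe 30
PID 1856 wrote to memory of 1328 1856 rundll32.exe 31
PID 1328 wrote to memory of 1108 1328 f76a0c2.exe 19
PID 1328 wrote to memory of 1168 1328 f76a0c2.exe 20
PID 1328 wrote to memory of 1204 1328 f76a0c2.exe 21
PID 1328 wrote to memory of 376 1328 f76a0c2.exe 25
PID 1328 wrote to memory of 1704 1328 f76a0c2.exe 29
PID 1328 wrote to memory of 1856 1328 f76a0c2.exe 30
PID 1856 wrote to memory of 3012 1856 rundll32.exe 32
PID 1856 wrote to memory of 2656 1856 rundll32.exe 33
PID 1328 wrote to memory of 3012 1328 f76a0c2.exe 32
PID 1328 wrote to memory of 2656 1328 f76a0c2.exe 33
PID 2656 wrote to memory of 1108 2656 f76bcab.exe 19
PID 2656 wrote to memory of 1168 2656 f76bcab.exe 20
PID 2656 wrote to memory of 1204 2656 f76bcab.exe 21
PID 2656 wrote to memory of 376 2656 f76bcab.exe 25
"""

# Columns: description ("PID <src> wrote to memory of <dst>"), pid, Process, procid_target.
_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image) tuples; lines that do not match are skipped."""
    writes = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        src, dst, pid_col, image, _target_idx = m.groups()
        if src != pid_col:  # the pid column repeats the writer; a mismatch is a bad parse
            raise ValueError(f"inconsistent row: {line!r}")
        writes.append((int(src), int(dst), image))
    return writes


def is_child_write(src, dst, processes=PROCESSES):
    """True when dst is a direct child of src: the ordinary CreateProcess/loader case,
    which is why Triage labels every such write only 'suspicious'."""
    return processes.get(dst, (None, None))[1] == src


def injection_map(writes, processes=PROCESSES):
    """src pid -> sorted 'image:pid' list of targets that are NOT its children."""
    targets = defaultdict(set)
    for src, dst, _image in writes:
        if not is_child_write(src, dst, processes):
            image = processes.get(dst, ("<unknown>", None))[0]
            targets[src].add(f"{image}:{dst}")
    return {src: sorted(t) for src, t in targets.items()}


def sprayers(writes, processes=PROCESSES, min_targets=3):
    """Writers that hit at least min_targets foreign processes: the
    inject-into-every-running-process pattern both payloads show above."""
    return {src: t for src, t in injection_map(writes, processes).items()
            if len(t) >= min_targets}


if __name__ == "__main__":
    for src, targets in sorted(sprayers(parse_writes(WRITE_ROWS)).items()):
        name = PROCESSES[src][0]
        print(f"{name} ({src}) wrote into {len(targets)} foreign processes: " + ", ".join(targets))
```

With the page's data this leaves exactly two writers: 1328 with eight foreign targets (the four system processes, both rundll32 instances and its two sibling droppers) and 2656 with the four system processes. The parent map is the part that needs care on a real host: Sysmon Event ID 1 or the sandbox tree supplies it, and without it every CreateProcess would look like injection.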
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 256B
MD5: c35bb2a7e443115b40e8eed872a365fc
SHA1: 6c03cd207fe1264bdac38ac7249a0b1152866979
SHA256: 0cb1c4cf737ad3dad26918a67fa217365dc92ae412faa3912a3ed942d36e0888
SHA512: 6ca79129b7e67ff2fe43ed2ea42b84558c0c66eedcaf94ef96a1a02b8f5d6c35f0a115d661542a83b62f48ee1806bd9b9549395e0f998ce01ca85fdd2a92113f
Filesize: 97KB
MD5: 2ea5b245fd74a96d63bcb80b996b285b
SHA1: 13af52f29d5b56ee7d2c22a59c88094a6fad6e40
SHA256: 2b3d643b9bfd9bc80a5cd835a6b0bbbaf75c5a356bfa01c4e665b941ca455d14
SHA512: 5516afeaef3c303e750f1008159676a4af7e29cff327176b74ff853b54f1424a1f67b0a050fd91297bd87f944bee60f34b33f33d097c08e3620b6a70c305db07