Overview

overview

10

Static

static

3

dc583564e3...18.dll

windows7-x64

10

dc583564e3...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc583564e351eb52bc3c24dde675570f_JaffaCakes118.dll

  • Size

    120KB

  • MD5

    dc583564e351eb52bc3c24dde675570f

  • SHA1

    7c8b82a12d9f328191bf13173596c4dccbf6bf2a

  • SHA256

    518f77c280c7b3c7761eaa9054aa19b01da68d164db16a6717789a5c947ac1f9

  • SHA512

    c5654d97044c31f98d7a3d47128b89116118f300a6180eaf9826482d5d8457fe6f1d04f1067b79b3466475d31b2934534fd339226e90da6f670d5fac5e15ff06

  • SSDEEP

    3072:sjZ6gff2+bdkKMk06LdLVHCTkWWXkP11eGXbIuGgcl:sjZF+Wl0OTMkJ+GWCl

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1196
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc583564e351eb52bc3c24dde675570f_JaffaCakes118.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2972
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc583564e351eb52bc3c24dde675570f_JaffaCakes118.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2528
              • C:\Users\Admin\AppData\Local\Temp\f76a92b.exe
                C:\Users\Admin\AppData\Local\Temp\f76a92b.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2668
              • C:\Users\Admin\AppData\Local\Temp\f76aaff.exe
                C:\Users\Admin\AppData\Local\Temp\f76aaff.exe
                4⤵
                • Executes dropped EXE
                PID:2744
              • C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe
                C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2704
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2036

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            13d80a1a7f2c9f6228537b2937bc96c0

            SHA1

            1529d69aa965104c5f5ab6ddbe9a8563e3d27ea3

            SHA256

            453071643b0424b9f1e3f97ccbafdcaa48dca0421062a1aa21d356c221e9c1b4

            SHA512

            d6eeb71b783699ed36ad289bd2a89a55ae50ddcfb2fce05487e24d67cc1d9744afdeb687ca0f642994ad965d0f09fed80baf8f7504ddba02aec74d71964fd889

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76a92b.exe
            Filesize

            97KB

            MD5

            2b18544dc2560ef96867998ba5a1fca7

            SHA1

            d9ab5f8461f395caa3e9465473362bdf172355ad

            SHA256

            572c6d177eef06fbc589d03dcf96deadc3e6a610539763c95bb7d5ef6e5692cd

            SHA512

            113523ee51088e2cea8d12bdb45bbf025ee49c7fd7ee4c077231087e6b7ae7858f5738bb193ebf4ca37d196ea7413c00a850bd4d6425f2328d93fda31c18ab20

            Download Submit

          • memory/1108-28-0x0000000001F90000-0x0000000001F92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2528-82-0x00000000000C0000-0x00000000000C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2528-10-0x00000000000C0000-0x00000000000D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2528-80-0x0000000000200000-0x0000000000212000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2528-46-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2528-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2528-4-0x00000000000C0000-0x00000000000D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2528-36-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2528-56-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2528-59-0x00000000001C0000-0x00000000001D2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2528-37-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2528-60-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2668-63-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-62-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-47-0x00000000004B0000-0x00000000004B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2668-58-0x00000000004A0000-0x00000000004A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2668-17-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-11-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2668-49-0x00000000004A0000-0x00000000004A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2668-22-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-16-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-15-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-14-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-21-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-18-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-157-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-64-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-65-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-66-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-68-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-69-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-20-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-19-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-12-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-85-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-86-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-88-0x00000000005D0000-0x000000000168A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2668-156-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2704-83-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2704-106-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2704-104-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2704-108-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2704-167-0x00000000009B0000-0x0000000001A6A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2704-212-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2704-211-0x00000000009B0000-0x0000000001A6A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2744-107-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2744-105-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2744-99-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2744-162-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2744-61-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download