Overview

overview

10

Static

static

3

e1ce1f19c4...18.exe

windows7-x64

3

e1ce1f19c4...18.exe

windows10-2004-x64

10

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    96s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1ce1f19c48d03d8e22a734dbd73b66b_JaffaCakes118.exe

  • Size

    156KB

  • MD5

    e1ce1f19c48d03d8e22a734dbd73b66b

  • SHA1

    afc3bd7008db1e4c7c378c8f34c76f1eb0519c1a

  • SHA256

    cdd200e616ced75e60ddd6ba7b58978900cb56f824011640ee313ac234a99370

  • SHA512

    daed1d7ce753e4972f202c207838378c02ae36c877d62eb7c92bd1223c7ad7777a7be0659e603feb92c73e674465fd93871162525c84dbf671f3c4cafbe6b999

  • SSDEEP

    3072:YkjAy4dDGkJ9vJYTJ/hbd/UDCi7XYbmRnSN67LYgb2bKSZ56/e:Y2cW9JblaCcnRx1KeSZae

Score
10/10
salitybackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:780
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:784
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:60
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2540
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2548
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2652
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3544
                  • C:\Users\Admin\AppData\Local\Temp\e1ce1f19c48d03d8e22a734dbd73b66b_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\e1ce1f19c48d03d8e22a734dbd73b66b_JaffaCakes118.exe"
                    2⤵
                    • UAC bypass
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:968
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode disable
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:2344
                    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
                      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
                      3⤵
                      • UAC bypass
                      • Windows security bypass
                      • Disables RegEdit via registry modification
                      • Deletes itself
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Windows security modification
                      • Checks whether UAC is enabled
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2248
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode disable
                        4⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2416
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3656
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3840
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3936
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:4000
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:1064
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4056
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:1604
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:2808
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:4124

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Reconnaissance

                                  Resource Development

                                  Initial Access

                                  Execution

                                  Persistence

                                  Create or Modify System Process

                                  1
                                  T1543

                                  Windows Service

                                  1
                                  T1543.003

                                  Event Triggered Execution

                                  1
                                  T1546

                                  Netsh Helper DLL

                                  1
                                  T1546.007

                                  Privilege Escalation

                                  Abuse Elevation Control Mechanism

                                  1
                                  T1548

                                  Bypass User Account Control

                                  1
                                  T1548.002

                                  Create or Modify System Process

                                  1
                                  T1543

                                  Windows Service

                                  1
                                  T1543.003

                                  Event Triggered Execution

                                  1
                                  T1546

                                  Netsh Helper DLL

                                  1
                                  T1546.007

                                  Defense Evasion

                                  Abuse Elevation Control Mechanism

                                  1
                                  T1548

                                  Bypass User Account Control

                                  1
                                  T1548.002

                                  Impair Defenses

                                  4
                                  T1562

                                  Disable or Modify System Firewall

                                  1
                                  T1562.004

                                  Disable or Modify Tools

                                  3
                                  T1562.001

                                  Modify Registry

                                  4
                                  T1112

                                  Credential Access

                                  Discovery

                                  System Information Discovery

                                  2
                                  T1082

                                  System Location Discovery

                                  1
                                  T1614

                                  System Language Discovery

                                  1
                                  T1614.001

                                  Lateral Movement

                                  Collection

                                  Command and Control

                                  Exfiltration

                                  Impact

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\0E578F9D_Rar\Au_.exe
                                    Filesize

                                    84KB

                                    MD5

                                    fa4ea61cd5dc0ff3182f45987f668a69

                                    SHA1

                                    59dc21f9a700b759ffaa00e504a840717e3acab7

                                    SHA256

                                    137df35c950b8e6b0e8798fdf5250ae8b9132a9bfc2be5c0a41f1d633232b0e9

                                    SHA512

                                    170e62c7b5333f1db139c422d9678ba736da1c0ca5223cfc5efdd45a69e743d8d4220aa9531747afc5fab74a01d0f9722526e52c33bb9e0df8a12dce771f4ab1

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsi99FF.tmp\InstallOptions.dll
                                    Filesize

                                    13KB

                                    MD5

                                    d765c492c21689e3d9d61634371fd861

                                    SHA1

                                    ac200933671ae52c9d5544d0e2e8e9144d286c83

                                    SHA256

                                    551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

                                    SHA512

                                    9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsi99FF.tmp\System.dll
                                    Filesize

                                    10KB

                                    MD5

                                    fe24766ba314f620d57d0cf7339103c0

                                    SHA1

                                    8641545f03f03ff07485d6ec4d7b41cbb898c269

                                    SHA256

                                    802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

                                    SHA512

                                    60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsi99FF.tmp\ioSpecial.ini
                                    Filesize

                                    578B

                                    MD5

                                    fd1501d060966570ae66c46c23b97c88

                                    SHA1

                                    8f4c871ec5755896a25a8289189c2bce24015719

                                    SHA256

                                    30d7633e1b0457cfa6e24aecc48ebc7b14b5648c25517d80458e3e9f74cf9ea4

                                    SHA512

                                    febed3503c354a075dd254908b250baa0aa6e49661ec8d00d3f926e84a73bcafc74e5a0a58a9f20a0b20221fbebc0777b35bcaa5b6e22a33e52990722eef45e6

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsi99FF.tmp\ioSpecial.ini
                                    Filesize

                                    578B

                                    MD5

                                    45f51ad52f65c33a25978bba35a7d897

                                    SHA1

                                    6f3020c0ddc67ade24d0ee5af334031fd1eea15d

                                    SHA256

                                    c0130763dd37c8c7c75db8afaa1880f2acb0658eaef24af8b97893851041c8ea

                                    SHA512

                                    aa56d6785ce0ad40a241fd0801b5d77a6799c0293eeb73ec70e6b8bfb6eab32d7efeb9398820d4a28d566a4142dc02cb65bbc1265f0ceaecea37268680648dcc

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\nsi99FF.tmp\ioSpecial.ini
                                    Filesize

                                    667B

                                    MD5

                                    c3f75077fad789f0c0d1451d64f6a935

                                    SHA1

                                    fdb19917cfcf2351d6abb9fb2dcd8646d0e1fa46

                                    SHA256

                                    5d68fadcad4c328618fb1372bcdf4994bf94dc193a005acbcfc0f50ff537fb39

                                    SHA512

                                    cd50ff74f38c9be72cca0a785ff8c6dbc9e1dd4238560dec2df5c55d61c5e70430599377d8a125d461b7767245c131dcaca2dc6e2038638144c61bdd61b5cefc

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
                                    Filesize

                                    156KB

                                    MD5

                                    e1ce1f19c48d03d8e22a734dbd73b66b

                                    SHA1

                                    afc3bd7008db1e4c7c378c8f34c76f1eb0519c1a

                                    SHA256

                                    cdd200e616ced75e60ddd6ba7b58978900cb56f824011640ee313ac234a99370

                                    SHA512

                                    daed1d7ce753e4972f202c207838378c02ae36c877d62eb7c92bd1223c7ad7777a7be0659e603feb92c73e674465fd93871162525c84dbf671f3c4cafbe6b999

                                    Download Submit

                                  • C:\Windows\SYSTEM.INI
                                    Filesize

                                    258B

                                    MD5

                                    a8b27a8d5d528d88e908efa9625ac470

                                    SHA1

                                    6a456f695d3f837d9d7fd671e551aa7f28d9abb6

                                    SHA256

                                    2a7d35963a4011cfe036c6be05142901dadea89c615dec5ca5d525eadeb3af90

                                    SHA512

                                    61d1bab056d4f4404b237edd8a2d552bddff20a3da1b2715694c50a6f4879caecc9828b9ab6baab4c7f76364f15d3a9867b3a60d14e31ee2d501203decff2c88

                                    Download Submit

                                  • memory/968-13-0x00000000005A0000-0x00000000005A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/968-33-0x0000000000400000-0x0000000000451000-memory.dmp

                                    Filesize

                                    324KB

                                    Download

                                  • memory/968-1-0x00000000023B0000-0x00000000033E3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/968-26-0x00000000023B0000-0x00000000033E3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/968-23-0x00000000005A0000-0x00000000005A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/968-0-0x0000000000400000-0x0000000000451000-memory.dmp

                                    Filesize

                                    324KB

                                    Download

                                  • memory/968-5-0x00000000023B0000-0x00000000033E3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/968-10-0x00000000005A0000-0x00000000005A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/968-8-0x00000000005A0000-0x00000000005A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/968-3-0x00000000023B0000-0x00000000033E3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/968-9-0x00000000040F0000-0x00000000040F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2248-128-0x00000000060D0000-0x00000000060D1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2248-121-0x0000000004990000-0x00000000059C3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/2248-131-0x0000000004990000-0x00000000059C3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/2248-129-0x0000000003720000-0x0000000003722000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2248-133-0x0000000004990000-0x00000000059C3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/2248-135-0x0000000004990000-0x00000000059C3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/2248-122-0x0000000004990000-0x00000000059C3000-memory.dmp

                                    Filesize

                                    16.2MB

                                    Download

                                  • memory/2248-32-0x0000000000400000-0x0000000000451000-memory.dmp

                                    Filesize

                                    324KB

                                    Download

                                  • memory/2248-229-0x0000000003720000-0x0000000003722000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2248-237-0x0000000000400000-0x0000000000451000-memory.dmp

                                    Filesize

                                    324KB

                                    Download