Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-12-2024 03:35
General
-
Target
e9b24e07bba059b824fa58cf801a2aa7_JaffaCakes118.dll
-
Size
660KB
-
MD5
e9b24e07bba059b824fa58cf801a2aa7
-
SHA1
6a5ffe5471823ac27a1d912c9ab4e59ea331b627
-
SHA256
d58dd8cb189cda12ad2aa1913b55ed1e2dd596fa702690a60c04db8aa664396b
-
SHA512
2fb5b065feb03ca416033de18b96116559d4fbe2b14a4ec91d55dee858ba826891af7aa30f22575b69605e33da09deea4b95357fd325da2f3b208ba0cc2d170b
-
SSDEEP
12288:zZL7A5l0711g8onrOcWAqVvrDhS6kNaW3:zZL7AfYhonSr1naaW3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9b24e07bba059b824fa58cf801a2aa7_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9b24e07bba059b824fa58cf801a2aa7_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 6123⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1148 -ip 11481⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5030d28178ec890f0d933359dad23da1e
SHA15fa5195ca05aea5caaf471afbcc2fd039876f3c4
SHA2561e40a11d7943a7924cacca9632fa6dd8bd24fb1072cb61e64f9033ebce74806b
SHA5120a4d2a2dc387cda5c4a2545d416aa40eaccc7f0176861c2862c0a792970282189548309263d0937913a9e8be8105074a8d7129b87e277db68a0efbc57f3030e6
-
Filesize
404B
MD51c8726f15f8d1832f917974f489c1ac6
SHA14a74171fecfe2bb79a4a2a9865f3426452a02ee5
SHA256f579dac145884503b91665a57f0090fabc601345f0e23dd9885f4be2e22cc0e9
SHA512f2d481a8a6ac006bd38b6ddb5f03d44d09a691323b6f09a608f29cc24b5777ebf9875daeb5c585be2b3f125fb5f3bc283a0a500b5e643e65dddd851a2775e184
-
Filesize
3KB
MD5674f5df276bea263701ecc631c85a757
SHA186682abd23553875b0d9b7e79e025a469680aa78
SHA2565883133c82f920f2c4e59d493917ecde8735e29fa104fb8dbef73765dd2e2e76
SHA512814ef3ed802c8434d01a952378d73a529308b040fba09c171f284c2cb5b94045ca490734721945cef00aa1ba929254cd5103a629de81ea816fcf4e5ee25f8c2d
-
Filesize
5KB
MD5ca30c1f5e7fb3d114085dd34fc140db7
SHA1caae876ff0acbbda6d038251ef76334d3af09536
SHA2564b4ace5f07e47eb2e81d45fd0bd147e6aea4fd482821e8a5021d52a7ef884dd9
SHA51277ec7e118bed71b03e3deb3c47af7dc5e749931d095a30466acbb8f88a2856dcf8aff9c38856b7c0b7e8ee82911d559f6d3ded8edc96d2441165604fc07dd583
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
187KB
MD527fdabf7c440551ce0d41832bb40e0e4
SHA1c3a6f07789562c1edbea44197a3f6cb3f6d345c9
SHA25652f26137f9a813c374e5bca7ae97f2f31c1f8084276944fdc5e97df7a69a86c4
SHA5124c13cfe5ed6741933d83ba0af39bd9cc544033328fe015b5ec1f1eff358e54764814f60085c0b4528034e2e8ab2f94694e186b27d9e66e42e01391ba20f38df5
-
Filesize
664KB
-
Filesize
664KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
40KB
-
Filesize
16KB
-
Filesize
16.2MB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB