Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 13-12-2024 03:47

Static task: static1
Behavioral task: behavioral1
- Sample: e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll
- Resource: win7-20241023-en
General
- Target: e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll
- Size: 74KB
- MD5: e9bd4c8fb1cd2b62716375fe9088eb81
- SHA1: 54e408d6c2b38318e00ab8f43dcb5f27a9d1f463
- SHA256: e0c42e1ddf6c7671c260d9a4e764a17d0b07845d9d2e7d15717d7aa9040ca553
- SHA512: 8cc1316a18d211f9b52dbc9f3812e966ccb4462a4b6ace01f7d5ddbf5c6081a57a917f80f7e8082e764293254d403770f0eaff10f0e6015deb16b2984807ff20
- SSDEEP: 1536:jc0oQJlEPEcbpnAr6+vpVxu7l16n5OpoUR2/PCfFlsehgoVr0GHSW:jfJrEP1irBHxuba5OpoUIPuFSQR0GyW
Malware Config
- Extracted: sality
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76acb3.exe)

Sality family

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76acb3.exe)

Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76acb3.exe)

Disables RegEdit via registry modification (1 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (f76acb3.exe)

Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
- PID 2420 f76acb3.exe

Loads dropped DLL (2 IoCs)
- PID 1788 rundll32.exe
- PID 1788 rundll32.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76acb3.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76acb3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76acb3.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76acb3.exe)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by f76acb3.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification C:\autorun.inf (f76acb3.exe)
- File opened for modification F:\autorun.inf (f76acb3.exe)

Yara rule matches on memory dumps (rule: upx)
- behavioral1/memory/2420-<n>-0x0000000000590000-0x000000000161E000-memory.dmp matched rule upx for dump ids n = 12, 15, 16, 17, 18, 19, 37, 39, 40, 44, 45, 46, 47, 48, 51, 52, 53, 55, 57, 68, 69, 73, 74, 77, 78, 82 (same PID 2420 and same address range in every dump)
Drops file in Program Files directory (5 IoCs)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (f76acb3.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe (f76acb3.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe (f76acb3.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe (f76acb3.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe (f76acb3.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI (rundll32.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f76acb3.exe)

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76acb3.exe)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
- PID 2420 f76acb3.exe (15 occurrences)

Suspicious use of AdjustPrivilegeToken (30 IoCs)
- Token: SeDebugPrivilege, PID 2420 f76acb3.exe (30 occurrences)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1272 (rundll32.exe) wrote to memory of PID 1788 (procid_target 30): 7 occurrences
- PID 1788 (rundll32.exe) wrote to memory of PID 2420 (procid_target 31): 4 occurrences
- PID 2420 (f76acb3.exe) wrote to memory of PID 1104 (procid_target 19), PID 1160 (20), PID 1200 (21), PID 1876 (25), PID 1272 (29) and PID 1788 (30), cycling through these targets: 53 occurrences in total

System policy modification (1 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76acb3.exe)
Processes
Each entry is: image path (command line), PID; indented entries are child processes, with their matched signatures listed beneath them.

- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1104
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1160
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1200
- C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll,#1), PID 1272
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll,#1), PID 1788
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76acb3.exe (C:\Users\Admin\AppData\Local\Temp\f76acb3.exe), PID 2420
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1876
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 277B
- Filesize: 100KB
- Filesize: 69KB