Analysis
-
max time kernel
10s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-12-2024 04:47
General
-
Target
e9f57b5816146eeca3c78b57ce61dc24_JaffaCakes118.exe
-
Size
156KB
-
MD5
e9f57b5816146eeca3c78b57ce61dc24
-
SHA1
756f3ba117cf66f46ee0d0453282b4d4238f3637
-
SHA256
71934a7113476b16f9ad047e4a6422918a4e3bb35f4714b8e4110f483c05caa5
-
SHA512
311d90a316ee441140a8826bde42c817a7d6a665cad453274b3ae1e8f45f2561f1c7f1d3d3942d6ead7f05dc16bc26a1197a545e2847f6d6b752225289da80b4
-
SSDEEP
3072:TT2xNfzEmPUac0yCRS9EK0TLml3E8ttaLHHgDNI5ftyL:nkPpe0ml3EsaTHgpwfG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e9f57b5816146eeca3c78b57ce61dc24_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e9f57b5816146eeca3c78b57ce61dc24_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5da895bb1399d70dc34a48d8fa13fbda1
SHA1a341c46596da2bd05bbcc248db601874d05649e3
SHA2569ccd14f47173d9717fde8e055b2148cb866b29bc42c4d30817786bcb49a48283
SHA512df5a136a7804a1654062edeaf622db494963bdb7c665cb60d7105487d28360839fa8149be2ac6fdb66c773c45dbede4d480a6ccdbabed28eced4e6f65b3107a2
-
Filesize
342B
MD509cf4d0cd32f4ce5122be7933f933d80
SHA1c485a955a7dc22c63729663880875d0d5c68d895
SHA256fb8d69be02b47c0172bd7e40607bb4a03545bd337a08122282594eaebb8d066d
SHA51285e1b7d7e148e3d004f6aa742fb1721764885107cbe6bf07086a16f4efa9b7f7fcc3db8eedd42da29dc4238da4d1df132fcb1a3f98a396ab5e600dfea8ecf1a1
-
Filesize
342B
MD5fe19b056e11e8a51a29b9b1710f5cbe7
SHA124679a44c0273d6d4936a321a85ea225383cc950
SHA2562f8cb94d5cb85166753219cb26a4750af977fb6c26b1b72959a5fef4541d6921
SHA5127a78167d1d2213580b130a8901089d0e98b1860b47e3f7768cf0147f915209f1a7b4943612980242227c85853e42aa269f26d5b85ac2d5ce078c74b09094f88a
-
Filesize
342B
MD54a2a05b17071cc878402cefb6bb18f95
SHA11c56a6723e8038c6271ea20a1e5dc39a5016cde0
SHA256f0f33b2c4b527d7ce8345a0bb281ca7ce76559530b9cee5eb5318635babfd734
SHA512b1061538585ae7bec8b9ce1b96eebccd9f96059bbfa7a1259c86ca8d7470d1cf22abd985b547966b2179f5747d74cb54451954db1a2be5a81ee9488907b242b1
-
Filesize
342B
MD533e63e355a6249e1e6f78edb3a67e037
SHA15fadf4f5fbc1e911cc6cf5ddbd7a4bce453a0c02
SHA2561e7cca361cee4179cd5c918a1ec3c53fcc8219a3f72ec305600d9283218dbfd2
SHA5124299aff2726a2062157bfff07a944d1df4b92e2a455cd1f8f52d2dbe3dfd77f88c48df24670c733754feb474f38d90281c3cfdcb77ab7158bfc219694a88549b
-
Filesize
342B
MD598cb0453c693028e499f4a3b170f144a
SHA1bbe8a29ee0ef137aa2835bc2d4d001f42d5c0e06
SHA2567cc023286488708fa93b0da9dceae488f8449a7eaf19b28032588b015111b845
SHA512bc6d36f5508c52f1611b96052e04f6318f4499c5c92823952629296f74430afda0a47db149e4c0fc4d26b5921eeed774611c4844b56632c1ff84dec3092a44ce
-
Filesize
342B
MD5f443b54e907705da8e31f0484419f364
SHA172e3219c7c11d3093350ca6f91b05379bb4451b9
SHA25642d74516ae4ed3b6f87727b7d3ba6cee0b0de7de74ca9dadbcd10c9881c5b2c7
SHA51247347694ea2b2b9d5be87814042438252f5abddcc3125648d4eb612272cb47dc024e98aafd4ea2634bcc3edd2b0e97ca9667aa092eaabdd83955c5d51e116da8
-
Filesize
342B
MD5f704deb987ca556afc4d277b4b2bb927
SHA1477550fb8f1712f247fbb9f76e8d403e30833150
SHA25622b38c55e7eb71fa6b7b7cce2060298997ab38de684f7abe3a6e73d874a68202
SHA51200bc78f40d3ec8824172cb75e01cb5c228c73cc43f51c433555a031e0ff3c6c3f87fa9878935339a2bf8abd574eb41c8b4c2a5b633b53791fdc0217b666165b5
-
Filesize
342B
MD5743ed9bf67683c4e58a8d337f2ddca52
SHA1cdf4529a923dc4ce43ebd72bb285193786e978ac
SHA256ec58c8f7fdf3f82f58a2da0a2e115b98f15fd5cf47a365595d6b14809b339e09
SHA512a81731052e32a99fd266169998950b4f1faf333cabab5f3fd0d5ccb78e9816b675ea9aa123b363975668ca0f1731bd21fc61edc563ba470d80362b0701ec91de
-
Filesize
342B
MD535fb50b25ee966951908f171e362b235
SHA11363f5f94284354988385f2735c77639b1d76e0b
SHA256fedf41cb7fb93fc297d254739b4c54a40ea7aa514fd258cb57a0d5d05c961a4a
SHA51264e8f8c743f94ed7b773ca4cb17617f4f20c637c9ae1dff822f3ce5c343e8df17884c21465326368bb5ef67106d73bdece1fed233fe80d63b05b4f1df799955a
-
Filesize
5KB
MD5746fd46c51d20002bce4a1d92d9a5a77
SHA1dfb70905df71c656d048dc58ca91c4f7cb1d2982
SHA25655d6751f988c592d4c93b681a858cf680466673b927c8ab37cd1b53965a684f4
SHA51228fd843536b1df80d59e4f8b6e40885085460aff11832535c61240eeec490ef42ae762e07366c53d91f401d706c0371133f84dd8d7333055dec807035ecc3978
-
Filesize
4KB
MD574dddcb26973a46ac6e2512b66ec100f
SHA10eb0ccdecee5422e91a9ed3763eae02dd5fd6ddf
SHA256fbce975f853143e74290a04db279a67d85600d1371e470842b174e4c8d250c1e
SHA512531721539cc1eb812dade044be45df9fa8d0697e4ccfe47452dbd5cc34c5981916901e8921ee4d3624a0856d922d9548b7f3c44cd39575bf20956756ffe819ac
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
257B
MD567c11f5eb003f7a007878666fee59927
SHA14607eac55d514310503b903837ee807b3bf7b6a4
SHA256eb4046508d536541e5269202bf1e81b9d4ef58e3267298a5965a763a191597d2
SHA5129b90b232947da11e4606113209a9b92c28f3d6ec0a12f6897e133eaa2607eed441f5243d4056d4a0f4b804fd66a3d13e1e93f9a016dec257b0b72d01df7adae8
-
Filesize
100KB
MD551f8a0299ad67a8c89a63cced5208888
SHA1832611e9cf272d2e36caff1a72d9419d096e8f47
SHA2569613057198cd2dbfb52993566540d3e4ea64d619906b3b88c03275134017e0cd
SHA512c7070e850f4f35ffa4b2506aa7288b06feb66fc3cc8649c9008b8798f7c0cda63755cafd52ae3d300cfe6d60e32be29657903dac05176f5f45b6ec242ee8962c
-
Filesize
156KB
MD5e9f57b5816146eeca3c78b57ce61dc24
SHA1756f3ba117cf66f46ee0d0453282b4d4238f3637
SHA25671934a7113476b16f9ad047e4a6422918a4e3bb35f4714b8e4110f483c05caa5
SHA512311d90a316ee441140a8826bde42c817a7d6a665cad453274b3ae1e8f45f2561f1c7f1d3d3942d6ead7f05dc16bc26a1197a545e2847f6d6b752225289da80b4
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
200KB
-
Filesize
8KB
-
Filesize
200KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
200KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB