Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13/12/2024, 06:13
General
-
Target
ea460c4a2450ec14303121428373edde_JaffaCakes118.dll
-
Size
120KB
-
MD5
ea460c4a2450ec14303121428373edde
-
SHA1
47f567b5828584b50d312fcaf9361605359a187d
-
SHA256
58f1a7cc1e5eb288c17d9964c3022f43863cac9ccf4b7374aedc90884fdd5636
-
SHA512
29fbede23abd82210ec6fe15493d2141b1f614ea86debe2349e1a5584f55031e41677d51cd7810babaf58558816a2d33e5df5bba831d31f7aed4b17ce96cb1ff
-
SSDEEP
3072:5toYSkw47n4GxHN17PZLoWdcYvw+ExYfz5Sh:5tHn4wHNVVld8+E+z0h
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ea460c4a2450ec14303121428373edde_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ea460c4a2450ec14303121428373edde_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76951e.exeC:\Users\Admin\AppData\Local\Temp\f76951e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7696d3.exeC:\Users\Admin\AppData\Local\Temp\f7696d3.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76b04c.exeC:\Users\Admin\AppData\Local\Temp\f76b04c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5e677627c2134ea7be4a2681a5ddfed32
SHA1c1bc045ff9685ff2568e79b798a4ff45e1b6867d
SHA2561c2c57bbb8dd8c45203790a25b7aabc00e4c4b06ab3c39ea388539b667103a92
SHA512d389114b15d34b5a232bc43c7e47b3e2dcbadee9aed487653342c13792e80a13902966c37c680a9601e4b5522fd82200edab57ab6e57dfd8383eba3a87d63fd4
-
Filesize
97KB
MD5d436dfd3b2a8ba38bebdc15d6f37b417
SHA1cdeb8266bca8392882db4414c3bedf63a927a199
SHA2560723591e06e3ed6ef199cdab378ea63dad26e2144ddf27b03a4073906a625219
SHA5125a20f0dacca85f6c4dfb9486e7fe81085015d37a195a8350bd598df6ae578f5e1fecd92a53cd6a3d96f19dad3b38adfc7935bb0b0db7eb65ec6894cfce1161ef
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB