Overview

overview

10

Static

static

3

f2632bd49f...18.exe

windows7-x64

3

f2632bd49f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2632bd49f37cdf681b187438e4f6173_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    f2632bd49f37cdf681b187438e4f6173

  • SHA1

    13b11925bc8f7c0a3f76eca2d70fe06b44e3e245

  • SHA256

    11f71273e6d5522c3551ab840e062442de9328ed2b2117b98ab3adb80f7cc822

  • SHA512

    08b2d1b400fd625cd997b3046db49189563419ef4ae9c47bfb28ee9a622d51450bd01613f8f549a88fa7bf4229c476b1e18369fe2088956dc00de0ad530347ef

  • SSDEEP

    49152:ghPg95YC1yRr5R+jzA66ymAu1Rg48D9d5VGoemcYVeGaY0uWV355FXw/+fuWV35j:EgXt1yRr8zA6POvwga

Score
10/10
salitybackdoordiscoveryevasionpersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:788
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:796
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:332
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2700
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2788
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:3060
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3420
                  • C:\Users\Admin\AppData\Local\Temp\f2632bd49f37cdf681b187438e4f6173_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\f2632bd49f37cdf681b187438e4f6173_JaffaCakes118.exe"
                    2⤵
                    • UAC bypass
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Windows security modification
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:432
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode disable
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:1768
                    • C:\Users\Admin\AppData\Roaming\taskhost.exe
                      C:\Users\Admin\AppData\Roaming\taskhost.exe
                      3⤵
                      • UAC bypass
                      • Windows security bypass
                      • Disables RegEdit via registry modification
                      • Deletes itself
                      • Executes dropped EXE
                      • Windows security modification
                      • Checks whether UAC is enabled
                      • Drops autorun.inf file
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3236
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /A /C "cmd.exe"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1472
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          5⤵
                            PID:4912
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe
                            5⤵
                            • System Location Discovery: System Language Discovery
                            PID:1116
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh firewall set opmode disable
                          4⤵
                          • Modifies Windows Firewall
                          PID:4004
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 76
                            5⤵
                            • Program crash
                            PID:1364
                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE"
                          4⤵
                            PID:1816
                          • C:\Windows\SysWOW64\NOTEPAD.EXE
                            "C:\Windows\system32\NOTEPAD.EXE"
                            4⤵
                              PID:1312
                            • C:\Windows\SysWOW64\NOTEPAD.EXE
                              "C:\Windows\system32\NOTEPAD.EXE"
                              4⤵
                                PID:3956
                              • C:\Windows\SysWOW64\NOTEPAD.EXE
                                "C:\Windows\system32\NOTEPAD.EXE"
                                4⤵
                                  PID:4564
                                • C:\Windows\SysWOW64\NOTEPAD.EXE
                                  "C:\Windows\system32\NOTEPAD.EXE"
                                  4⤵
                                    PID:5056
                                  • C:\Windows\SysWOW64\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE"
                                    4⤵
                                      PID:3192
                                    • C:\Windows\SysWOW64\NOTEPAD.EXE
                                      "C:\Windows\system32\NOTEPAD.EXE"
                                      4⤵
                                        PID:652
                                      • C:\Windows\SysWOW64\NOTEPAD.EXE
                                        "C:\Windows\system32\NOTEPAD.EXE"
                                        4⤵
                                          PID:1632
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                    1⤵
                                      PID:3540
                                    • C:\Windows\system32\DllHost.exe
                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                      1⤵
                                        PID:3716
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                          PID:3804
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:3900
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:3984
                                            • C:\Windows\System32\RuntimeBroker.exe
                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                              1⤵
                                                PID:3884
                                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                                1⤵
                                                  PID:3180
                                                • C:\Windows\System32\RuntimeBroker.exe
                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                  1⤵
                                                    PID:5044
                                                  • C:\Windows\system32\backgroundTaskHost.exe
                                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                    1⤵
                                                      PID:4728
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4004 -ip 4004
                                                      1⤵
                                                        PID:4796
                                                      • C:\Windows\system32\sihost.exe
                                                        sihost.exe
                                                        1⤵
                                                          PID:3668
                                                          • C:\Windows\explorer.exe
                                                            explorer.exe /LOADSAVEDWINDOWS
                                                            2⤵
                                                              PID:5040

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Reconnaissance

                                                          Resource Development

                                                          Initial Access

                                                          Replication Through Removable Media

                                                          1
                                                          T1091

                                                          Execution

                                                          Persistence

                                                          Boot or Logon Autostart Execution

                                                          1
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Create or Modify System Process

                                                          1
                                                          T1543

                                                          Windows Service

                                                          1
                                                          T1543.003

                                                          Event Triggered Execution

                                                          1
                                                          T1546

                                                          Netsh Helper DLL

                                                          1
                                                          T1546.007

                                                          Privilege Escalation

                                                          Abuse Elevation Control Mechanism

                                                          1
                                                          T1548

                                                          Bypass User Account Control

                                                          1
                                                          T1548.002

                                                          Boot or Logon Autostart Execution

                                                          1
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Create or Modify System Process

                                                          1
                                                          T1543

                                                          Windows Service

                                                          1
                                                          T1543.003

                                                          Event Triggered Execution

                                                          1
                                                          T1546

                                                          Netsh Helper DLL

                                                          1
                                                          T1546.007

                                                          Defense Evasion

                                                          Abuse Elevation Control Mechanism

                                                          1
                                                          T1548

                                                          Bypass User Account Control

                                                          1
                                                          T1548.002

                                                          Impair Defenses

                                                          4
                                                          T1562

                                                          Disable or Modify System Firewall

                                                          1
                                                          T1562.004

                                                          Disable or Modify Tools

                                                          3
                                                          T1562.001

                                                          Modify Registry

                                                          5
                                                          T1112

                                                          Credential Access

                                                          Discovery

                                                          System Information Discovery

                                                          2
                                                          T1082

                                                          System Location Discovery

                                                          1
                                                          T1614

                                                          System Language Discovery

                                                          1
                                                          T1614.001

                                                          Lateral Movement

                                                          Replication Through Removable Media

                                                          1
                                                          T1091

                                                          Collection

                                                          Command and Control

                                                          Exfiltration

                                                          Impact

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Temp\0E57D2F0_Rar\taskhost.exe
                                                            Filesize

                                                            3.1MB

                                                            MD5

                                                            bae045fd16ff23762ed5763dacf7e26b

                                                            SHA1

                                                            072559fab360fd5afdea9d88fb1d0b2f703ea5d5

                                                            SHA256

                                                            ed667fab0d7a2b52a766b8fa13a2e12090d9cc229f94d784756c1fb2b36ab38d

                                                            SHA512

                                                            a453c765e11765a31446e47fcb31c27329943a595652d9486ae2e67def2220c2be0e19feaff86cb8d02598cd7b900aed4cd690503ce486348c66fdfb7a262c2a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\taskhost.exe
                                                            Filesize

                                                            3.2MB

                                                            MD5

                                                            f2632bd49f37cdf681b187438e4f6173

                                                            SHA1

                                                            13b11925bc8f7c0a3f76eca2d70fe06b44e3e245

                                                            SHA256

                                                            11f71273e6d5522c3551ab840e062442de9328ed2b2117b98ab3adb80f7cc822

                                                            SHA512

                                                            08b2d1b400fd625cd997b3046db49189563419ef4ae9c47bfb28ee9a622d51450bd01613f8f549a88fa7bf4229c476b1e18369fe2088956dc00de0ad530347ef

                                                            Download Submit

                                                          • C:\Windows\SYSTEM.INI
                                                            Filesize

                                                            258B

                                                            MD5

                                                            e3ae01c9fd9a9805f8374d45ea4f71ac

                                                            SHA1

                                                            737c655c5e77c6c17ec2d873f9f7ae219c65c0f5

                                                            SHA256

                                                            da4843c832a943a88428b32209af908c432b23bfdfba5e00ea611e46f069a3b0

                                                            SHA512

                                                            15f30b3f2410017fa5d22980757c03548adc6ff4f7225be17a724bb91ce531fa68cc42b8f874bd661807264bcfbb2700ff54c60b9dbadfcf0da4344c0d525d65

                                                            Download Submit

                                                          • memory/432-0-0x0000000000400000-0x0000000000628000-memory.dmp

                                                            Filesize

                                                            2.2MB

                                                            Download

                                                          • memory/432-35-0x0000000004C10000-0x0000000004C20000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/432-8-0x00000000006C0000-0x00000000006C2000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/432-14-0x00000000006C0000-0x00000000006C2000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/432-3-0x00000000025B0000-0x00000000035E3000-memory.dmp

                                                            Filesize

                                                            16.2MB

                                                            Download

                                                          • memory/432-18-0x00000000048B0000-0x000000000498A000-memory.dmp

                                                            Filesize

                                                            872KB

                                                            Download

                                                          • memory/432-9-0x0000000003A70000-0x0000000003A71000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/432-78-0x00000000025B0000-0x00000000035E3000-memory.dmp

                                                            Filesize

                                                            16.2MB

                                                            Download

                                                          • memory/432-13-0x00000000006C0000-0x00000000006C2000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/432-6-0x00000000025B0000-0x00000000035E3000-memory.dmp

                                                            Filesize

                                                            16.2MB

                                                            Download

                                                          • memory/432-27-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/432-48-0x00000000025B0000-0x00000000035E3000-memory.dmp

                                                            Filesize

                                                            16.2MB

                                                            Download

                                                          • memory/432-19-0x0000000010000000-0x0000000010011000-memory.dmp

                                                            Filesize

                                                            68KB

                                                            Download

                                                          • memory/432-91-0x00000000006C0000-0x00000000006C2000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/432-102-0x0000000000400000-0x0000000000628000-memory.dmp

                                                            Filesize

                                                            2.2MB

                                                            Download

                                                          • memory/432-12-0x00000000025B0000-0x00000000035E3000-memory.dmp

                                                            Filesize

                                                            16.2MB

                                                            Download

                                                          • memory/3236-208-0x0000000000400000-0x0000000000628000-memory.dmp

                                                            Filesize

                                                            2.2MB

                                                            Download

                                                          • memory/3236-53-0x0000000002A60000-0x0000000002B3A000-memory.dmp

                                                            Filesize

                                                            872KB

                                                            Download

                                                          • memory/3236-62-0x0000000002570000-0x0000000002580000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/3236-70-0x00000000026C0000-0x00000000026D0000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/3236-47-0x0000000000400000-0x0000000000628000-memory.dmp

                                                            Filesize

                                                            2.2MB

                                                            Download