Overview

overview

10

Static

static

3

f58d57fefc...18.exe

windows7-x64

10

f58d57fefc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f58d57fefcff95ae50128b67c6c05126_JaffaCakes118.exe

  • Size

    229KB

  • MD5

    f58d57fefcff95ae50128b67c6c05126

  • SHA1

    495cb4b9e816e5c18fb1e1c5aa87dda20b11c2f4

  • SHA256

    dbaeae6c483469f8da8954bee601a142594e9356212c43e04268598ea6213932

  • SHA512

    45aae65291ea12c17fe75be9735477cc193263aeed73ba09d8e5ab60c9d403a00b7a77aa1a063dfa342aaa3ac7d9df9256ec080360aa96bf86c3f71842a40e4a

  • SSDEEP

    6144:rkpNGUTubXZdvLLgploNzkizOIHxJrY8OH:5U6bXZxgplo5ki5S82

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 35 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\f58d57fefcff95ae50128b67c6c05126_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\f58d57fefcff95ae50128b67c6c05126_JaffaCakes118.exe"
            2⤵
            • Modifies firewall policy service
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1820
            • C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
              "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2432
              • C:\Windows\splwow64.exe
                C:\Windows\splwow64.exe 12288
                4⤵
                  PID:2976
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1192

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Replication Through Removable Media

            1
            T1091

            Execution

            Persistence

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Hide Artifacts

            2
            T1564

            Hidden Files and Directories

            2
            T1564.001

            Impair Defenses

            4
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            7
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Replication Through Removable Media

            1
            T1091

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\0F77E62A_Rar\f58d57fefcff95ae50128b67c6c05126_JaffaCakes118.exe
              Filesize

              157KB

              MD5

              6f96e098214a8bc078de6b7f22ce7dfa

              SHA1

              5782ded4cfb116799f23d880cd83739efbbae836

              SHA256

              0ffa09a41c63bf331c60dcfc5ed1470daff2fea97f9eeddb403be2d2bc4c0d40

              SHA512

              7529b4ff57e03325028090f7cc6f5e4ff5bc1a4006b9446052a03507de606b14fffb7ee9a13335c5c0c11d9438d8c20546d020330d2555a55f213cc092531ccb

              Download Submit

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              a55d9e4787d0dac76443726c1c832563

              SHA1

              138a027537d5d59d254f39a20f7c06da632fa1ed

              SHA256

              7ddfb2ec36b4610a97db62b5dcf3c544a9aedc390248cd53122f295b388b3a2e

              SHA512

              9d6b6b97d073549ea6d40456864bbbd14b90da7c81eecf1587f2654e5f44639eaa7fdbc012c67f72c6bbda9c3f9ce86ce407e64ea2aa20c5e42a7208224ae2e6

              Download Submit

            • C:\autorun.inf
              Filesize

              126B

              MD5

              163e20cbccefcdd42f46e43a94173c46

              SHA1

              4c7b5048e8608e2a75799e00ecf1bbb4773279ae

              SHA256

              7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

              SHA512

              e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

              Download Submit

            • C:\vanmyy.pif
              Filesize

              97KB

              MD5

              b96502dd451b9b425e642bd95b2c9695

              SHA1

              316e58f45c6664ad719a709eb81de96d14b56791

              SHA256

              455c51056277ad0f374dea20fd2491d542fd3bbed7e286060e877fb0319092c3

              SHA512

              eeae54049ce69c9e50b8a254c2d7c0948579fb144e0f4bf52d1adac4526a6702ac5ff084afcddf18de7b9cb07e0b50f6ae60769ce20dee64e573631b4184a008

              Download Submit

            • C:\zPharaoh.exe
              Filesize

              157KB

              MD5

              b7697d0199d0e795f843dbda51bab755

              SHA1

              8259f008a8c9f82f58fe1a358f11a62a5552d0e3

              SHA256

              d8ade236d9d7cb99fe312b6c4ea48a297ea384f7b493ad884f8fd9cc61f7a352

              SHA512

              f2971d6c09c78622bcbcbe2f1fc4fc78b9fa5843958c349410afb33614640ea2b723da64c09e26c3305ad9eb0ce288e311bcdd9b4064e8fb4f49db2fabcce5d4

              Download Submit

            • F:\zPharaoh.exe
              Filesize

              157KB

              MD5

              d8f3f219955c37041fb77a70ea45c546

              SHA1

              393fe2a05ff654766c5394169ea94c2d1c3ff65f

              SHA256

              83d0e92548170ea28be6c1675e4ffe09b427bf89da0a6f612159f27f48f1aae2

              SHA512

              d68f336a7521e64295adb331da937c557b48048b31a3e8f7de851e0191b327cf24e746b151b230b5242d764b6cb2dd704da4b4417b8a55f7153f13d8bba38176

              Download Submit

            • memory/1116-37-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1820-59-0x00000000003E0000-0x00000000003E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1820-69-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/1820-61-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1820-56-0x00000000003E0000-0x00000000003E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1820-0-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

              Download

            • memory/1820-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1820-47-0x00000000003F0000-0x00000000003F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1820-46-0x00000000003E0000-0x00000000003E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1820-11-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1820-10-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1820-36-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1820-1-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1820-2-0x0000000001E30000-0x0000000002EEA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-55-0x0000000000400000-0x0000000000401000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2432-104-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-35-0x000000002F6A1000-0x000000002F6A2000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2432-79-0x000000007175D000-0x0000000071768000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2432-60-0x00000000003F0000-0x00000000003F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2432-83-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-81-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-94-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-96-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-82-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-103-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-95-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-97-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-57-0x00000000003F0000-0x00000000003F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2432-105-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-107-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-106-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-108-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-109-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-110-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-112-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-113-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-114-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-116-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-133-0x0000000006ED0000-0x0000000007F8A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2432-70-0x000000007175D000-0x0000000071768000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2432-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download