Analysis
-
max time kernel
26s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-12-2024 06:10
General
-
Target
fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
-
Size
951KB
-
MD5
fa678b54bc6dc42ca74ab104203475fe
-
SHA1
151df3753808b3d44b5a5255c820c8b928658c1c
-
SHA256
38e98d7bea3c4297e939f8940dc3c2855caecea427156dbe001ea43d03d4a947
-
SHA512
e893d49a446900fbfda12b1a2540a478132db22214fa849e3d95b7b6b8be6783a4e116e614fcde7afe731323492963219aec0cbd21797905ecea74af5b142af2
-
SSDEEP
24576:SUFa7K4Jy/fVtktVGPrfO/WxvaXUTcLHFpSYiVtktVGPrfO/WX:jqMlSyfO/WxyXukHFISyfO/W
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 9 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 39 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122884⤵
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Windows Firewall/Internet Connection Sharing (ICS)"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Automatic Updates"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Automatic Updates"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Security Center"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\ping.exeping www.putera.com -t -l 30005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.tourism.gov.my -t -l 30005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\ping.exeping www.miti.gov.my -t -l 30005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f4⤵
- Modifies registry key
-
-
-
C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1060273723-1122523742-257317447322808777-1541576926-1732244811-9982284001705354810"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1469088327-20900574821631448363-1323879241-10821526271527667982-483964690-1253865902"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12762673072026294056-1517337404-1703614001379621296-361454646-84773501068573310"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
2Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
808B
MD5f9144a29af9775feb89b66bc8679dff7
SHA186a1246436e2f6c26a7de1a36f7a94cfd6e8202b
SHA25637dd8b6797dc589dbaebb4c6db3b4f343389caf3c68a298b56a8f4faae1d0284
SHA5120c13f645591e85bb8ce4e43bde458e0c2ea771382d1738a495c20d21580a22d6b194a7e1c543c3fa395e2e2c9fc27710cccc1af5742037733b8398ee8dcdd74a
-
Filesize
8KB
MD5cf07b3218b7a13466a3ab1abd929dc04
SHA10357e87e477c6c91af0dae6c7528089112bc4adb
SHA2560f19bef5cf2a0d134e2a8845caf5f8a57925c57c5bcc70b671fdf2dd71f52990
SHA51242e79e6bc3a1b183219fd327531402dd16dab72f1b6a4dd5475ffd5c556ee7a5564962a10880551d9bc27f989fd90beae3756349512e383eae9b3bd5b0bd1cbd
-
Filesize
176B
MD5fc0e51b62b341213d142b5061fe88606
SHA1a36c06ee541061a30ae14702c6d422366f1efda3
SHA256ef820d65689bda87756d2b775f286d992717289bb2e9bb2843903e05a87df3ef
SHA5125f44293217227a29f8031837ff87d7777cb425fb7b3684e925b349c54084d1a52bc1be6b19678c7dd20ed885c34dcafd063676549cdaaa93f1685d7ae8e9a70f
-
Filesize
18KB
MD5ed6b628f8fcc9e5b4634047546b78091
SHA151d55b389381a84205ce07526b606f353e64a8dc
SHA2568aaa8cc5cee89de645ddc34bbaa4fe00274c4802ebda7120d1904fec1137fa33
SHA512ac97820615e26bd51cbc989fcbf3a028f2e5b12658449b4b6692f3cd82b2df08967118ee05aa7fd5063e439d1a0afbb611aa19f11a28d830612512a5438f63c7
-
Filesize
267KB
MD53814086d561a22ed9005ba4f35c5987c
SHA130f3059629c123223208659be7ab45c234aa9434
SHA2565d918c11a0efcfaaea5981aa4b25520584e33d09e4e940c65078ca0581673387
SHA51255197cc81b499b35e14aa80f84a44449335fc85f3b2d757dcea2b1b172ceb7cb0ed4805dd1503d2fb1c3e680f4df0a9487e70b0fa270d4c5cb88e3a00370c9cd
-
Filesize
20KB
MD5d982ae777e8e44019b24bc272d84d582
SHA1a490d6472e8ee57fe7f6046a911dfdf6a5e4ed95
SHA256b9681ebd6aaa8276d307c2e5243eecfea97e045b9ffd432ad75974fb818cac82
SHA51225321a7325e330d37323e05a9a045fcd515cacd9555ba413eab1709cd59db92fbcfbb424ed150199720a338e0017331f4e1fbfcaf5763b64280d9ea29bcf06b2
-
Filesize
2KB
MD5b023650f83ebe604181f657c0d8a4be1
SHA128b808d1fb4e9a6022c8a7de29248fcdb583eea9
SHA2561b12ded49161bc6bf18bf521fe233be4f41a4107d0c76fa2fa66a8023828fa36
SHA5128c4b703a19ab8be5c1c7fdafa1380e4c83f99370afae6dd938ef78066458665668ef4076740d151b6ad53eedc94b5934f486090058ead456d474e96fb7efeeff
-
Filesize
951KB
MD5fa678b54bc6dc42ca74ab104203475fe
SHA1151df3753808b3d44b5a5255c820c8b928658c1c
SHA25638e98d7bea3c4297e939f8940dc3c2855caecea427156dbe001ea43d03d4a947
SHA512e893d49a446900fbfda12b1a2540a478132db22214fa849e3d95b7b6b8be6783a4e116e614fcde7afe731323492963219aec0cbd21797905ecea74af5b142af2
-
Filesize
2KB
MD505e9217895f13d8b004c83d8223957cc
SHA15655ea6576dceaff14b7b27f4b347e85f322f9b1
SHA2560b767361d3dfbaa8ab7748eb0aecb104f394b4473b228e269addaebe95e2a4d6
SHA5128188c722a25d45a857712be7673a1b9bf43d1f4e64d891004d6b71ba6a20894f0fb833e877230b5cfc833b4d05a0d1a44c930aee6c9fcd3c712e149496482bf8
-
Filesize
257B
MD5be08ac42d40ff3076757cf63998c8da7
SHA1c53d1cd6e82b3a4bf34aabbe31fe73185c55d594
SHA25654da05ff7e8a4c96c7aca38e9cd32574390bca3e85dabc6b9814e7c37d637de0
SHA512e0bf548daea0b1d93029f52ab534dc642108e38faef2384a414197eafb16c9817376e847a0955fed01cfd8d03ea1d5773173d70ff05bd8b00ab00f9399ff0982
-
Filesize
563KB
MD581cfac8335822ba4bea1e50c46adf967
SHA1ea360da28b5aff7112b6f42404dc2ee2610e640c
SHA2561829bf1ccae25c61dca8eb1b4fea10c47276157cc619efb6ab8a8804592770a7
SHA51224dee2758eda2facb07c814737e4f20ea718a4ef42294dfc97a61c1af7b271df5ef0a0d414199ee89c8c496a1063d217173e32bcf4f305c3b41dca1ccf30c738
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
1.1MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
1.1MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB