General

  • Target

    fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241218-xewemsynbj

  • MD5

    fcb5ec96e3734ba744f85a82a323fe5f

  • SHA1

    9e5ea5c38281d581230b43d84f08a16590b84d86

  • SHA256

    f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9

  • SHA512

    ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4

  • SSDEEP

    24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118

    • Size

      1.1MB

    • MD5

      fcb5ec96e3734ba744f85a82a323fe5f

    • SHA1

      9e5ea5c38281d581230b43d84f08a16590b84d86

    • SHA256

      f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9

    • SHA512

      ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4

    • SSDEEP

      24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      325b008aec81e5aaa57096f05d4212b5

    • SHA1

      27a2d89747a20305b6518438eff5b9f57f7df5c3

    • SHA256

      c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    • SHA512

      18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

    • SSDEEP

      192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo

    Score
    3/10
    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      9384f4007c492d4fa040924f31c00166

    • SHA1

      aba37faef30d7c445584c688a0b5638f5db31c7b

    • SHA256

      60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

    • SHA512

      68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

    • SSDEEP

      48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2

    Score
    3/10
    • Target

      $PLUGINSDIR/OCSetupHlp.dll

    • Size

      438KB

    • MD5

      b5ec60121dee1a742202d32089dfbdac

    • SHA1

      3a03722c994f0fdaf69eb07db7c93502ee99dc72

    • SHA256

      6b3483c1ab83ed1324cdcff141c96421c25fe1e1667f6d624861ce462778659e

    • SHA512

      eb4cb4a587bd5449f6d36f96be1c2f79250fee50b9605fcf2ee074db3e2cd2e33fe35f56297d438b45106b1cd68d7de5995097609bacb18f94bed71df4d106f3

    • SSDEEP

      6144:/Vhp3y+QqV5epuEAwXDf//3/rP/cqx7kMK9RdkXbRsSfFedkTmWBQFJd62WCvGi4:9ozXDf//3/D/15kM8sLFGUmWB6JdTG8o

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      c17103ae9072a06da581dec998343fc1

    • SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    • SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    • SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      c10e04dd4ad4277d5adc951bb331c777

    • SHA1

      b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    • SHA256

      e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    • SHA512

      853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    • SSDEEP

      96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420

    Score
    3/10
    • Target

      $TEMP/FileUnlocker_Installer.exe

    • Size

      726KB

    • MD5

      eafabf4ce7fe59b179962c4746e1e42e

    • SHA1

      42f3fd854c7506e6b2179992055ac79801a05e88

    • SHA256

      3e79c1b5192b44c30973d4982088180b067e0f05affb2315c0471130ab73ae97

    • SHA512

      99f4163a1fd066225104234eba70f306050d0ca16c07498759cd79b65f30d13d774e4911176c90a306c04707ea0fcd5129db48476d3596cc9740ae5939caaf52

    • SSDEEP

      12288:zg84ghC5/4AdYHjfdyygoFBPdCxlnoP189Bh86+u1+4kS12cV:zg84gq/4ryyfFPIlnoPWCQ+Vs

    Score
    3/10
    • Target

      $TEMP/QuickStores_Unlocker.exe

    • Size

      425KB

    • MD5

      13e66d856d535b6739c1c634d915e0a8

    • SHA1

      8b8a2b930b31fbde7243d64fa03073fbfdfd85fd

    • SHA256

      40ad334f59cf5d27fb60cf3ce0e2ce423c781ec00b9e2a8d98aca91c6db7ecf2

    • SHA512

      921398bdfb0e1a755adf228fb0b8f29404c1bc8c7d784618ae3223af85625510c0c5d42020368f3b0def70403bf62752bbafd8f62e86e9ad05001182aa923cb7

    • SSDEEP

      6144:x/20g715fltZaDXy6VhYYFpPuZaSHQwNrj15WHMokC6ml6x8gtV81ohySfS:p20g7JtZaNzYworj1Ysokk6ig81ifS

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target

      OpenCandy/OCSetupHlp.dll

    • Size

      438KB

    • MD5

      b5ec60121dee1a742202d32089dfbdac

    • SHA1

      3a03722c994f0fdaf69eb07db7c93502ee99dc72

    • SHA256

      6b3483c1ab83ed1324cdcff141c96421c25fe1e1667f6d624861ce462778659e

    • SHA512

      eb4cb4a587bd5449f6d36f96be1c2f79250fee50b9605fcf2ee074db3e2cd2e33fe35f56297d438b45106b1cd68d7de5995097609bacb18f94bed71df4d106f3

    • SSDEEP

      6144:/Vhp3y+QqV5epuEAwXDf//3/rP/cqx7kMK9RdkXbRsSfFedkTmWBQFJd62WCvGi4:9ozXDf//3/D/15kM8sLFGUmWB6JdTG8o

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      Unlocker.exe

    • Size

      92KB

    • MD5

      51dfaf518abe1b24aa409cef12d7d0ab

    • SHA1

      1120d0e1b8623f7687f1836640541a4bd0a7d170

    • SHA256

      9acec97ccabadffcf774b58b0b12de531ab541c6530069b1664270bdedc1051f

    • SHA512

      b4fd522340ea3da23db09eb7d4101c735f59986b45df296587cc457cba0f505a4b36c74e0efc237e35fd5d2971448fc6e55929aa2cc175af3bc0d9b64625651a

    • SSDEEP

      1536:2ju3Mk1QeAWFHiUzyJBGMXW6hlFTaBpSwUFbFdqHwRz/Yv+fJBYNQw72/E:/dAWJiUzTMXW6MlKqQRz/Yv+vV/

    • Target

      UnlockerAssistant.exe

    • Size

      17KB

    • MD5

      255e405d801cf01247390f38f92d8042

    • SHA1

      5c80e7b634c10629b63d43083542a4b1b8603318

    • SHA256

      b0a4c2b6f40d7ad177dbd40c26b579d67cc9a95552970d9f6f0c7de372ce2a2f

    • SHA512

      a8cb3500c80b29a8f646dccf1b48baeac2c86ce2abca71b845b732dbf47f8603ff6d51b319217c2ad1f1314c5ff27bde5a9ad7d2a56363f74eefd275c9970b41

    • SSDEEP

      192:nkf2W/OThExEPYqRWJa+De9zf8pRvBpD3FMXKv+abac5WrYm7+TJ8OLQPF8VlmY:npM+Q3Pe9z0pRb3h+ab1HLU8VE

    Score
    3/10
    • Target

      UnlockerCOM.dll

    • Size

      10KB

    • MD5

      49b6af547ed4ba1fb07bf6f384fda841

    • SHA1

      d865b17ead0c92339eeaa651c03a629ae5a5e031

    • SHA256

      86e8e34cfb71100cda06fe96573d832049cd18b1b251823139e935a1faefcbe8

    • SHA512

      6ea392a740bef18a770f3b86f691125dad7dcebf7972fcbacf06fdf04e09cd0717fb0705a303a6b245f66d399b4f4f31013b82cd6f0b0b52f90b88a9c5c18889

    • SSDEEP

      192:2BNzky6fIAt/KNn8JZ1QfnMP1aFQ4179BUjAPeJjIKT2Z:2HzzAt/0n8JrQfnMP1aFQ4NBw

    Score
    3/10
    • Target

      UnlockerDriver5.sys

    • Size

      4KB

    • MD5

      bb879dcfd22926efbeb3298129898cbb

    • SHA1

      cee6b0a5cc1651448b827e55b87d73030b15c287

    • SHA256

      2a24e6cd5d6e0cea3082c0699a2371084cc1268b31bc714098ea0d0c11b3afac

    • SHA512

      49978bb3450330319827ff9c0f373bceaacf7a7f24bbbab6eaa3615604fbb6079c70d873e161bd3a42b16f75d0f5231696774c3a354ddc4c703b00952a8d447e

    Score
    1/10
    • Target

      UnlockerHook.dll

    • Size

      4KB

    • MD5

      abbee3e367f6e6ed415d33c78121ffa9

    • SHA1

      72ed524e769a9f8e72804c019a1cbf58f0d305a7

    • SHA256

      af36ab81c5befe41140a5da5f605361be18b55d6410da1cbf1bf7e0dcf52bc92

    • SHA512

      a01c955f3f60325c4aba28ea6c4c8c0d9f0b1a46928fccb37d38ad676eeaee8814fb15ca15ccb79739d63802bd850940e365cf542d2de1381276d22796f62c63

    • SSDEEP

      48:C5H6MDvlw43mN6MJmxolFuTUyJaeGA9TKziUFvQ4wZK0E8ee1kAosky4+q+O:AH1ln4J9FwzKBkEtjJ+DO

    Score
    3/10
    • Target

      uninst.exe

    • Size

      167KB

    • MD5

      cc7070ed9f50f897645a4739b40b6342

    • SHA1

      26b37c29001269f8c126d2e5f9abf177fe50e4e6

    • SHA256

      161364c13a5ddf5384bae33b7954641955794618997ab5bd83b633c18a0417ec

    • SHA512

      b58bfeca73e86f4d887884d1bfcb39921e3b27dc79140353035efa531613d55b4dff335ad1ae637be1f0cd841cc423065d5376d311fc0683dcb475cd29db32b8

    • SSDEEP

      3072:9Lk39rhYXJ5wK4psZskP9LrmCEyaJ9ft5T/vd10LGl97XRMJnL:9QQjr4uZsIWCEpnv3FlJRM1L

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Windows security modification

    • Checks whether UAC is enabled

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      325b008aec81e5aaa57096f05d4212b5

    • SHA1

      27a2d89747a20305b6518438eff5b9f57f7df5c3

    • SHA256

      c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    • SHA512

      18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

    • SSDEEP

      192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

salitybackdoordiscoveryevasionpersistencetrojanupx
Score
10/10

behavioral2

salitybackdoordiscoveryevasionpersistencetrojanupx
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

adwarediscoverystealer
Score
7/10

behavioral16

adwarediscoverystealer
Score
7/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
7/10

behavioral19

discoverypersistence
Score
8/10

behavioral20

discoverypersistence
Score
8/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

salitybackdoordiscoveryevasiontrojanupx
Score
10/10

behavioral30

salitybackdoordiscoveryevasiontrojanupx
Score
10/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10