Analysis
-
max time kernel
51s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18-12-2024 18:46
General
-
Target
fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
fcb5ec96e3734ba744f85a82a323fe5f
-
SHA1
9e5ea5c38281d581230b43d84f08a16590b84d86
-
SHA256
f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9
-
SHA512
ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4
-
SSDEEP
24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 13 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Modifies registry class 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Sets service image path in registry
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\FileUnlocker_Installer.exe"C:\Users\Admin\AppData\Local\Temp\FileUnlocker_Installer.exe" /silent3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5abbee3e367f6e6ed415d33c78121ffa9
SHA172ed524e769a9f8e72804c019a1cbf58f0d305a7
SHA256af36ab81c5befe41140a5da5f605361be18b55d6410da1cbf1bf7e0dcf52bc92
SHA512a01c955f3f60325c4aba28ea6c4c8c0d9f0b1a46928fccb37d38ad676eeaee8814fb15ca15ccb79739d63802bd850940e365cf542d2de1381276d22796f62c63
-
Filesize
1.1MB
MD55efff574689b66e52a0911beb11d1e71
SHA18ed39e4a8942f0cf4949875d13d2b3a5d94c862c
SHA2566fa46018fb22414f6b384d416884fa52e2dfedc2e3672022091f086f65ae7eab
SHA512be94cdf2f1d7edd40b6081e7f0a266891dca2c1548d9a6dafb83d2222285329730c6479b87e3e4e86d5b1180bb8c30a4e2f72ebbe35fc681cc38b569c90317ea
-
Filesize
558B
MD5618f3cbeb01b7537095e94d734e724ed
SHA12e3222565cd197cf90059321f6502a93ca81e234
SHA2565e0f56fae9c0de1727e62ae37b8b7ce56d260b7676c376f47aa5fbe4362238fb
SHA512d828ab067df7f88ea890ed813331511a93c329d55f8dace2a6d2a02513365ba2e3f8af3f28aed8ea2ff29126777596617a376d6243c08576e60cec82f6008849
-
Filesize
696B
MD5c195b2bb108d2787d0081fec7a9665d1
SHA12714e8ae2ed68379b684251a75430d31194cc398
SHA256df872ebe37d76a2f695215928feb1d9eed97ab2a17ba56568598b12227157b1b
SHA512be3314d71e0187261cdb10c0efd654aa767a0f6a4e1c3d27b7b6937d0673e318e4adf11ca53b8a5aa7879b6fd24f5dc932ebd223dd0daef3dfc439c33df6f56f
-
Filesize
735B
MD587dba0d81441a2adbd0e2fe4702cb420
SHA1183e2f7c236f12c1143b1c165aea57bf5019d749
SHA25661b470459b9359732895b9a283e3fe44898849cf264f9cd502c376772f575a61
SHA512f8c63040891a68803e6b5ce058f2ad35748bf088a6f6acf21280d00fb43199cce39b1cfaabc46d83a93529a455d787958ff454587b293c9ed3e063fc69fcafb4
-
Filesize
257B
MD5d56f18e062da12efd1f68c9a3f085aec
SHA19d0f71ede288a4476a3f0bfb1f7958d23c582929
SHA256a4bc57c12d50f88d2360ea58ece4bbe0029e154a77ccf38b7dfbd6200ffa376f
SHA51245dc35fbe38a853f623056d121aa5eb8e573f454d2d8402b977de6033a4a4c988b2b6cea3506ca8428f8322f751c174a558bcabc39a60f9f1a3422ae40f09a85
-
Filesize
100KB
MD5886a8b0616e98eb5a250d1562b52574b
SHA13ef40ce78cd5c732e10caebbea586f16519e27e4
SHA2564e565dcd9e41cb0316a9969e2e14a773a8a234bee174a64e1c1dbf1a49344069
SHA5124dc3f5a6bf7732396dc6abcdee751b6eb92e7a504724ff761ab8f2b380395f1baf8170b5ea14160d3db60ea800a7eba41a2de8007cb2625768952e2c200fd5f8
-
Filesize
92KB
MD551dfaf518abe1b24aa409cef12d7d0ab
SHA11120d0e1b8623f7687f1836640541a4bd0a7d170
SHA2569acec97ccabadffcf774b58b0b12de531ab541c6530069b1664270bdedc1051f
SHA512b4fd522340ea3da23db09eb7d4101c735f59986b45df296587cc457cba0f505a4b36c74e0efc237e35fd5d2971448fc6e55929aa2cc175af3bc0d9b64625651a
-
Filesize
17KB
MD5255e405d801cf01247390f38f92d8042
SHA15c80e7b634c10629b63d43083542a4b1b8603318
SHA256b0a4c2b6f40d7ad177dbd40c26b579d67cc9a95552970d9f6f0c7de372ce2a2f
SHA512a8cb3500c80b29a8f646dccf1b48baeac2c86ce2abca71b845b732dbf47f8603ff6d51b319217c2ad1f1314c5ff27bde5a9ad7d2a56363f74eefd275c9970b41
-
Filesize
10KB
MD549b6af547ed4ba1fb07bf6f384fda841
SHA1d865b17ead0c92339eeaa651c03a629ae5a5e031
SHA25686e8e34cfb71100cda06fe96573d832049cd18b1b251823139e935a1faefcbe8
SHA5126ea392a740bef18a770f3b86f691125dad7dcebf7972fcbacf06fdf04e09cd0717fb0705a303a6b245f66d399b4f4f31013b82cd6f0b0b52f90b88a9c5c18889
-
Filesize
726KB
MD5eafabf4ce7fe59b179962c4746e1e42e
SHA142f3fd854c7506e6b2179992055ac79801a05e88
SHA2563e79c1b5192b44c30973d4982088180b067e0f05affb2315c0471130ab73ae97
SHA51299f4163a1fd066225104234eba70f306050d0ca16c07498759cd79b65f30d13d774e4911176c90a306c04707ea0fcd5129db48476d3596cc9740ae5939caaf52
-
Filesize
14KB
MD5325b008aec81e5aaa57096f05d4212b5
SHA127a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA51218362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
Filesize
5KB
MD59384f4007c492d4fa040924f31c00166
SHA1aba37faef30d7c445584c688a0b5638f5db31c7b
SHA25660a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA51268f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
-
Filesize
438KB
MD5b5ec60121dee1a742202d32089dfbdac
SHA13a03722c994f0fdaf69eb07db7c93502ee99dc72
SHA2566b3483c1ab83ed1324cdcff141c96421c25fe1e1667f6d624861ce462778659e
SHA512eb4cb4a587bd5449f6d36f96be1c2f79250fee50b9605fcf2ee074db3e2cd2e33fe35f56297d438b45106b1cd68d7de5995097609bacb18f94bed71df4d106f3
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
292KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
292KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB