Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 05:20

Static task: static1
Behavioral task: behavioral1
Sample: fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll
Resource: win7-20240903-en
General
- Target: fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll
- Size: 120KB
- MD5: fe982c3c0a9998190a5da76f9965ed07
- SHA1: a818ada4517f108dab490db25f7eaf08a87682dd
- SHA256: 4e30c5eeb1866a8ef3b1dc0618c6080b34bf7fe77c72645005b31d9d43ce0415
- SHA512: d22b36f82ca48987de6db872029708da4f788966e3dd0da49d74a3bb22c39189bef17e3d186996c08a6afedac8a5e7c0d17959807c5dd755ec9c226d194d3bd4
- SSDEEP: 1536:mxqNa4gnPlNQtYs2cp5KPnRp/NDGi7/4u3JqP0k0KwlATzzNRlWp11hLQAE:Ysa5nPlOmM+PRzDn7r3JqsjbAr6r
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a969.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a969.exe
Executes dropped EXE 3 IoCs
pid | Process
2052 | f76a969.exe
2744 | f76abf8.exe
2660 | f76c504.exe
Loads dropped DLL 6 IoCs
pid | Process
2528 | rundll32.exe
2528 | rundll32.exe
2528 | rundll32.exe
2528 | rundll32.exe
2528 | rundll32.exe
2528 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a969.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c504.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c504.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | f76a969.exe
File opened (read-only) | \??\S: | f76a969.exe
File opened (read-only) | \??\T: | f76a969.exe
File opened (read-only) | \??\E: | f76c504.exe
File opened (read-only) | \??\J: | f76a969.exe
File opened (read-only) | \??\O: | f76a969.exe
File opened (read-only) | \??\M: | f76a969.exe
File opened (read-only) | \??\P: | f76a969.exe
File opened (read-only) | \??\K: | f76a969.exe
File opened (read-only) | \??\L: | f76a969.exe
File opened (read-only) | \??\N: | f76a969.exe
File opened (read-only) | \??\R: | f76a969.exe
File opened (read-only) | \??\H: | f76a969.exe
File opened (read-only) | \??\I: | f76a969.exe
File opened (read-only) | \??\E: | f76a969.exe
File opened (read-only) | \??\G: | f76a969.exe
resource | yara_rule
behavioral1/memory/2052-14-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-18-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-22-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-24-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-23-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-21-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-20-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-19-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-17-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-16-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-62-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-61-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-63-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-65-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-64-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-67-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-68-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-82-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-84-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-86-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-107-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2052-151-0x0000000000710000-0x00000000017CA000-memory.dmp | upx
behavioral1/memory/2660-153-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/2660-205-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76faa4 | f76c504.exe
File created | C:\Windows\f76a9e6 | f76a969.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76a969.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a969.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c504.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2052 | f76a969.exe
2052 | f76a969.exe
2660 | f76c504.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2052 | f76a969.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Token: SeDebugPrivilege | 2660 | f76c504.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2972 wrote to memory of 2528 | 2972 | rundll32.exe | 30
PID 2528 wrote to memory of 2052 | 2528 | rundll32.exe | 31
PID 2528 wrote to memory of 2052 | 2528 | rundll32.exe | 31
PID 2528 wrote to memory of 2052 | 2528 | rundll32.exe | 31
PID 2528 wrote to memory of 2052 | 2528 | rundll32.exe | 31
PID 2052 wrote to memory of 1108 | 2052 | f76a969.exe | 19
PID 2052 wrote to memory of 1160 | 2052 | f76a969.exe | 20
PID 2052 wrote to memory of 1196 | 2052 | f76a969.exe | 21
PID 2052 wrote to memory of 2036 | 2052 | f76a969.exe | 23
PID 2052 wrote to memory of 2972 | 2052 | f76a969.exe | 29
PID 2052 wrote to memory of 2528 | 2052 | f76a969.exe | 30
PID 2052 wrote to memory of 2528 | 2052 | f76a969.exe | 30
PID 2528 wrote to memory of 2744 | 2528 | rundll32.exe | 32
PID 2528 wrote to memory of 2744 | 2528 | rundll32.exe | 32
PID 2528 wrote to memory of 2744 | 2528 | rundll32.exe | 32
PID 2528 wrote to memory of 2744 | 2528 | rundll32.exe | 32
PID 2528 wrote to memory of 2660 | 2528 | rundll32.exe | 33
PID 2528 wrote to memory of 2660 | 2528 | rundll32.exe | 33
PID 2528 wrote to memory of 2660 | 2528 | rundll32.exe | 33
PID 2528 wrote to memory of 2660 | 2528 | rundll32.exe | 33
PID 2052 wrote to memory of 1108 | 2052 | f76a969.exe | 19
PID 2052 wrote to memory of 1160 | 2052 | f76a969.exe | 20
PID 2052 wrote to memory of 1196 | 2052 | f76a969.exe | 21
PID 2052 wrote to memory of 2036 | 2052 | f76a969.exe | 23
PID 2052 wrote to memory of 2744 | 2052 | f76a969.exe | 32
PID 2052 wrote to memory of 2744 | 2052 | f76a969.exe | 32
PID 2052 wrote to memory of 2660 | 2052 | f76a969.exe | 33
PID 2052 wrote to memory of 2660 | 2052 | f76a969.exe | 33
PID 2660 wrote to memory of 1108 | 2660 | f76c504.exe | 19
PID 2660 wrote to memory of 1160 | 2660 | f76c504.exe | 20
PID 2660 wrote to memory of 1196 | 2660 | f76c504.exe | 21
PID 2660 wrote to memory of 2036 | 2660 | f76c504.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a969.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe") PID:1108
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe") PID:1160
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:1196
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll,#1) PID:2972
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe982c3c0a9998190a5da76f9965ed07_JaffaCakes118.dll,#1) PID:2528
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76a969.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76a969.exe) PID:2052
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76abf8.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76abf8.exe) PID:2744
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76c504.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76c504.exe) PID:2660
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:2036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: a1672bee7315f9ac858b472ec08c5678
  SHA1: 008025e282bdb593008a4da18f5aa6b0c3911493
  SHA256: 0e245938776d41664880ca7c81a10c5284eb26e4599e68159c516247bf420ba6
  SHA512: 54855c47f2b2f299fe56c948e151697b913e397ebb055726e071caf16704db71c38142a7f4d80c6d11e122bad0e128a641929cbd2f1101f825272b240688e4c0
- Filesize: 257B
  MD5: a90cffab7785a68a68233dadd1446ee9
  SHA1: ee0808e5d2fad7b79b4c7f42d860ba056ba14b7d
  SHA256: c5c6ad3694790ad1b8f10b0da65ce645f02922ec740f2275be085a52079dc3a3
  SHA512: 31f0f4bb7516f1a07452e17a5f4b8d113d8c5bdb19d23791e46095e37f00db6c48baae9c4a6b9cba8fea1245796698ac808968fe972e06dbc874bf8cfa208c5a