Overview

overview

10

Static

static

3

JaffaCakes...20.exe

windows7-x64

10

JaffaCakes...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe

  • Size

    233KB

  • MD5

    0621c3f3a262ce7e64a5fe9cb5706520

  • SHA1

    4475324756e78883fcd911eb649db2ba15b4dbe7

  • SHA256

    f6095c12de5e32ca44e64607815cf99cb8826a9eb60bf01bac3e362edcd39803

  • SHA512

    d2905f4158cc24897122129dbd7a8ea0ebe1acdee2ddaf25ceda65c0a9724088a22f74c937ce834b3a3a97fe9255308fecb09dccfb7addc356970f4443bb81a0

  • SSDEEP

    3072:ebq9FP/7UNphUAUXWbGCa0/b0QtRegrz1MboTwyV1jKoyzMwq5AxlEWm:eYJGOAUmbGhJezCbo0yVMvlEWm

Score
10/10
salitybackdoordiscoveryevasionexecutionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Windows security modification 2 TTPs 20 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1104
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe
            "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2236
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "sc create "JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520" binPath= "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe" start= auto && sc start "JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520" "
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2860
              • C:\Windows\SysWOW64\sc.exe
                sc create "JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520" binPath= "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe" start= auto
                4⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2716
              • C:\Windows\SysWOW64\sc.exe
                sc start "JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520"
                4⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2776
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1228
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "-64568069-712684199-97713966216693385722065215780631432962-1864389000-1863631500"
            1⤵
              PID:2088
            • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe
              C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0621c3f3a262ce7e64a5fe9cb5706520.exe
              1⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2732

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            System Services

            1
            T1569

            Service Execution

            1
            T1569.002

            Persistence

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            4
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            5
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            3
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              12e8e70b1eb0ebfdf6629cacd3310441

              SHA1

              cf9c8e5adc147d4ecb5545372204910ffaf75b17

              SHA256

              0321633a3e181e86a46d24c012626354c0989623359cc716fda91c1dd0b3edf6

              SHA512

              ca7c537d64ead13b853c5c4f753d5d58f20d6891b14c90fe6ced0191ae709089231deadb26c92ee98713f2fca987acca13d341e01fc09c22fda482289d08332f

              Download Submit

            • C:\aqbwgk.exe
              Filesize

              97KB

              MD5

              5d55f4a5f8b762e0ee8b3db340412ea5

              SHA1

              6ddc151c98424b809b41cf3d1a69c5134ea4f600

              SHA256

              ed76274683c10f5db4f27fd0312686ca6cbb2a346086a1e35bb5369261cf149d

              SHA512

              30c945966a1c72142f6a3769f71dfb51fc9dec23cfb6dab077ab909c015afa52abbbdfb5e791bee624d93bd38e6d8db826f4692a3af54fc9a409e5d83d2ff507

              Download Submit

            • memory/1104-13-0x00000000002E0000-0x00000000002E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2236-42-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-6-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-5-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-11-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-26-0x0000000000300000-0x0000000000301000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2236-41-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-24-0x0000000000300000-0x0000000000301000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2236-100-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-99-0x0000000000400000-0x000000000043B000-memory.dmp

              Filesize

              236KB

              Download

            • memory/2236-23-0x00000000002F0000-0x00000000002F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2236-10-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-4-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-3-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-7-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-8-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-0-0x0000000000400000-0x000000000043B000-memory.dmp

              Filesize

              236KB

              Download

            • memory/2236-12-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-9-0x0000000001D80000-0x0000000002E3A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2236-33-0x00000000002F0000-0x00000000002F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2236-65-0x0000000000340000-0x0000000000342000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2732-54-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-45-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-51-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-46-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-53-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-73-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-52-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-50-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-47-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-43-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-121-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-49-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2732-48-0x0000000000990000-0x0000000001A4A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2860-40-0x0000000000120000-0x0000000000122000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2860-38-0x0000000000130000-0x0000000000131000-memory.dmp

              Filesize

              4KB

              Download