General

  • Target

    JaffaCakes118_4e95131a70ac3cdddb1ac90818fb7716

  • Size

    525KB

  • Sample

    250101-knfpbsznbs

  • MD5

    4e95131a70ac3cdddb1ac90818fb7716

  • SHA1

    9f2209e7438cbffb884e1ec2cb11514005d4b00c

  • SHA256

    9f318554e7eb51d2d486821ec043e65ec4fe8d7e6cc353c1c8a0eb6e5d6feeb0

  • SHA512

    c38545f041ae4124c18fef882b6526fc9359616a5d7ca9243c1c279b115bf9b1003f8d64104ce96800e7a2033ff663d5249f0c4adf5fdeb9b0c5d9ba958ba6cb

  • SSDEEP

    12288:BgS2Srmo6XQwWIllkMJScyF+ZPPfnEUnM85XpYG:iS2kmoTwWIllE6lvo85CG

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      JaffaCakes118_4e95131a70ac3cdddb1ac90818fb7716

    • Size

      525KB

    • MD5

      4e95131a70ac3cdddb1ac90818fb7716

    • SHA1

      9f2209e7438cbffb884e1ec2cb11514005d4b00c

    • SHA256

      9f318554e7eb51d2d486821ec043e65ec4fe8d7e6cc353c1c8a0eb6e5d6feeb0

    • SHA512

      c38545f041ae4124c18fef882b6526fc9359616a5d7ca9243c1c279b115bf9b1003f8d64104ce96800e7a2033ff663d5249f0c4adf5fdeb9b0c5d9ba958ba6cb

    • SSDEEP

      12288:BgS2Srmo6XQwWIllkMJScyF+ZPPfnEUnM85XpYG:iS2kmoTwWIllE6lvo85CG

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • Sality family

    • UAC bypass

    • Windows security bypass

    • ACProtect 1.3x - 1.4x DLL software

      Detects files using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/DcryptDll.dll

    • Size

      14KB

    • MD5

      904beebec2790ee2ca0c90fc448ac7e0

    • SHA1

      40fabf1eb0a3b7168351c4514c5288216cb1566d

    • SHA256

      f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

    • SHA512

      8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

    • SSDEEP

      192:apY9VuCnNCbs8dNyHdrvr5T1KEtx/9ehuhiDTUkSv/DxRyeHk51I7n13Xm:aptMNUjyVvGWxauhiDDS3DnyK7nF

    Score
    3/10
    • Target

      $PLUGINSDIR/ExecCmd.dll

    • Size

      4KB

    • MD5

      b9380b0bea8854fd9f93cc1fda0dfeac

    • SHA1

      edb8d58074e098f7b5f0d158abedc7fc53638618

    • SHA256

      1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

    • SHA512

      45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

    • SSDEEP

      48:ifXNtGNjFizsU35iej7luiwa28mDJmDKUOMQH0glay/Aa4r/:5Fef5iej5txKJKenlV4r/

    Score
    3/10
    • Target

      $PLUGINSDIR/IpConfig.dll

    • Size

      114KB

    • MD5

      a3ed6f7ea493b9644125d494fbf9a1e6

    • SHA1

      ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

    • SHA256

      ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

    • SHA512

      7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

    • SSDEEP

      1536:CPDzpyvLtmY7SeAmhPzV8+i7kRuACUxHf91MionF9JTwrLPG5zfO+lP7:UZl1e7L4ARzC3dwrLPG5zG+lP7

    Score
    3/10
    • Target

      $PLUGINSDIR/SimpleSC.dll

    • Size

      61KB

    • MD5

      d63975ce28f801f236c4aca5af726961

    • SHA1

      3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

    • SHA256

      e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

    • SHA512

      8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

    • SSDEEP

      1536:i/qXv1si+Xsp9MNptZ8KMT6+nMA4fx+kmA:Bv1EXZnLMT5M3x+km

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      c17103ae9072a06da581dec998343fc1

    • SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    • SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    • SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/chrome.exe

    • Size

      43KB

    • MD5

      f592cd154e8f797fb809dd904db4e15d

    • SHA1

      508b95cb794f30150cf5c97313e14f5f22a48c6d

    • SHA256

      e2d4630572f2841a4ca6db7b653f77df8174f9d009537fa264e2b6a16b6b6d24

    • SHA512

      3492eab565c582b31347a70016cb8028a672251f89b2414ed9d19191dc99fd37669f488f29c8284328e82ea552e68f7bf08d2a40060b7cdd08510c525eb30cd9

    • SSDEEP

      768:B0C2Vmn7QfF/P2QeVFnBYykXIgJRMvX8MP0D3YMcjfS+tXJFix9a9Cze7NuWrAaQ:qCUm7KFP2QuXYdsLP0DgXJFicCzEuWr+

    Score
    3/10
    • Target

      $PLUGINSDIR/nsJSON.dll

    • Size

      7KB

    • MD5

      b9cd1b0fd3af89892348e5cc3108dce7

    • SHA1

      f7bc59bf631303facfc970c0da67a73568e1dca6

    • SHA256

      49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

    • SHA512

      fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

    • SSDEEP

      96:Zw8NZ0x0OOdzJt0TwYKj7W/NYDNd9fQ6blfW+KrWC69r7ncnrD6Qdm:6e/7vAmrHblfW3iCmDcru

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/inetc.dll

    • Size

      20KB

    • MD5

      4c01fdfd2b57b32046b3b3635a4f4df8

    • SHA1

      e0af8e418cbe2b2783b5de93279a3b5dcb73490e

    • SHA256

      b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

    • SHA512

      cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

    • SSDEEP

      384:rJBJ8VnX8K+uKn2WQJdxbs3aEUhU7ya4L60Ac9khYLMkIX0+GwNyEAG:3J8+K+uK2WQJdxbsqEUhUua4L6AG

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      acc2b699edfea5bf5aae45aba3a41e96

    • SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

    • SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

    • SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

    • SSDEEP

      96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX

    Score
    3/10
    • Target

      $PLUGINSDIR/nsRandom.dll

    • Size

      21KB

    • MD5

      ab467b8dfaa660a0f0e5b26e28af5735

    • SHA1

      596abd2c31eaff3479edf2069db1c155b59ce74d

    • SHA256

      db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

    • SHA512

      7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

    • SSDEEP

      384:LCHDPMs4GdtyO5roguusMxUXiO3wOw95euooP2UgKbd9BvNtf:LCHD6Gh87MKXil/5r2U3z

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PROGRAMFILES/Wajam/Updater/WajamUpdaterV3.exe

    • Size

      111KB

    • MD5

      7c3012aac2a223b295cb60d5f3415450

    • SHA1

      60b5a35cef2e94cf74e4f5d0e6e2c0ec1646b645

    • SHA256

      4ea6c99809e76ee6b3edbe8c62912d539b8aae1db8c7bf977eb5bc2f2807f401

    • SHA512

      f15781a44f6bc49cd45ecea8ba922cc8439883f0079ce0fcf7eb46f6c370d9d6c498918d9667e14dfcd58b3f4ce487952686d17adc5d3efb3b542a25508c75e7

    • SSDEEP

      1536:sFjaSADV9+AVhzV4Dd4OCGcgMp4W8C/QXkRB3F2U3uWe90IBeYwkd:sRADLVROCGcH8CttFFuWe90IBLwkd

    Score
    3/10
    • Target

      $PROGRAMFILES/Wajam/uninstall.exe

    • Size

      62KB

    • MD5

      99d90902a41b5ef1a2e97b641dc17d4d

    • SHA1

      bec739dfdb9f3b6a1a364dca56a325e2f56720ed

    • SHA256

      9dd76887784714e3b47a650f1343f5e2f888462d63047b5471000ccd97671cf0

    • SHA512

      f36110d2a26c7b74a3847c17324d5b718365f8101efa4f7017e99863ae585406837e2abff550afee01521cd87b279411b7ab9314cc69a396b8a4b705c5f98c19

    • SSDEEP

      1536:s1q3+uta99Hj25XvwLXJLiH/AtNmTgX/HeqgLuh3c:KstajHKBvYXJL8Mt+qgL3

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      $PLUGINSDIR/ExecCmd.dll

    • Size

      4KB

    • MD5

      b9380b0bea8854fd9f93cc1fda0dfeac

    • SHA1

      edb8d58074e098f7b5f0d158abedc7fc53638618

    • SHA256

      1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

    • SHA512

      45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

    • SSDEEP

      48:ifXNtGNjFizsU35iej7luiwa28mDJmDKUOMQH0glay/Aa4r/:5Fef5iej5txKJKenlV4r/

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      c17103ae9072a06da581dec998343fc1

    • SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    • SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    • SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      acc2b699edfea5bf5aae45aba3a41e96

    • SHA1

      d2accf4d494e43ceb2cff69abe4dd17147d29cc2

    • SHA256

      168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

    • SHA512

      e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

    • SSDEEP

      96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

sality backdoor discovery evasion spyware stealer trojan upx
Score
10/10

behavioral2

sality backdoor discovery evasion spyware stealer trojan upx
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery upx
Score
5/10

behavioral16

discovery upx
Score
5/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery upx
Score
5/10

behavioral22

discovery upx
Score
5/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery spyware stealer
Score
7/10

behavioral26

discovery spyware stealer
Score
7/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10