Analysis
-
max time kernel
13s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-01-2025 10:33
General
-
Target
JaffaCakes118_51a4b372e766b04eadfe6b2bbcfd7dc6.exe
-
Size
219KB
-
MD5
51a4b372e766b04eadfe6b2bbcfd7dc6
-
SHA1
fae0d43c3c87d896ac4027529b8cad54245ffe26
-
SHA256
e333f5fa21d3fe4212ba530406aa09c19d65d3a8d80773e1e9a59cf73ca9f45b
-
SHA512
311e0e0838c1e44113494d28d66ecdee0a3935656ccae64942dc31578ad0a15c6ff7cffd829101894409ebf3d1f14d46a1cca49852188ea08ecf7d6709365272
-
SSDEEP
3072:inxwgxgfR/DVG7wBpESU1qyAbsyo+6y8MTHpEYepPPRE6rjwRYiQI4CL66NW9X:i+xDVG0BpwOlo+UMfWGiweiR2t9X
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51a4b372e766b04eadfe6b2bbcfd7dc6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51a4b372e766b04eadfe6b2bbcfd7dc6.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
219KB
MD551a4b372e766b04eadfe6b2bbcfd7dc6
SHA1fae0d43c3c87d896ac4027529b8cad54245ffe26
SHA256e333f5fa21d3fe4212ba530406aa09c19d65d3a8d80773e1e9a59cf73ca9f45b
SHA512311e0e0838c1e44113494d28d66ecdee0a3935656ccae64942dc31578ad0a15c6ff7cffd829101894409ebf3d1f14d46a1cca49852188ea08ecf7d6709365272
-
Filesize
471B
MD530f59b20e935520badc298242cb4cff1
SHA100622b2054eb148a8459c2ccd0b22606c2d5c7f6
SHA2564a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c
SHA512f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21
-
Filesize
404B
MD50e9aa7bbcfbd0664d84d443564171a64
SHA1e916183f20fb8e4fefc2e3f2d95e9f88cdac8187
SHA256b89c0c755a0014c7ca209f8d8100753ebe4201353ff9c1503dfcfadee245f4eb
SHA51226b57110ef617a7caeda00e9bcd024995d0fdc61f99a5454c3669a5acc3d40d1d3fb42291c33c6a6215cb35dc10167896c1e6957fbed741759e9b5bff32f70b1
-
Filesize
404B
MD5103b1199816e0765393e20a86c09218d
SHA105e020390742129823bf4033881cf3a6da107786
SHA2561d7ddae41bc8f86f54c911b05514d801aa04a241683a25b88d42d92373d37c1a
SHA512d4d7e128c51b1989052a2cece4be7d18ca46cf871c4d2bf43bba5a8429026f17641079e0660500e163990ead7557000949924062c044929fea955e8c6ff3c7e6
-
Filesize
3KB
MD5f2e7d31452360eec08195e431bb1067d
SHA1eb3231f7eb0c17db16443ed9eae71ab2d637be04
SHA256949e58fef319671c0ddf6f857dec66d2b24f0be85c64a8dca1f77dc40eb61bdf
SHA51235d847686a5b5e74537f804dfcabba476e00cb3c860de514d8ac9052ff85481c8269e40ed9895a76ec29ef6e9239ffcfbe58cb83e7ffe8f605b60454a7040bd8
-
Filesize
5KB
MD52f3ebdd105008e7a2385a5baf1bc7f62
SHA196fa19a00175f56b73fcd0190a000a7d02c98723
SHA256211e54dfd678378942e50010bc514fb3901c81ce584653478ace82fd2e4c4189
SHA5120a1daade26808150dd7a1358a5e4c6e41d5c0b946307e60decb14e52d09154584e1cfe7e45adc88baeb7412f9a88b18572d695973709220fd8479b2711662fe7
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
257B
MD5e30c5d09522b3eb8e54f40c87f7cdcdd
SHA11410e279c66cd28a213af665f20614fff66b90ae
SHA2561e381550c283bdea13ef7ad1b4de49cfbf219cfe1d90100fd35d09d8376d9dca
SHA5120378d38362aac19e8fcbf7d4f07c7a9b0c74e54cfdcd0dafdd3a53db229c0c9fa9ce6e8aeba6d9ee89278dcc9b78cae687ced352d0bedf3551189206a9987573
-
Filesize
100KB
MD5e27bfb5eb789c5a3b8d677bb99b79be5
SHA1182e99d37faf22ea20c0d3c6f6a90f106ccf35d6
SHA2568f3e172c6e3613bfb889d368345e8371f2ae4e9991ed61d071c1584c062b8b91
SHA51239bf4f2336bb4234af614a07095283c18761b714985c827f9283f5493dc1524049024fd28c229e652ec51f8c0304d26fac3ca14775bf7c67ebdb564b5c85cdcd
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB