Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
02-01-2025 20:22
General
-
Target
JaffaCakes118_680e782739853d9ab89f2a6b929bda9c.exe
-
Size
2.2MB
-
MD5
680e782739853d9ab89f2a6b929bda9c
-
SHA1
134db29b396c18daad1290dec090ede152c7ae58
-
SHA256
244af2b75e59120c8a306b1b64b946be401d64b4cf3c22c5bead31772b24d116
-
SHA512
ba3ae7b7b4801eca7953379c9dd2fdbe4e9c8fbe628b190b1ed2b38bcf726640f1d2b3bdacca9e8acf89fcc8db5717f6637dfa4863c5766da7d11334946fc784
-
SSDEEP
49152:r94TDiVcvpec5e0mZfyeSywbd4CoohD3msm:r94TD6cvcc5e0mQw+D3Rm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modiloader family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
ModiLoader Second Stage 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 10 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_680e782739853d9ab89f2a6b929bda9c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_680e782739853d9ab89f2a6b929bda9c.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\BiFrOsT.exe"C:\Users\Admin\AppData\Local\Temp\BiFrOsT.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\BiFrOsT.exe"C:\Users\Admin\AppData\Local\Temp\BiFrOsT.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1165⤵
- Loads dropped DLL
- Program crash
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5ff8bdd790f373a63c58231260e7d9735
SHA1bd1ff5abafe58dbfbe58841aa58b37e4c14dfbf2
SHA256c802b070e7bebe5465f0cad4026876eae129cffb4f192b81ab215a0bc85a345a
SHA512d1843196321f6b3285c0941f3e088ff68d44cca0100d71c74f8c4300edafa38262cbbad3f9d886a519a5971a074ba95af48d1acb6c38a949d82f2ef68dda71d2
-
Filesize
288KB
MD5f43eb9d34f6462f4c48210c4c0f5a39e
SHA188b2efd2723a7c13b42c64af00bcc178893859ec
SHA256ed5bbfd85631de43a25f3c1c4f8a7851f621330772b02d436da782432a269c2a
SHA5124cb4e25842736cdb083cb70559657fdf391b656d208fcc557778b08e6213631fb778f2b6d80432ddb2f37f5229213f34ba5e78fa9137b7cb14c7bb7e6c5331a2
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
1.9MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.9MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.9MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
2.2MB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
4KB