Analysis
-
max time kernel
23s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-01-2025 15:45
General
-
Target
JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
-
Size
419KB
-
MD5
4127f1773178d0597c0a54b719689c86
-
SHA1
2a89d552abfeadd203df210bb1166f5e93663df8
-
SHA256
18c1d4cdefc2fec292716c8ca114ba756342517066fb6beac11d2fc998d5f57b
-
SHA512
20d7fb6e0cbfddb08c0e14e2053daefba3a1a94e799511fa651199512177581e76d621d983fa9cd45bc5635f1eeab31d46766978d2a97857cc5569d448619822
-
SSDEEP
6144:4ltC6+RPi6dSTaUNcneIUqdKLwJ+V1pNtlHlWi4lIe5WL5thveXDtH0Nff3hfKMW:8+138aCbItdLulV4lTc5/0tUyk0XVh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 3844⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD5b0ca348e242deee7ea5417a15a84c1a4
SHA12a727655feb43796810fde263877aa5cfa2ac3ce
SHA2562a8d2bce7a164527e5aab01da2b5c8fc683dbd82958de6a311c5a0a7b40eec5a
SHA5124eb5aee58dda6c0f7b7170bf67c73b0cb6da7885c04937f5f8757adf987942ff0319b01b7cfbf9d940a0f4ef745d6d9cd5f35508c633dbfccd77ad033e36b98f
-
Filesize
257B
MD5568062ed3c53598a7fedce6ec12eef70
SHA1580aaec95b2fdc048e22b64211af9501709f7480
SHA25657cc1ddd883b94266d00e3dfc4bdaa4bc0cdc1278ca9d7bdaae934a640ed10d5
SHA51204e7cdc06c4de9718a6cde27bdb570fa9b904d1f646c68de37c82ae752844f350c6ad1f5c02b459320255a15e8996786289dd0b209bec5b7eb1c7edb23084d05
-
Filesize
174KB
MD5720442f6a69c5a7f9fc98c369a2b1932
SHA108c29ba11ca18626ea0cde321426de60eeb06791
SHA2568fcd3ff8b91dadba8f3b8a80f49ef02ad4fe94839d86e493580f9021fad4404a
SHA512d484f1373635cd78144be753d91d02b123680875468880488f044db6650d1abc24af48490c937fd25fc4b8a6e7a6f655f90b829c4a1e0721f83921337775db4f
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB