Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
28-01-2025 07:40
General
-
Target
JaffaCakes118_48750158c081745d04dc11be9b24da91.dll
-
Size
120KB
-
MD5
48750158c081745d04dc11be9b24da91
-
SHA1
9ee4dd4dc47dd8dc23c619e702e4ff584f44832a
-
SHA256
15bfb23d6abf8679b20cc78677583456efce11bb3eecedca6c1ffa8fc6f0276c
-
SHA512
c602d417d75fbef8e61e1553fcb71814b90684090ee0dc7318951234cde3f7181afc1892f625a7cefdf127aca57f88896d39e96f44fc38c3c68ed133c31e14be
-
SSDEEP
3072:jHvuBnjhTmFy3bEQLResSUbnXhI86aj3XA3Tha:buBlDIQLRe+bRI86X3Tha
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48750158c081745d04dc11be9b24da91.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48750158c081745d04dc11be9b24da91.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f770445.exeC:\Users\Admin\AppData\Local\Temp\f770445.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f770648.exeC:\Users\Admin\AppData\Local\Temp\f770648.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7723d6.exeC:\Users\Admin\AppData\Local\Temp\f7723d6.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD55ff5da44fc77eb4eee0399cdd1225765
SHA1081279fe0a9ee8338209e7967f42c26aa1128188
SHA25676c800f78212def3e76639a9bccf18b81c166ab06d847d240291477f6bfd3b33
SHA512a3edaa8b8f135bb3a8679b4a8f1a8700d2ce2c2c23bf76ce6c4b1135370df1c894bffc32d82dc85261413be7212123c1cccbe8c585006b3cfa7a874152bfc145
-
Filesize
257B
MD59862eeb271438f619e6c97bf187908d9
SHA16d9428746dd012b52a59bea04e8d93f4e115a572
SHA25670e73473ca211d754f046c9edb383d4d174de487b7962dd2c0c104b9a04d61b8
SHA51222ffa115abcb02aa8e3b40d84e7af9e7381db06f3b3d712a00f6bbb919657d0fd18bb40bffe0835912b3778fd5bbb3770874be415d0d0fa722a810a5f8c7b5d1
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB