Overview

overview

10

Static

static

3

JaffaCakes...e3.exe

windows7-x64

10

JaffaCakes...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-01-2025 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_4cdf6d282861677c309d96b2441ae3e3.exe

  • Size

    984KB

  • MD5

    4cdf6d282861677c309d96b2441ae3e3

  • SHA1

    4835dec84f5508b2df0de81e6038cf17bd145264

  • SHA256

    ef4f716f836c643c0f24f1478618d4d83a9dfddde7eadabdf076b5cabb776fd5

  • SHA512

    c1f5c37cadc1b01632b412635a698f6e3e261fdc0ddfcb3fdbeb583e1f69f30ee5d1f8ca61f1f29a8f9516e57d9d0444c76d75f79fb86e23ff72755ee043c363

  • SSDEEP

    12288:WFeOkxOVGeOG6gCpu/14Gl6fRvxOl+p647fZXZxk:WFeOkxOVr16/0N2fRvxu/qY

Score
10/10
salitybackdoordefense_evasiondiscoverypersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    defense_evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    defense_evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cdf6d282861677c309d96b2441ae3e3.exe
            "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4cdf6d282861677c309d96b2441ae3e3.exe"
            2⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Users\Admin\AppData\Local\Temp\Newbie Cleaner V.5.exe
              "C:\Users\Admin\AppData\Local\Temp\Newbie Cleaner V.5.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2716
            • C:\Windows\SysWOW64\SYSTEM99RUNNER.exe
              "C:\Windows\SYSTEM32\SYSTEM99RUNNER.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1712
              • C:\Users\Admin\AppData\Local\Temp\Newbie Cleaner V.5.exe
                "C:\Users\Admin\AppData\Local\Temp\Newbie Cleaner V.5.exe"
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2668
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1200

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Newbie Cleaner V.5.exe
            Filesize

            292KB

            MD5

            c9d264149952ab440fd3c26c1a049baa

            SHA1

            a39b83d27277cefc1e4a38976411c617ced51328

            SHA256

            9f62eafaa20d26673858796dfd999840e995620de0403adb209f62bef0ba5c87

            SHA512

            68b3c67ff90d9905c757bfc127773995316943860ce6a07bad852b7f16143cb839298912e266322961c29da0ed7f5fae05f90271ccd2d3e4517d8ab2f9f9e0ea

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            7a4b8ff4f117dd3423ced7fd72a5729c

            SHA1

            44a7d72b7764460641fe3168dac3c215055a29e9

            SHA256

            824bc7cd03423b1f854eca66f052f41ff8bedab6ec4bd3a194e8070401387003

            SHA512

            26f900b5490f557bbc5ecaf347232d96f2b3f2dd2ee718738cee435e2d5acacc5809caa4c1d47df713a8daad74da30473ae9adf6e117600569dfee8fa5f52813

            Download Submit

          • C:\Windows\SysWOW64\SYSTEM99RUNNER.exe
            Filesize

            984KB

            MD5

            4cdf6d282861677c309d96b2441ae3e3

            SHA1

            4835dec84f5508b2df0de81e6038cf17bd145264

            SHA256

            ef4f716f836c643c0f24f1478618d4d83a9dfddde7eadabdf076b5cabb776fd5

            SHA512

            c1f5c37cadc1b01632b412635a698f6e3e261fdc0ddfcb3fdbeb583e1f69f30ee5d1f8ca61f1f29a8f9516e57d9d0444c76d75f79fb86e23ff72755ee043c363

            Download Submit

          • memory/1120-24-0x0000000000290000-0x0000000000292000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2668-129-0x0000000000400000-0x000000000044B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2668-93-0x0000000003BA0000-0x0000000004C2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2668-99-0x0000000003BA0000-0x0000000004C2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2668-95-0x0000000003BA0000-0x0000000004C2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2668-96-0x0000000003BA0000-0x0000000004C2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2668-71-0x0000000000400000-0x000000000044B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2716-42-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-18-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-21-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-15-0x0000000000400000-0x000000000044B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2716-17-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-20-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-46-0x0000000002510000-0x0000000002512000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2716-45-0x0000000002510000-0x0000000002512000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2716-39-0x0000000002720000-0x0000000002721000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2716-41-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-40-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-50-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-49-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-44-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-51-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-19-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-72-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-76-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-77-0x0000000002780000-0x000000000380E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2716-92-0x0000000000400000-0x000000000044B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2788-43-0x00000000026D0000-0x00000000026D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2788-32-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2788-47-0x00000000026D0000-0x00000000026D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2788-14-0x0000000003050000-0x000000000309B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/2788-33-0x00000000026E0000-0x00000000026E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2788-31-0x00000000026D0000-0x00000000026D2000-memory.dmp

            Filesize

            8KB

            Download