Analysis
-
max time kernel
123s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-01-2025 09:41
General
-
Target
JaffaCakes118_6158c6bc46c4c2ff6d20b5393ae86b81.exe
-
Size
4.5MB
-
MD5
6158c6bc46c4c2ff6d20b5393ae86b81
-
SHA1
3bcea54356be388fe60fd14315f55933c9713077
-
SHA256
74379c7c3960ebe4d18c7617d118fb4d4e3f307faa1059ac7007d7bedfe31402
-
SHA512
3725b226ec94344cc2d3d8c3a633be52441e09ec84ca0cbec578bf59aed0bd8d6e3f0a8c153b56296097f4782b8ec40f1eee41e0a92ca37cf9ee18ce021e1077
-
SSDEEP
49152:qHgzHgUNghs8bBlKaEotaj7yg3AsZKlQc3MPsYMKZ9wsPma/oAlEHj9jt14X8qWX:qHgzHgUihs8blmfh3AQSKZGsgnzKX8Ff
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 19 IoCs
-
Loads dropped DLL 64 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 9 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 26 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 27 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6158c6bc46c4c2ff6d20b5393ae86b81.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6158c6bc46c4c2ff6d20b5393ae86b81.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 592 "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"19⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"21⤵
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"22⤵
-
C:\Windows\SysWOW64\ustata.exeC:\Windows\system32\ustata.exe 604 "C:\Windows\SysWOW64\ustata.exe"23⤵
-
C:\Windows\SysWOW64\ustata.exe"C:\Windows\SysWOW64\ustata.exe"24⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5c1fe36815ce6f4e493f881e8b0f10954
SHA12b536baf6290303544a382388d2a05c9a765a1dd
SHA256cb3c4bf46c08a4c2d70d8b31c40b4649c6b4131b97fd33dee57381e59d0c64dc
SHA512b4023a5fc4abf4b4bdc61d1c78776ecc8d7786a89c6a7dd3a001306df031bc978162f4ab79e68c1b8a00aa0fb6c8e577f72a449783ae7d107e008a66425c9b06
-
Filesize
100KB
MD5f4183189cf97e60ebd89316f6d114775
SHA133df6ddcae26c0923cf4d563addb4d515a8944ef
SHA256a250d28b4a79adf183a65c102c0c39c4cb7210140494894bec2c23259673b441
SHA512ec5141db4ad824d2b5ba12b6ec4005ead485dae228cc2bb9bfb496e5047b25ff5daf13354aaafa290ea3b45ad467365d2163de39abb33757de4e6712e9e419b8
-
Filesize
593KB
MD52c94309d304e3f7cedff0ac4de171334
SHA1b28ce92c969397f94ec34b268d0b86f8179f8f33
SHA2563bb5c7324f070d562fa83fcfb46ed2de976eadaeb7e58cce8df9bf812ab759b9
SHA512c963bcdb9f84a7d6a15cda01f48621f9c492dbc488b4ca7be6c78bdce823e48639097719b50a2352351062b2fa249218f3ecabeda5cf1891578eca29bc36f3aa
-
Filesize
3.3MB
MD50de821eeba661183a00ef583983d5cdc
SHA1518a8f5555a226a0fca56fc8502db35df62deb3e
SHA2565d623b7ba6a0ea1b89d6089fbd1afd29370ee1bf2536becd97ae95967b706eee
SHA5127841770d4ee7abb7c86a9c17fdf3c858df26917ecd31da38a29c87d75da653b89126487737747382b9a27094bdb44ed5988620b1a6bc5d690a80ed9ee51d7aa4
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
48KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
10.7MB
-
Filesize
2.6MB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
1.0MB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
1.0MB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
12KB
-
Filesize
464KB