Extracted

• • Target

    JaffaCakes118_80a044c5d9e94a69472172fa8db49823

  • Size

    1.0MB

  • MD5

    80a044c5d9e94a69472172fa8db49823

  • SHA1

    b82b750e00b06477505c818b841953d8d3f6e3e2

  • SHA256

    49b46b9d73a0c39269501a9ee90145c71c9f20e582303aeb5b9777e3f6808845

  • SHA512

    483f95e799663d9542625567dcfb31ab99f49cbf98ba06c2ddf91ade82991972a2c2bedc8cfc647659c97dbb4090917bafdea2355678cb84258452eb58e7c387

  • SSDEEP

    24576:2VoQ0WH84QRpnyuScebMk6XJBlOxv5BJy4y+8n2LZSiribnA:f2H84QiMXvl6LJyM8msiB

  Score

  10^/10

  salitybackdoorbootkitdefense_evasiondiscoverypersistencetrojanupx

  • Modifies firewall policy service

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Disables RegEdit via registry modification

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2