Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-02-2025 03:39
General
-
Target
JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
-
Size
183KB
-
MD5
840fa6ee06fff8d84a2773e8ae922156
-
SHA1
578ca844543245c67e88aa8c71664035f4b18d76
-
SHA256
52f79515018dba7417e433c71b09a951015f69827f30b1ca0db3688a2a21d65b
-
SHA512
b6ca765f0fa3193e0e332e3a9f730309b88491327c6c35eb543343d8e8997e70f9643347ed875156d18403d56e1139e74f7f462aab2c36130197ad2188b3d55d
-
SSDEEP
3072:DLk39XKhYXJlq+JNu/9P0qO5dqAv9efWQFgn8PInvqHUE9s2giM0vxj+hyv8umc3:DQHK+3S9MqODvULe6mCkbeRmu
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 32 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD51e77482af3122ce2cc5a1a0dc8d3082d
SHA1bd73aee1dc12468a2e285dc3358776faf02404c1
SHA256f954e8a92a0b52a2c46ad5d42076d1c19f78758b300569085ee77a9c9b69c79a
SHA5127fd3ba411f88793c2f046dd38bae692d2ad2e545a4e94cc58802b3dc12ca390663b68aebb25c85f100fc38abcbd9913c8e3c1dda2ffd10976ac1d1fbfa726b8b
-
Filesize
257B
MD54d54dcf8a2182d1ce443a33e10103300
SHA152ddd8b4d7ad4818307f25db60aaa8e3062dd261
SHA256e2d902f33a9b92fd2c38ff18b7bff1a8ce16ed23544a39ce8e170871f7f162e5
SHA512e58761da75a620fb5d08e813ce9ad5fd8e95d8c92f84d8a57bf6268807584468179ae036ccc88ffb4f9d22062f2affeb2c0faec5bdf6d40206c081bcada39f18
-
Filesize
35KB
MD52cfba79d485cf441c646dd40d82490fc
SHA183e51ac1115a50986ed456bd18729653018b9619
SHA25686b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
SHA512cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
13KB
MD5bcec2a6095d38abc192a68d094c302d0
SHA19e88c5b957b45524690513b75d81dee259d5d599
SHA256446000200eff4f9c20761ce1680902daba190c81a57154f4917b1741d7800e3c
SHA512b48e85a17904a104eef573358763a0b1215eec96f72f83ff544d2dab22737bc42411ca505adf3f7e95c6f7e7997ad3e408f258093727105b678d5eee8d8e6278
-
Filesize
4KB
MD57579ade7ae1747a31960a228ce02e666
SHA18ec8571a296737e819dcf86353a43fcf8ec63351
SHA256564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
24KB
MD5ef630cf1898c257df36b1037bd1e5392
SHA1b2c47d9a741d2b5391387059552b37f2daddade2
SHA25641776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f
SHA512986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211
-
Filesize
9KB
MD5c10e04dd4ad4277d5adc951bb331c777
SHA1b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize
183KB
MD5840fa6ee06fff8d84a2773e8ae922156
SHA1578ca844543245c67e88aa8c71664035f4b18d76
SHA25652f79515018dba7417e433c71b09a951015f69827f30b1ca0db3688a2a21d65b
SHA512b6ca765f0fa3193e0e332e3a9f730309b88491327c6c35eb543343d8e8997e70f9643347ed875156d18403d56e1139e74f7f462aab2c36130197ad2188b3d55d
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
340KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
340KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
340KB
-
Filesize
52KB
-
Filesize
340KB
-
Filesize
16.6MB