Overview

overview

10

Static

static

3

JaffaCakes...f1.exe

windows7-x64

3

JaffaCakes...f1.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...c3.dll

windows7-x64

3

$PLUGINSDI...c3.dll

windows10-2004-x64

3

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    93s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2025 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_9e1fc2025ee07b383353b07b44bb5df1.exe

  • Size

    258KB

  • MD5

    9e1fc2025ee07b383353b07b44bb5df1

  • SHA1

    423562d464799b06bcaff6a8bc92ab546976ce42

  • SHA256

    36be331d0ef90bc33b66ff764d4571b59fad3878a4cb57e8e917ec2a26873da8

  • SHA512

    eadbbe0901de99cfe7be4cb6d33c204725a845289b936e888ff75c2baf16858471e70b905e41dc39224e7afbc3136105950945ec9541db4c5eea7f9f3997381b

  • SSDEEP

    6144:qQBg1suJmdX/520h98sgrD67LRjtX6t1pcJGUg1ZoNj:41/JY/5SrD2LRpK1c8UgzM

Score
10/10
salitybackdoordefense_evasiondiscoverypersistenceprivilege_escalationtrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    defense_evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Loads dropped DLL 21 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    defense_evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:792
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:788
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:64
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2508
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2536
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2656
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3608
                  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e1fc2025ee07b383353b07b44bb5df1.exe
                    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e1fc2025ee07b383353b07b44bb5df1.exe"
                    2⤵
                    • UAC bypass
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Loads dropped DLL
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2692
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh firewall set opmode disable
                      3⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:1628
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3736
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3916
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:4008
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:4076
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:1348
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4276
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:2700
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:932
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                                  1⤵
                                    PID:424
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:4628
                                    • C:\Windows\system32\BackgroundTaskHost.exe
                                      "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                      1⤵
                                        PID:4868
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        1⤵
                                          PID:4784

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Reconnaissance

                                        Resource Development

                                        Initial Access

                                        Execution

                                        Persistence

                                        Create or Modify System Process

                                        1
                                        T1543

                                        Windows Service

                                        1
                                        T1543.003

                                        Event Triggered Execution

                                        1
                                        T1546

                                        Netsh Helper DLL

                                        1
                                        T1546.007

                                        Privilege Escalation

                                        Abuse Elevation Control Mechanism

                                        1
                                        T1548

                                        Bypass User Account Control

                                        1
                                        T1548.002

                                        Create or Modify System Process

                                        1
                                        T1543

                                        Windows Service

                                        1
                                        T1543.003

                                        Event Triggered Execution

                                        1
                                        T1546

                                        Netsh Helper DLL

                                        1
                                        T1546.007

                                        Defense Evasion

                                        Abuse Elevation Control Mechanism

                                        1
                                        T1548

                                        Bypass User Account Control

                                        1
                                        T1548.002

                                        Impair Defenses

                                        4
                                        T1562

                                        Disable or Modify System Firewall

                                        1
                                        T1562.004

                                        Disable or Modify Tools

                                        3
                                        T1562.001

                                        Modify Registry

                                        4
                                        T1112

                                        Credential Access

                                        Discovery

                                        System Information Discovery

                                        2
                                        T1082

                                        System Location Discovery

                                        1
                                        T1614

                                        System Language Discovery

                                        1
                                        T1614.001

                                        Lateral Movement

                                        Collection

                                        Command and Control

                                        Exfiltration

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\0E57A642_Rar\JaffaCakes118_9e1fc2025ee07b383353b07b44bb5df1.exe
                                          Filesize

                                          186KB

                                          MD5

                                          bb2e194f5d07a28839bf017e5ae3dace

                                          SHA1

                                          2e6e0c85e761380f5f51276d8426cea210742b19

                                          SHA256

                                          b535a0c902c035d1551c35e36fc80676fd9f198a3d4ab108483c8f073a1eaab3

                                          SHA512

                                          6b4f66d023452b4aeaf08c75e66680e82157f3a12c6c348ef993cc78febf55a13478b8cacbb24724d8eea29faa72e7fe6d0ddea4d4ad9076245c4da9ae9f9a4c

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\EBanner.dll
                                          Filesize

                                          5KB

                                          MD5

                                          cce7bc13dbc3faea7769fcf7727eb19f

                                          SHA1

                                          59633ed1adc02235ca058883534ff36be4fb3f37

                                          SHA256

                                          dd519ae6d7fd6df0c32db834df215df2fe7c1d044b800922a58da7f4f00b95ab

                                          SHA512

                                          21e4a8ecd383d59ef24f590367328248d21c7fe452fc5c3a42ec597f920e79caf6a8047babb9fb44d2cca8329dd7d14b39cf13a0934aee409fa5bdd7c2e4f121

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\NSISdl.dll
                                          Filesize

                                          14KB

                                          MD5

                                          a5f8399a743ab7f9c88c645c35b1ebb5

                                          SHA1

                                          168f3c158913b0367bf79fa413357fbe97018191

                                          SHA256

                                          dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

                                          SHA512

                                          824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\System.dll
                                          Filesize

                                          11KB

                                          MD5

                                          c17103ae9072a06da581dec998343fc1

                                          SHA1

                                          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

                                          SHA256

                                          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

                                          SHA512

                                          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\accept2.bmp
                                          Filesize

                                          16KB

                                          MD5

                                          f642e8cfce23aa5d124533357de7394b

                                          SHA1

                                          80ce98a2bc4b416db357ea52a74424d742cfaa55

                                          SHA256

                                          f1bed304ea1d96094c1e4e3f8e112b7ce15af4441192e73c9144f774ad132d2e

                                          SHA512

                                          d0ec47e3a69cc6c6f54e8ba58cade7875ace43b66946e7bd4b678dc246c61acf8d36aeaf80082308f08783c28424c5db601bdde1d820f7797b60ca4fe948ad26

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\inetc3.dll
                                          Filesize

                                          25KB

                                          MD5

                                          9d8ce05f532dc7b5742831ec8a63c2d8

                                          SHA1

                                          b014365f723c78a84bcdf8a46cfa016eb2b8dbc5

                                          SHA256

                                          fcc46c2e60931a76fe529a9fa5a85ba2f4bf7907d651161f92fc524ac4747982

                                          SHA512

                                          98f268bebf0c82d019873a7b109e1822011c0532e6a6d8ba94d2b8a918d9558f4db89100b6ee357c9c510ff56adc349e619489fd7e8d21e7f826877185ede3fe

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\linker.dll
                                          Filesize

                                          6KB

                                          MD5

                                          8450b29ee8d592c208ba1aaf6ee50267

                                          SHA1

                                          75096da057bc85cef63bb0eec168652ea75cf618

                                          SHA256

                                          53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

                                          SHA512

                                          d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\nsDialogs.dll
                                          Filesize

                                          9KB

                                          MD5

                                          c10e04dd4ad4277d5adc951bb331c777

                                          SHA1

                                          b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

                                          SHA256

                                          e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

                                          SHA512

                                          853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\nscA653.tmp\ty2Response
                                          Filesize

                                          4KB

                                          MD5

                                          4685e87c06efcc5ce632c76697f644c1

                                          SHA1

                                          9338776dbda1b12f2624e77aa0b4eb8d1f95e318

                                          SHA256

                                          8ae78b39379a0835ad1ccd7dc282ff293cfe5886ac14bc8e3f39b2b3f7b0a637

                                          SHA512

                                          712e99be35c5adb4bf2e2515ca519666ea59e3fea78f6221a8f4d7581d30b282e38468d4ead76e3e704b91bdc028c9f37ddf152b3c62ff73b05fade36379a856

                                          Download Submit

                                        • memory/2692-13-0x00000000004C0000-0x00000000004C2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2692-31-0x0000000002380000-0x00000000033B3000-memory.dmp

                                          Filesize

                                          16.2MB

                                          Download

                                        • memory/2692-8-0x00000000004C0000-0x00000000004C2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2692-41-0x0000000002380000-0x00000000033B3000-memory.dmp

                                          Filesize

                                          16.2MB

                                          Download

                                        • memory/2692-9-0x0000000002340000-0x0000000002341000-memory.dmp

                                          Filesize

                                          4KB

                                          Download

                                        • memory/2692-0-0x0000000000400000-0x0000000000479000-memory.dmp

                                          Filesize

                                          484KB

                                          Download

                                        • memory/2692-12-0x00000000004C0000-0x00000000004C2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/2692-10-0x0000000002380000-0x00000000033B3000-memory.dmp

                                          Filesize

                                          16.2MB

                                          Download

                                        • memory/2692-6-0x0000000002380000-0x00000000033B3000-memory.dmp

                                          Filesize

                                          16.2MB

                                          Download

                                        • memory/2692-3-0x0000000002380000-0x00000000033B3000-memory.dmp

                                          Filesize

                                          16.2MB

                                          Download

                                        • memory/2692-200-0x0000000000400000-0x0000000000479000-memory.dmp

                                          Filesize

                                          484KB

                                          Download

                                        • memory/2692-191-0x00000000004C0000-0x00000000004C2000-memory.dmp

                                          Filesize

                                          8KB

                                          Download