Analysis
-
max time kernel
26s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-02-2025 14:27
General
-
Target
JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll
-
Size
424KB
-
MD5
b80f7658ffb704350faf5060b1d92d66
-
SHA1
2ad9d0776d0e38c306af1d40660045b1a98a8f04
-
SHA256
02d2d004f30e2022c652cb1e92b92ed5326cb5d0c49a3983bdcb480ae6012fe9
-
SHA512
61d95373a6d46c36e35b4f32d412440f54c9eecbaf04d596cd3da9b9144b0470588c241199ad2e08bd423d955e0a68ff7ee113bfcce9d82f759dc6dcc1709d1d
-
SSDEEP
6144:vl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyR5fih8JRmlM+9ZldLIsIyNk2uu6:vlCzcMg+9YkDiQ3/Q8Jud9f9jhuT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 3 IoCs
-
Disables RegEdit via registry modification 3 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b80f7658ffb704350faf5060b1d92d66.dll,#13⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4436 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:17410 /prefetch:27⤵
- UAC bypass
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 6124⤵
- Program crash
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 49841⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52493af7befda11771a3cee1e4ef2e441
SHA15c781cfe398f112d6738bd9d1352de7c8e5c0a4f
SHA256b97790c7fc17363178d6172864fcddd77dec9caad9f6252de62876b65acf9761
SHA51273aff0e7d1a7b728f19abd10f4cc16178655f778ddda7dcf472014af94e624608efcd2523e05ea6a35ea0e858a6d54c4d02483938297da74c9ffd325fc6b3391
-
Filesize
5KB
MD577d2b9b8d5e1cd64c50f3cd5a3509bef
SHA1125cf0132a31ce5371f47d29dd8d17752b02057f
SHA25674fbd8e10a2e31e61c66836a490fee04c7e417c64d34f97bb732c828094d0687
SHA512c0b37492fb1caea315de88df2bb1d5407ad17e67170802c83ca7c7a3b5337a18d918f6cb9fe914696c0578909916dc3d043b4b2ff9b63ddd0859879f0ee5ed59
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
258B
MD5112051e4c84a9e8da66b8c0a219add5c
SHA12a1b8d054fcf6f4150e6163e58a62fd40585614a
SHA25609733e08397a00048dbcf07bee477285323e45a0ff6f8578d428cffe846be4ab
SHA512309201a68fe7bfef40c65d41387ed4ea5e317cc6599feed4ec6be866fb104fcd44b8b082abdd4acc92b20422f852eee6399d0951d9d8fb2d537ee2186eef71c5
-
Filesize
187KB
MD527fdabf7c440551ce0d41832bb40e0e4
SHA1c3a6f07789562c1edbea44197a3f6cb3f6d345c9
SHA25652f26137f9a813c374e5bca7ae97f2f31c1f8084276944fdc5e97df7a69a86c4
SHA5124c13cfe5ed6741933d83ba0af39bd9cc544033328fe015b5ec1f1eff358e54764814f60085c0b4528034e2e8ab2f94694e186b27d9e66e42e01391ba20f38df5
-
Filesize
16.2MB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
84KB
-
Filesize
132KB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
16.2MB
-
Filesize
132KB
-
Filesize
252KB
-
Filesize
16.2MB
-
Filesize
16KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
424KB
-
Filesize
424KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB