Extracted

• • Target

    JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60

  • Size

    292KB

  • MD5

    285cebbc3f15e5f98fd569c88ef88b60

  • SHA1

    63e29c8ef0595908a0b3b97fc20a6cab80640a93

  • SHA256

    5600f1f50e6971e997b489a53a9741c2e474606739fa9482fbc847cbccb92912

  • SHA512

    1544c4dee90ac72e494a1e55c54dad63cf8fbe90731bec8601fb2925cecfc2709399bd3d12c868828b5ae9ee3821c68c179480e44787f665ac020cd0272d87fc

  • SSDEEP

    6144:cvEF2U+T6i5LirrllHy4HUcMQY6nyLTepUZPun0CX:uEFN+T5xYrllrU7QY6yLTEnh

  Score

  10^/10

  bazaloadersalitybackdoordefense_evasiondiscoverypersistencetrojanupx

  • Bazaloader family

    bazaloader

  • Detects BazaLoader malware

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

    trojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies visiblity of hidden/system files in Explorer

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2