Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/03/2025, 19:09
General
-
Target
JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
-
Size
212KB
-
MD5
53446bee6d94a205129c8e55574d9fe4
-
SHA1
8793e22d95fb8f9418bad91413c797f602499247
-
SHA256
59c9544c206f6e202f2fbb10d5d9da403554eb8ca6db2db138e7b8c2a69fe185
-
SHA512
36f98f2ec9d6d95f29f296d7403360307b2e08953764b07b72dd471a3219eaa1a332d184944ea3dff30b3cb5b08f811a66f69548fddc91730450b4e8c1a1f122
-
SSDEEP
3072:ucUcm0X3qDOUwUNvo8Hj/64qDuibRRP1SWYh037Fu776yThTthw:ucUK3qDpvTT6LDuibjfa0rFa7PtTI
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe"3⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe"C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe"C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD553446bee6d94a205129c8e55574d9fe4
SHA18793e22d95fb8f9418bad91413c797f602499247
SHA25659c9544c206f6e202f2fbb10d5d9da403554eb8ca6db2db138e7b8c2a69fe185
SHA51236f98f2ec9d6d95f29f296d7403360307b2e08953764b07b72dd471a3219eaa1a332d184944ea3dff30b3cb5b08f811a66f69548fddc91730450b4e8c1a1f122
-
Filesize
257B
MD54252884d73155abb64d70ef01fff8056
SHA13e7c96cf96fb29da12f7e08fdb9e1cac2e1c1d99
SHA256f40ec85b4de7f687e5161bfd0d780ecc49b83b82aa2c27bae29ba8cf7b552370
SHA512988638568867713eb92c6bf6dd4175f914a5b95a90433a611b320f30288e807be8dc00c0dfdbcd60283f60193872743c90a50a2ef8713449514ab21f11ca330f
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
252KB
-
Filesize
16.6MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
16.6MB
-
Filesize
252KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB