Extracted

• • Target

    JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d

  • Size

    287KB

  • MD5

    80b5d6b1db9b2a3a754dcfc082ec1c6d

  • SHA1

    949e7ed5d58dac9d8a1ffdc61da351a1b2333e28

  • SHA256

    704d8f03265ae5970cfc2dc5ad341d3b3ed67e757bbe56ea72c7666496528d12

  • SHA512

    7504d24719a42159d5af48a18f40b2b1538533e3cc48d5dea07c9c5812b6a9411ed6f165d494f8c98438fcaa13d95e55843b781e5557049db3fb381ce3955121

  • SSDEEP

    6144:KvEA2U+T6i5LirrllHy4HUcMQY6qjbh+bR2j1P:0EAN+T5xYrllrU7QY6qKR29

  Score

  10^/10

  bazaloadersalitybackdoordefense_evasiondiscoverypersistencetrojanupx

  • Bazaloader family

    bazaloader

  • Detects BazaLoader malware

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

    trojan

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies visiblity of hidden/system files in Explorer

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Disables RegEdit via registry modification

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2