Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
27-06-2024 23:54
General
-
Target
180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll
-
Size
832KB
-
MD5
180585584c14d9afbaa0670fad166c5f
-
SHA1
500b7099db374c718f3fd3a399750ad44bb74138
-
SHA256
9e19c4b9e6c9e8715b20a36bdfda405ca12cfd26adb1ec6316a4f7256c60884b
-
SHA512
4d685d7e7fb4a868d7cc622209c14e1f3a862b34aa0b13d4aca02ce5fce2278a5ed1e1ba89c7255f5ccf0c1f608bde1a55de527b6855ffa587743b3552c91e44
-
SSDEEP
12288:tPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5Uju80rv1mNs:tPSH4hQP/RN2fLqNK9QV4qBH1edefKP
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
168KB
MD54ee90e77cc7b95036c28d6f85eaf278b
SHA11234d710eb024b4e1a4c02b3e244a7a827039808
SHA256a73144e948274aa0ad9c291ab52d9a944e969020d92cfcdbc5f83b492d2dd5b1
SHA5125c82fdf8d94c15c63fb0f6e577a22851787f316e32178df633fcdf89aeb6075e5399cc610ac1875f871d6f4ac34b620ef67ed09a74af8e699a1c1c764f7858f1
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
351KB
MD5f0f6afea3085f3d605d88347e180e97b
SHA1cb2978637f2be27d7897a6c278b38aec4521bd69
SHA25602d89531b56acff0aca0ba0b788e5f07a971d68384fddf1000f078f6a2cb52eb
SHA5123bd967fc9c88d6504309978f08dc013d5795d4ab079cb86125d21f3a8d4e2128676cf28c34a06d9957706837c2ef9858ad2a5d4b1b6c4fab80aab2d0ad107f10
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
347KB
MD5b6fd5a1d79055164e4a8369771102cfe
SHA1ad1f00e312351b4a7357296daf43a31b094fc41e
SHA2563fb3f394582fc56bc4bc307e6c49dfaa642422f86cc6f39947b5aeb089e73dbe
SHA512208044893809c440c133a8a592b6ab3a0bf3335ffed5e553b8e1db086bb7dbfe4e8e170a9eb9ffdad8905468e40750627fcd4a61c022d7bc87cb333e62ab60de
-
memory/1120-35-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1780-377-0x0000000077AA0000-0x0000000077AA1000-memory.dmpFilesize
4KB
-
memory/1956-73-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/1956-124-0x0000000077A9F000-0x0000000077AA0000-memory.dmpFilesize
4KB
-
memory/1956-611-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1956-79-0x0000000077A9F000-0x0000000077AA0000-memory.dmpFilesize
4KB
-
memory/1956-78-0x0000000000380000-0x0000000000381000-memory.dmpFilesize
4KB
-
memory/1956-77-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2368-2-0x0000000075020000-0x00000000750F2000-memory.dmpFilesize
840KB
-
memory/2368-3-0x0000000074F40000-0x0000000075012000-memory.dmpFilesize
840KB
-
memory/2368-4-0x0000000075020000-0x00000000750F2000-memory.dmpFilesize
840KB
-
memory/2368-5-0x0000000000180000-0x00000000001B4000-memory.dmpFilesize
208KB
-
memory/2368-12-0x0000000000180000-0x00000000001B4000-memory.dmpFilesize
208KB
-
memory/2936-81-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2936-90-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2936-1052-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2936-95-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2936-99-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2936-100-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2936-102-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2936-101-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/3036-49-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/3036-31-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/3036-30-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-14-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-26-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-22-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-20-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-19-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3036-13-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/3036-24-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-25-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-27-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-28-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-44-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/3036-45-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/3036-32-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-33-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-34-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB
-
memory/3036-64-0x00000000048A0000-0x00000000048D4000-memory.dmpFilesize
208KB
-
memory/3036-56-0x0000000002700000-0x000000000378E000-memory.dmpFilesize
16.6MB