Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
01-07-2024 11:39
General
-
Target
1b27cf1a9808b8433f58d7e786a1c3d5_JaffaCakes118.exe
-
Size
100KB
-
MD5
1b27cf1a9808b8433f58d7e786a1c3d5
-
SHA1
13b6e7b7948b5476ea370fb9784dd0c35fb542d3
-
SHA256
e3597d8ff570d050f50b9342bbdbf39134536ae43b82b4c00e5746f12e85bb58
-
SHA512
d3e17d5ebac6701cae9df5106500b2231a92720363922f77eb4eb7be36a7ba01cd086172f6b1ded8610747aa4a11570259c20773d9037ebd0c8a10b796af0a02
-
SSDEEP
1536:avKLvEvUnogD2fG6w7gOaAI9zDVc8fjzSAxNNQyyVq8I:8KTEM2fG3aAe5c8rOGNz
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1b27cf1a9808b8433f58d7e786a1c3d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b27cf1a9808b8433f58d7e786a1c3d5_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\vsroy.pifFilesize
100KB
MD51d8ae342faa812d48bb87a36e567d614
SHA16e902124ae1d6a6fbe3eb50215b1a9be9338ee46
SHA256b76d1feb07ec8822b3b786563c1884bfd7466acf5d478ebf9fd23ead44015d6c
SHA512b8b07661d152b02d161e9712279e1bbeefc246b3f9649c86c7e83135c7a5eb24752d3f8c43552e7ef365ca8626dbb31f1c922e4903eefa239325a957e35861a7
-
memory/1108-10-0x0000000000450000-0x0000000000452000-memory.dmpFilesize
8KB
-
memory/3008-31-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-61-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-23-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/3008-20-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/3008-19-0x0000000003330000-0x0000000003332000-memory.dmpFilesize
8KB
-
memory/3008-5-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-6-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-24-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-28-0x0000000003330000-0x0000000003332000-memory.dmpFilesize
8KB
-
memory/3008-27-0x0000000003330000-0x0000000003332000-memory.dmpFilesize
8KB
-
memory/3008-8-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-26-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-25-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-32-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-7-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-1-0x0000000077050000-0x0000000077051000-memory.dmpFilesize
4KB
-
memory/3008-29-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-30-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-90-0x0000000003330000-0x0000000003332000-memory.dmpFilesize
8KB
-
memory/3008-3-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-9-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-35-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-36-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-37-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-39-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-41-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-43-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3008-51-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-50-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-53-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-56-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-59-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-60-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-33-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-64-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-65-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-69-0x0000000001F70000-0x0000000002FFE000-memory.dmpFilesize
16.6MB
-
memory/3008-0-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3008-2-0x000000007704F000-0x0000000077050000-memory.dmpFilesize
4KB