General

  • Target

    262bdf94b004bd09ce58437f12493cd9_JaffaCakes118

  • Size

    2.5MB

  • Sample

    240704-zn6m3s1amd

  • MD5

    262bdf94b004bd09ce58437f12493cd9

  • SHA1

    7177b4bdbbcf4b17c0bc90975da9ee026f3de547

  • SHA256

    2779f07d01247b9294a1db290ca70ce53700438839c8cb61b33c95012ccee83d

  • SHA512

    21f88c2dba0d22ad17185c7afbffe65d979cccc08b8ab7a8cb673d7582eaa11c34ef9352f612b4144c31a23e911d04dc24b6a24207f378b89cf9460d6914e20d

  • SSDEEP

    49152:vpIiXFW9352hc5vrU8nFWWQ+prv3nTHncbLRlewau1dEHYqnEDY:bXFW9J2hcxrUS0Z+pz3rcb1DuvaY

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
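The C2 list above is the only network indicator set on this page. As an added example (not part of the report, the sandbox's signatures, or Sality itself), the following Python turns those URLs into host IOCs and runs two checks over flow records: contact with an extracted C2 host, and DNS-port traffic to a server other than the configured resolver, which is the behaviour the "Unexpected DNS network traffic destination" signature on Ares.exe describes. The resolver address 10.0.0.53 and the flow records are constructed assumptions, not data from the sandbox run.

```python
"""Build host IOCs from the Sality C2 URLs extracted above and run two
network checks over flow records. Added example, not part of the report."""
import ipaddress
from urllib.parse import urlsplit

# C2 URLs exactly as extracted on this page.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# Assumption: the host's only legitimate DNS server. Anything else on port 53
# is what the "Unexpected DNS network traffic destination" signature flags.
CONFIGURED_RESOLVERS = {"10.0.0.53"}


def c2_hosts(urls):
    """Split the URL list into (ip_addresses, domains); domains are lower-cased."""
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return ips, domains


def is_c2_domain(name, domains):
    """True for an exact C2 domain or any label below it (cdn.kukutrustnet777.info)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed flow records (not from the sandbox run): one dict per
# connection, with the queried name filled in for DNS traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.0.15", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "query": "kukutrustnet777.info"},
    {"src": "10.0.0.15", "dst": "8.8.8.8", "proto": "udp", "dport": 53,
     "query": "www.klkjwre9fqwieluoi.info"},
    {"src": "10.0.0.15", "dst": "89.119.67.154", "proto": "tcp", "dport": 80,
     "query": None},
    {"src": "10.0.0.15", "dst": "93.184.216.34", "proto": "tcp", "dport": 443,
     "query": None},
    {"src": "10.0.0.15", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "query": "update.example.net"},
]


def triage_flows(flows, urls=C2_URLS, resolvers=CONFIGURED_RESOLVERS):
    """Return [(dst, query, [reasons])] for every flow that matches an indicator."""
    ips, domains = c2_hosts(urls)
    hits = []
    for f in flows:
        reasons = []
        if f["dst"] in ips:
            reasons.append("direct contact with extracted C2 IP")
        if f["query"] and is_c2_domain(f["query"], domains):
            reasons.append("DNS lookup of extracted C2 domain")
        if f["dport"] == 53 and f["dst"] not in resolvers:
            reasons.append("DNS-port traffic to a non-configured server")
        if reasons:
            hits.append((f["dst"], f["query"], reasons))
    return hits


if __name__ == "__main__":
    for dst, query, reasons in triage_flows(SAMPLE_FLOWS):
        print(dst, query, "; ".join(reasons))
```

The subdomain match in is_c2_domain matters for Sality-style hosts: the extracted list gives bare domains and one www. host, and a lookup for any label under them should count. The DNS-port rule fires on the destination alone, so it catches the second constructed flow even though the looked-up name is also a C2 domain; that double hit is intentional, since each reason maps to a different signature in the report.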

Targets

    • Target

      262bdf94b004bd09ce58437f12493cd9_JaffaCakes118

    • Size

      2.5MB

    • MD5

      262bdf94b004bd09ce58437f12493cd9

    • SHA1

      7177b4bdbbcf4b17c0bc90975da9ee026f3de547

    • SHA256

      2779f07d01247b9294a1db290ca70ce53700438839c8cb61b33c95012ccee83d

    • SHA512

      21f88c2dba0d22ad17185c7afbffe65d979cccc08b8ab7a8cb673d7582eaa11c34ef9352f612b4144c31a23e911d04dc24b6a24207f378b89cf9460d6914e20d

    • SSDEEP

      49152:vpIiXFW9352hc5vrU8nFWWQ+prv3nTHncbLRlewau1dEHYqnEDY:bXFW9J2hcxrUS0Z+pz3rcb1DuvaY

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Target

      Ares.exe

    • Size

      992KB

    • MD5

      69e967f3ff9e3df41f4228440fbd43ae

    • SHA1

      6c447b64f036f39eb3d248cf16991b32633d51ad

    • SHA256

      b6d3e5449b22d3f3e2f8120c3746fd65785909348ded63c2a2f8d77376b48bff

    • SHA512

      cf351a619b26503ffb66e7667d9425f31bbe5ce472a45de828b9b841aca2da913972a467da0620c6c59ee0f6230dc598b79f92239dad30f7bf43c9bf8dbaa18f

    • SSDEEP

      24576:Z4PWjFqcs26aptG/g0q0UuncjMb9ZfZP3rCVUnMoZRnLVqKAfgA:ZW26ajJ0UuncjKZfJrCSn7nZqKQt

    Score
    7/10
    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) to servers other than the configured DNS servers was detected.

    • Adds Run key to start application

    • Target

      AsyncEx.ax

    • Size

      196KB

    • MD5

      c250246a8020efc9d905e32aea98d8a4

    • SHA1

      bd82927d03992a4d5ab390c21249ec150270984c

    • SHA256

      46ce1a2667580265807eb9a7576303ecf02defb4cbb93ecc9ca5825ada267cf0

    • SHA512

      fc4979d766e542293a92ec520ebeb2ca48999b28d6731faaad2297e33dff701f351d6782d7c374d3aad8e10040b240573a4a09641610384271531a36a5130991

    • SSDEEP

      6144:fNBDDkAa1rlGC6sxTC9OCybJuyQqk6P8hZm:fLkAaV04dCwCybJu1OPw

    Score
    1/10
    • Target

      MP3Source.ax

    • Size

      60KB

    • MD5

      14fda53fbef501023ac193544cfcc9d9

    • SHA1

      dedf954a0e444022b77d085b731c7146804d78d5

    • SHA256

      f57a5122275ddc67f56d45608fb3b1c41a25b10899bd1e46bb9f04f02f7fc424

    • SHA512

      5bea4300b522e290cb0499944529921658c0d9f39fc4e2e2fa0ac31c6410b9834d430e5ce8f4afd1e20bc7cf16ec59460dcdb4bed7b770656a9bd7698c718b7f

    • SSDEEP

      1536:nV3d1U+bcXzRh9p8KPLrzmipy7RS1dw01xk:nJHbcXzRh8KPrmh1Sbw01O

    Score
    7/10
    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

      Uninstall.exe

    • Size

      129KB

    • MD5

      e8e3a158223c63f08ac763a1c9567627

    • SHA1

      c4c3e3fd403e6f1053284cfa8e73a256ac4af7fd

    • SHA256

      acb1fac4042e427309a0ae8d872d788de9a6033250e28652f98758d43efe2c34

    • SHA512

      755b027a1715a029025862547effbcf30e34792c4c8cb9ba7faa8b8adea66f0cc802f5935efc827af32020ecfd43bf63456301438ff033a8e8d73a6354e9c46e

    • SSDEEP

      3072:4kjA04dDGkJjqKswMPcgj1EA208+fYNaTBvh3t:485KhMkOOAHfEYBvh3t

    • Modifies firewall policy service

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Windows security modification

    • Checks whether UAC is enabled

    • Target

      bass.dll

    • Size

      93KB

    • MD5

      38473d7a84ab44517dec3d9327764cc9

    • SHA1

      3603232bd6b557bf6b3a8b10a8a274162b3e0d7f

    • SHA256

      b4567acb45f3329ba6931c514a0df01386f6f89521cf228735111cea336685c6

    • SHA512

      a22a534ed288d1a2abbed36028586f1ab78f649fadf05aaf81d773614e033a8b6c61855349dac0fa156e21ccfc8b9e2f199e55e9f63adca5f3506d311288bee1

    • SSDEEP

      1536:6PZtcJMOPJkKmCyFomUDmAOLiRGQsgJix3BO5Rp9Wls9artatTNqQ6kjjrTysLRh:m+JtPJdiZft+RG/M3RpKTrQtRqBOrTyk

    Score
    1/10
    • Target

      chatServer.exe

    • Size

      389KB

    • MD5

      eb7319da35fff406c2afd912f8268f4c

    • SHA1

      c910576a71600fda8148b89f04447bbbc3a2d2a5

    • SHA256

      ec318dd5992b4d3f23ffe11c2bdded5fe4d28615dc4750f8faf7afa7aa324322

    • SHA512

      b92864f1b474d21c8de5fe1d28e6858d6ab7e4caa4d025e22c6bebba229cee63d7e4a81f62becf2240427eebfdea594d2904f4f5056e8db9ef866ca09f0e24eb

    • SSDEEP

      6144:xxtikHm/dn3i04xwo27y3N8nfldTRieNmfiXW4YTyjZrACjb12jg02:EkH+IwMg9RieO/+lhjBy12

    Score
    1/10
    • Target

      data/Homepage.url

    • Size

      249B

    • MD5

      450d1c4cd8852d5ffa7f922f6c7cbaa7

    • SHA1

      fe2e5a5447592fd2349fc417584f9ac11795c613

    • SHA256

      b86da025026b626f63cb2d32608c1b905b59496e8c2b30b87eed1e2eaf0eb0b8

    • SHA512

      ca6d51664b9dbcfdc4c7cbf0dcd9278b116958477b3e42046925ecb2630ac897ec52274019bb84b630fd0cfc4684ea0cfbb1bed53ce02db08282054d128a5560

    Score
    6/10
    • Target

      libfaad2.dll

    • Size

      169KB

    • MD5

      fd5abedf547602eaa107ddbeba50cdc7

    • SHA1

      7adbd9cb65605eb3e43afc4c93a2adc025f36342

    • SHA256

      e1fdc49b2a3f23fac94e1a1978f226c8cf7d4d7ca0297745a6d543ab1d53a471

    • SHA512

      bcd1a7069d8728ef5417d23f105963eaadf3ead07ca59bd2d281bdeae559fcef923865d0b26a500a401d290cd8a527dc9c35ebe0033109ced99138e4d0d87417

    • SSDEEP

      3072:4q0lyEEbqWiYKTPgeRiLiXzox75a+yYscJfDQNr4BfD4yrz:GlyEEbd8DgeYi+5HJfOMBfcyrz

    Score
    3/10
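Three of the targets above (the main sample, MP3Source.ax and Uninstall.exe) carry the "UPX packed file" signature, whose description names both stock and modified UPX. As an added example (not the sandbox's detection logic and not UPX's own code), the following Python parses a PE section table directly and reports the three signals a triage script can use: UPX0/UPX1 section names, the "UPX!" marker stock UPX leaves in the file, and the layout clue that survives a renaming packer (a first section with no raw data but a large virtual size). The PE blobs it runs on are constructed header-only images built by the helper at the bottom; they are not the files from this report.

```python
"""Minimal PE section-table parser with the checks behind a "UPX packed file"
verdict. Added example, not the sandbox's signature or UPX's own code."""
import struct

# Stock UPX names its sections UPX0/UPX1 (optionally UPX2 or .rsrc) and leaves
# an "UPX!" marker in the file; a modified UPX commonly renames the sections,
# so the layout heuristic (first section has no raw data) is kept as a third signal.
UPX_SECTION_PREFIX = "UPX"
UPX_MAGIC = b"UPX!"


def pe_sections(data):
    """Return [{'name', 'virtual_size', 'raw_size'}] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 (i.e. e_lfanew + 6 and e_lfanew + 20).
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = table + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
        })
    return sections


def upx_indicators(data):
    """Return (section_names, signals); 'packed' is True when the name or magic check fires."""
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    ind = {
        "upx_section_names": any(n.upper().startswith(UPX_SECTION_PREFIX) for n in names),
        "upx_magic": UPX_MAGIC in data,
        "first_section_no_raw_data": bool(secs) and secs[0]["raw_size"] == 0
        and secs[0]["virtual_size"] > 0,
    }
    ind["packed"] = ind["upx_section_names"] or ind["upx_magic"]
    return names, ind


def build_minimal_pe(sections, trailer=b""):
    """Construct a header-only PE32 image (not runnable) for exercising the parser.
    sections: [(name, virtual_size, raw_size)]."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = b"\x0b\x01" + b"\x00" * (0xE0 - 2)          # PE32 magic, rest zeroed
    table = b""
    for i, (name, vsize, raw_size) in enumerate(sections):
        raw_ptr = 0x400 * (i + 1) if raw_size else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1),
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + optional + table + trailer


# Constructed samples: a stock-UPX layout, a renamed-section layout, and a plain binary.
UPX_SAMPLE = build_minimal_pe([("UPX0", 0x30000, 0), ("UPX1", 0x8000, 0x7E00),
                               (".rsrc", 0x1000, 0x400)], trailer=UPX_MAGIC)
RENAMED_SAMPLE = build_minimal_pe([(".text", 0x30000, 0), (".data", 0x8000, 0x7E00)])
CLEAN_SAMPLE = build_minimal_pe([(".text", 0x5000, 0x5000), (".data", 0x800, 0x200),
                                 (".rsrc", 0x1000, 0x400)])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, *upx_indicators(blob))
```

The renamed sample shows why the layout signal is kept separate from the verdict: it has no UPX names and no marker, so "packed" stays False, but first_section_no_raw_data is True and is the one thing a renaming packer cannot cheaply hide, because the decompression stub still needs a zero-raw-size region to unpack into. Treat it as a reason to look closer, not as a UPX match on its own.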

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique (count)                               ID
Initial Access        Replication Through Removable Media (1)         T1091
Persistence           Create or Modify System Process (2)             T1543
                        Windows Service (2)                           T1543.003
                      Boot or Logon Autostart Execution (1)           T1547
                        Registry Run Keys / Startup Folder (1)        T1547.001
Privilege Escalation  Create or Modify System Process (2)             T1543
                        Windows Service (2)                           T1543.003
                      Abuse Elevation Control Mechanism (2)           T1548
                        Bypass User Account Control (2)               T1548.002
                      Boot or Logon Autostart Execution (1)           T1547
                        Registry Run Keys / Startup Folder (1)        T1547.001
Defense Evasion       Modify Registry (12)                            T1112
                      Impair Defenses (8)                             T1562
                        Disable or Modify Tools (6)                   T1562.001
                        Disable or Modify System Firewall (2)         T1562.004
                      Abuse Elevation Control Mechanism (2)           T1548
                        Bypass User Account Control (2)               T1548.002
Discovery             System Information Discovery (8)                T1082
                      Query Registry (2)                              T1012
                      Peripheral Device Discovery (1)                 T1120
Lateral Movement      Replication Through Removable Media (1)         T1091
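Most of the Defense Evasion, Privilege Escalation and Persistence rows above come from registry writes: the RegEdit and Task Manager policy values, EnableLUA, the firewall profile and SharedAccess service settings, and the Run key on Ares.exe. As an added example (not the sandbox's rules), the following Python runs those checks over constructed Sysmon-style RegistryEvent (Event ID 13) records written as "Image | TargetObject | Details" lines and tallies hits by technique the way the matrix does. The event lines and image paths are constructed, and mapping the SharedAccess Start value to T1543.003 rather than T1562.004 is an assumption (the report lists both).

```python
"""Map registry value writes to the signatures and ATT&CK techniques in this
report. Added example over constructed Sysmon-style events; not the sandbox's
rules."""
import re
from collections import Counter

# (regex on TargetObject, predicate on parsed value, signature name, technique)
# Technique IDs follow the report's matrix; the SharedAccess -> T1543.003
# pairing is an assumption (the report lists both T1543.003 and T1562.004).
RULES = [
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v == 1,
     "Disables RegEdit via registry modification", "T1562.001"),
    (r"\\Policies\\System\\DisableTaskMgr$", lambda v: v == 1,
     "Disables Task Manager via registry modification", "T1562.001"),
    (r"\\Policies\\System\\EnableLUA$", lambda v: v == 0,
     "UAC bypass (prompting disabled)", "T1548.002"),
    (r"\\FirewallPolicy\\(Standard|Domain|Public)Profile\\EnableFirewall$", lambda v: v == 0,
     "Windows security bypass (firewall profile disabled)", "T1562.004"),
    (r"\\Services\\SharedAccess\\Start$", lambda v: v == 4,
     "Modifies firewall policy service", "T1543.003"),
    (r"\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", lambda v: v == 1,
     "Windows security modification", "T1562.001"),
    (r"\\Windows\\CurrentVersion\\Run\\[^\\]+$", lambda v: True,
     "Adds Run key to start application", "T1547.001"),
]

# Constructed Sysmon event 13 style records (Image | TargetObject | Details).
# The hive prefixes (HKU\SID, HKLM) are what Sysmon logs; the SID and paths are made up.
SAMPLE_EVENTS = r"""
# Image | TargetObject | Details
C:\Users\user\sample.exe | HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools | DWORD (0x00000001)
C:\Users\user\sample.exe | HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr | DWORD (0x00000001)
C:\Users\user\sample.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWORD (0x00000000)
C:\Users\user\sample.exe | HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall | DWORD (0x00000000)
C:\Users\user\sample.exe | HKLM\System\CurrentControlSet\Services\SharedAccess\Start | DWORD (0x00000004)
C:\Program Files\Ares\Ares.exe | HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ares | C:\Program Files\Ares\Ares.exe -h
C:\Windows\explorer.exe | HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | DWORD (0x00000002)
C:\Windows\System32\svchost.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWORD (0x00000001)
"""


def parse_details(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; anything else is kept as a string."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else details.strip()


def detect(event_text):
    """Return one hit dict per (event, rule) match; value predicates keep
    benign writes such as EnableLUA=1 out of the result."""
    hits = []
    for line in event_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue
        image, target, details = parts
        value = parse_details(details)
        for pattern, matches, signature, technique in RULES:
            if re.search(pattern, target, re.IGNORECASE) and matches(value):
                hits.append({"image": image, "key": target, "value": value,
                             "signature": signature, "technique": technique})
    return hits


def by_technique(hits):
    """Tally hits per technique ID, the same shape as the matrix above."""
    return Counter(h["technique"] for h in hits)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h["technique"], h["signature"], "<-", h["image"])
    print(dict(by_technique(found)))
```

The predicates carry the security meaning: EnableLUA=1, written here by svchost.exe, is the default and must not fire, while EnableLUA=0 from the sample is the UAC bypass. Matching on the tail of TargetObject rather than a fixed hive path is deliberate, since the same policy values appear under HKLM and under each user's HKU\SID hive.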
