b6a0f7857e82a7c58c8ce2d25f24f3d7e2773d503de56d1bc24a621cce7aa988

General

Target

09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Size

317KB
MD5

09f0f16d1768d86dede4da6da063e765
SHA1

4d0b748eda462f91844bfb7ad6e509a4030cbb96
SHA256

b6a0f7857e82a7c58c8ce2d25f24f3d7e2773d503de56d1bc24a621cce7aa988
SHA512

de82a557c5c44559bdb96d466fb58e3da88cf771b3c47b722405bcfced07025a6f1617700a96571ead3c5681fb709fb796f36022b7b816b23d53c1048ec18f02
SSDEEP

6144:2yHzI4guBgjCvJwPNtkdtRSO4Z0zFQrwtQHxw9sym:Rg2g6J6NO4O4UFQHHxLym

Score

8^/10

persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe

Loads dropped DLL 12 IoCs

pid	Process
1708	svchost.exe
2764	svchost.exe
2780	svchost.exe
2468	svchost.exe
2692	svchost.exe
2732	svchost.exe
2868	svchost.exe
1824	svchost.exe
1880	svchost.exe
1664	svchost.exe
2472	svchost.exe
2224	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000390000-0x00000000003DD000-memory.dmp	upx
behavioral1/memory/1708-6-0x00000000751A0000-0x00000000751ED000-memory.dmp	upx
behavioral1/files/0x0009000000015018-5.dat	upx
behavioral1/memory/2764-11-0x0000000074C50000-0x0000000074C9D000-memory.dmp	upx
behavioral1/memory/2692-21-0x00000000751A0000-0x00000000751ED000-memory.dmp	upx
behavioral1/memory/2732-25-0x00000000751A0000-0x00000000751ED000-memory.dmp	upx
behavioral1/memory/2224-45-0x00000000751A0000-0x00000000751ED000-memory.dmp	upx
behavioral1/memory/3048-46-0x0000000000390000-0x00000000003DD000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09f0f16d1768d86dede4da6da063e765_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1880

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
317KB

MD5
73b2096b1fefc95cb1488cc9936bf890

SHA1
d5cd560f8d0f05523e7e5ee19d89127fbb752211

SHA256
95dd6a0159755172540e3989d0adff5783b19619500e031cb27437e66f2805bb

SHA512
65eb0c2baba45329e1d2458867b431154974f6aabde04067c9fde216076f0d0a9fe98924de218a81d29b9ed019d2bddfcd01fd78b774f228203ba8ef581e9513

Download Submit
memory/1708-6-0x00000000751A0000-0x00000000751ED000-memory.dmp

Filesize
308KB

Download
memory/2224-45-0x00000000751A0000-0x00000000751ED000-memory.dmp

Filesize
308KB

Download
memory/2692-21-0x00000000751A0000-0x00000000751ED000-memory.dmp

Filesize
308KB

Download
memory/2732-25-0x00000000751A0000-0x00000000751ED000-memory.dmp

Filesize
308KB

Download
memory/2764-11-0x0000000074C50000-0x0000000074C9D000-memory.dmp

Filesize
308KB

Download
memory/3048-0-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download
memory/3048-1-0x0000000000080000-0x00000000000CD000-memory.dmp

Filesize
308KB

Download
memory/3048-46-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing