d55ae490597cd7f103cea4ae9ccf1e6f2bf96881daa37756711517ecd556b27f

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 12:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
Size

299KB
MD5

0e0be8f0d8c6caf01699186c20c9ece8
SHA1

04f14aeb077e51338c4b50f3cfd0a6941e1bcd10
SHA256

d55ae490597cd7f103cea4ae9ccf1e6f2bf96881daa37756711517ecd556b27f
SHA512

e8cf69713e6e18076be62b0a4f56667915d099d6ee2118478388ac4b109e226102d5436639bcf598da8eb1ee6e84e26ac99f421fdc9550d47223cae6867b4716
SSDEEP

6144:3/V7nDZULcHBs+gG6UI545uUmjAgsvOzkemeW4J73QALCsbibCL:3N7DZ5PgG85459WvCx+gALUbC

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Acces\Parameters\ServiceDll = "C:\\Windows\\system32\\rpcdll32.dll"	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3812	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rpcdll32.exe	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rpcdll32.dll	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rpcdll32.dat	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rpcdll32.dat	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rpcdll32.exe	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
3620	0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e0be8f0d8c6caf01699186c20c9ece8_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rpcdll32.dat

Filesize
234B

MD5
a94ce31b1d7d0d81324b2e9bedb60afc

SHA1
58a822075be892f4cc6d916dae21d2e7eb36e31e

SHA256
d576aaa659d184d5a315ff868cba4b134875f265aef9060d41608a0adc62bd1a

SHA512
4211a35e9195220d7c76841681e92c033550f26db7d26acf8f24c596962721377a5e7eab65deb090525b4528f177bd00bc874c27022ca7e7c802e1837e629faf

Download Submit
\??\c:\windows\SysWOW64\rpcdll32.dll

Filesize
331KB

MD5
d8be9d0b71a346531ba892d6ad5ff573

SHA1
bf92cf67b4d2708b861d433723bc8f560d15de0d

SHA256
d1b8a90c26dd43483c3304a07c37706e26e7a1f036f3c868e98069e268fa52bd

SHA512
34af5ba7de0965a173fc353e59807b538e45dae509aa569dcf1374973bc140655370a7b3a8c3b52dce6fc06cf75b5183d872e9840184a723da2aaf226ad400b6

Download Submit
memory/3620-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3620-1-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3620-4-0x000000000047A000-0x000000000047B000-memory.dmp

Filesize
4KB

Download
memory/3620-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3620-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3812-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-13-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3812-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download