a4c25d6e410f58b7e22bb8ea94440d998419a1c1b4a45688537da091ba26cf0b

General

Target

0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
Size

372KB
MD5

0e732bd532da07da61378bdb1c2a848d
SHA1

1f733661f54490c0da4a6fc0336a14c3eda751e5
SHA256

a4c25d6e410f58b7e22bb8ea94440d998419a1c1b4a45688537da091ba26cf0b
SHA512

d074f758053cab55d6cdd8ba9e0a64e1356f3ceb6f16797613011a91ab7745b1596ff158bb3e7fa6949f3b29bac339d2387f23dec4df0c261ab6c89c78e94154
SSDEEP

6144:9EF2idZecnl20lHRxp3g1ncduD7yB9VCO6Sco4q8+dE6CqI2CRqgHV/V0hEK:9EF3Z4mxxaDqVTVOCM/e

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Workstain\Parameters\ServiceDll = "%SystemRoot%\\System32\\Workstain.dll"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2752	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
2752	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Workstain.dll	0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2752	svchost.exe
2752	svchost.exe
2752	svchost.exe

C:\Users\Admin\AppData\Local\Temp\0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e732bd532da07da61378bdb1c2a848d_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:3056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Workstain
1⤵
- Server Software Component: Terminal Services DLL
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Workstain.dll

Filesize
87KB

MD5
e98bd4ec1ea2491e87fc075d6ee50566

SHA1
eb8b40007be4920cb1be09f4d098110d86d4b8e7

SHA256
87c9a1e7a7c96e04875321c4e9bc67fe94902636c6b251daecb2af260c7a7b2e

SHA512
ba94f30594075a806724ba8b486fa22551479c8b1258a1e813025609a35a83789011b1ce849dc931e821ff98722e78ea5e8d24409ad9ac263af757d609594e81

Download Submit
memory/3056-18-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3056-36-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/3056-35-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/3056-34-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/3056-33-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3056-32-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3056-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3056-29-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/3056-27-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/3056-26-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3056-25-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3056-24-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3056-23-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3056-22-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3056-21-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3056-20-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000001C00000-0x0000000001C54000-memory.dmp

Filesize
336KB

Download
memory/3056-19-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3056-7-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/3056-16-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3056-15-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/3056-14-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3056-13-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/3056-12-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3056-10-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/3056-9-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/3056-8-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3056-17-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3056-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3056-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3056-4-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/3056-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3056-41-0x0000000001C00000-0x0000000001C54000-memory.dmp

Filesize
336KB

Download
memory/3056-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing