e5e57032899d87a8bb9d384af7cce4b94f5ae6b6c9dd3edbe0039e6dc2747156

General

Target

1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Size

139KB
MD5

1b91ad79df5e8c980e1e96e600578907
SHA1

746c2f97ae08d2410828c0f020113309fface45e
SHA256

e5e57032899d87a8bb9d384af7cce4b94f5ae6b6c9dd3edbe0039e6dc2747156
SHA512

fc14ea7127f81ec9dfe8382febb28c7c0dc537af3c04acd8ab8d4b165e1619a2426d0eae7ca9b2e4ce5d23e4e4d8866ff557d27f6c959a071568b94db71de971
SSDEEP

3072:zH+Mcv5JXXieDEvy1W7rkD+bnAIhRjaNK:zHl0ndEqgkCAaRGk

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe

Loads dropped DLL 39 IoCs

pid	Process
3920	svchost.exe
3920	svchost.exe
3920	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe
4180	svchost.exe
4180	svchost.exe
4180	svchost.exe
4356	svchost.exe
4356	svchost.exe
4356	svchost.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
388	svchost.exe
388	svchost.exe
388	svchost.exe
2456	svchost.exe
2456	svchost.exe
2456	svchost.exe
4200	svchost.exe
4200	svchost.exe
4200	svchost.exe
4260	svchost.exe
4260	svchost.exe
4260	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
1044	1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b91ad79df5e8c980e1e96e600578907_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:3480

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:2408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:1340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:1684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:4180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:4356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:1012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:3352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:2456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4200

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
139KB

MD5
33cabec51e5263e4ba9bd1ef036f73e5

SHA1
f8c5b2cda788579089bf9915f40297f34b304c0f

SHA256
94b3ecbe9eae95a52415a404fa16a7322ab4eaf267e72a7d4b4bbd862dc4e2e6

SHA512
c6972755ada90472dcd16272dcda811a2b07d614984885b416814b6293ab4e620a4d9c6d1a466f2c4f488752f0cf315d829471dfabddd147d88e54a9fccd913f

Download Submit
memory/1044-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-29-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-27-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2408-22-0x0000000000BF0000-0x0000000000C13000-memory.dmp

Filesize
140KB

Download
memory/2408-21-0x0000000000BF0000-0x0000000000C13000-memory.dmp

Filesize
140KB

Download
memory/2408-20-0x0000000000BF0000-0x0000000000C13000-memory.dmp

Filesize
140KB

Download
memory/2408-19-0x0000000000BF0000-0x0000000000C13000-memory.dmp

Filesize
140KB

Download
memory/2408-18-0x0000000000BF0000-0x0000000000C13000-memory.dmp

Filesize
140KB

Download
memory/3920-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3920-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3920-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing