2455a5d1805bbb019ca88c93a8f8a099a42e552528619a51d3eebe06684237b1

General

Target

20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Size

183KB
MD5

20d3fdf6c84e22fa3a41a9b53820ba61
SHA1

86f220a6b048ea3fb4bdd10c8a8aca7c8e320682
SHA256

2455a5d1805bbb019ca88c93a8f8a099a42e552528619a51d3eebe06684237b1
SHA512

e2bdf06db24f9021931a470cd98019161368024d6c9e616d639edc261b3d601c0c917f22a045ed3bf0d0c07f80fab266bb1a34b7a2815e2cb9917408176fa694
SSDEEP

3072:83GCZi+u93NyBNr9hoOVGToadTutNaubNVFywb9Ve4kZJcMKQv+C25MOLdUr9hoO:Zv4o/ToUatsubNawb9VOExRCiMOEo

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe

Loads dropped DLL 36 IoCs

pid	Process
440	svchost.exe
440	svchost.exe
440	svchost.exe
3732	svchost.exe
3732	svchost.exe
3732	svchost.exe
432	svchost.exe
432	svchost.exe
432	svchost.exe
4976	svchost.exe
4976	svchost.exe
4976	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1084	svchost.exe
1084	svchost.exe
1084	svchost.exe
4296	svchost.exe
4296	svchost.exe
4296	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4092	svchost.exe
4092	svchost.exe
4092	svchost.exe
3436	svchost.exe
3436	svchost.exe
3436	svchost.exe
5104	svchost.exe
5104	svchost.exe
5104	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
456	20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20d3fdf6c84e22fa3a41a9b53820ba61_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:3732

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:4976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:1212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:1084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:4296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:4364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:4092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:3436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
183KB

MD5
0aa91ae6100e2051748dc95413ed3f99

SHA1
e463db0057764360c6b78ff365fa4d5fe0564f8c

SHA256
0cfb2b54f4d293c6791eef025f4c014716d2e5c2688a1c5dbb834e87e5e17647

SHA512
0595d57236beca321061aef593923ef892150e4a720591073d43e3219af1e0ba597897d09e2c75ea3bec043c4b0b7192bac66a1e1fa1868657acf7aa20359db0

Download Submit
memory/440-5-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/440-8-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/456-0-0x0000000000B30000-0x0000000000B52000-memory.dmp

Filesize
136KB

Download
memory/456-20-0x0000000000B30000-0x0000000000B52000-memory.dmp

Filesize
136KB

Download
memory/1084-39-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/1084-41-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/1084-40-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/3732-14-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download
memory/3732-13-0x0000000074E30000-0x0000000074E52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing