cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe
Size

36KB
MD5

210818c3fc3461d81d5d9f6272e16c4a
SHA1

a13224aa7fb03e8d4f55709d8bb063e23ff52fc9
SHA256

cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9
SHA512

09049e18c9b8f6e38ae1f5c879a7c87c9497b14c8799e642983525de79d099f72a2871ecd3228cb9a2d34a7f35e9ec76e71cbc7523087a55dd8aa7e2b0a15b0a
SSDEEP

384:f7ZRiVisM3Kvv41+ofl1qRMQcYm4E1HK0sz2F2aT7ZIQqXfBW3x:f78isMavAEof7quQcfH7szozfCQqP8x

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPSEO\Parameters\ServiceDll = "C:\\Windows\\system32\\ipse0.dll"	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1344	Del8D90.tmp

Executes dropped EXE 1 IoCs

pid	Process
1344	Del8D90.tmp

Loads dropped DLL 1 IoCs

pid	Process
2136	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipse60.dll	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ipse60.dll	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipse0.dll	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ipse0.dll	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	svchost.exe
2136	svchost.exe
2136	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1344	2232	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe	29
PID 2232 wrote to memory of 1344	2232	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe	29
PID 2232 wrote to memory of 1344	2232	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe	29
PID 2232 wrote to memory of 1344	2232	210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\Del8D90.tmp
  C:\Users\Admin\AppData\Local\Temp\Del8D90.tmp 176 "C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k IPSEO
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del8D90.tmp

Filesize
36KB

MD5
210818c3fc3461d81d5d9f6272e16c4a

SHA1
a13224aa7fb03e8d4f55709d8bb063e23ff52fc9

SHA256
cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9

SHA512
09049e18c9b8f6e38ae1f5c879a7c87c9497b14c8799e642983525de79d099f72a2871ecd3228cb9a2d34a7f35e9ec76e71cbc7523087a55dd8aa7e2b0a15b0a

Download Submit
\??\c:\windows\SysWOW64\ipse0.dll

Filesize
6KB

MD5
75150ecf39e0d2f173cc055745739b84

SHA1
f23515280c404d4996a88bfeec45ee030ae79a58

SHA256
63bfd35e51164acf1f75ffd6edddf6dac79932587b4da50f93a873228c608e30

SHA512
5ab42b512cd525725a53c4863d32307ffe550f113bb04b4ed414eea21be3f0f897e01bc0782411b143e31384951ee211fc3bb390afc940f27a52b56071ea616e

Download Submit