8088f9cca57ed2d9577e44a19daee688b8db584f397e517eccad527964ed37ad

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe
Size

284KB
MD5

2a5b5905f3b469858ca22a24669dae2d
SHA1

44cadc7d9f60ac09c29b131562ba87c96723705e
SHA256

8088f9cca57ed2d9577e44a19daee688b8db584f397e517eccad527964ed37ad
SHA512

4014f32e606b68e4a9b0c11cf910d597bd59462303981cde6c53d67e7ebd51165b2fcc851ab7f7fff4b995f0a89935a1002e0f2b26742a38451afb8f5a54fa13
SSDEEP

6144:3Y5j7m3ywtKDBTcwkBYK5Tz77uCYXilJbg5O5/9W:acAB8YK5/7+XST5l

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	3bdf3dc2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	3bdf3dc2.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022f55-3.dat	aspack_v212_v242
behavioral2/files/0x00070000000234ab-10.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1512	3bdf3dc2.exe

Loads dropped DLL 12 IoCs

pid	Process
2980	svchost.exe
3964	svchost.exe
5060	svchost.exe
2260	svchost.exe
2828	svchost.exe
4468	svchost.exe
4836	svchost.exe
3464	svchost.exe
1780	svchost.exe
3672	svchost.exe
2564	svchost.exe
4820	svchost.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4888-0-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/files/0x0006000000022f55-3.dat	upx
behavioral2/memory/1512-5-0x0000000000380000-0x00000000003CD000-memory.dmp	upx
behavioral2/memory/1512-7-0x0000000000380000-0x00000000003CD000-memory.dmp	upx
behavioral2/memory/1512-6-0x0000000000380000-0x00000000003CD000-memory.dmp	upx
behavioral2/files/0x00070000000234ab-10.dat	upx
behavioral2/memory/2980-13-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2980-12-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2980-14-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3964-21-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3964-20-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3964-19-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/5060-27-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/5060-28-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/5060-26-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/1512-30-0x0000000000380000-0x00000000003CD000-memory.dmp	upx
behavioral2/memory/2260-36-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2260-35-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2260-34-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2828-44-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4888-43-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/2828-41-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/2828-42-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4468-50-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4468-53-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4468-49-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4836-59-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4836-57-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/4836-58-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3464-64-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3464-67-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/3464-65-0x00000000751D0000-0x000000007521D000-memory.dmp	upx
behavioral2/memory/1780-74-0x0000000074480000-0x00000000744CD000-memory.dmp	upx
behavioral2/memory/1780-73-0x0000000074480000-0x00000000744CD000-memory.dmp	upx
behavioral2/memory/1780-72-0x0000000074480000-0x00000000744CD000-memory.dmp	upx
behavioral2/memory/4888-76-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/3672-80-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/3672-82-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/3672-84-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/3672-81-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/2564-88-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/2564-91-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/2564-89-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/4820-97-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/4820-96-0x0000000075470000-0x00000000754BD000-memory.dmp	upx
behavioral2/memory/4820-99-0x0000000075470000-0x00000000754BD000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	3bdf3dc2.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	3bdf3dc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	3bdf3dc2.exe
1512	3bdf3dc2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1512	4888	2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe	83
PID 4888 wrote to memory of 1512	4888	2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe	83
PID 4888 wrote to memory of 1512	4888	2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a5b5905f3b469858ca22a24669dae2d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\3bdf3dc2.exe
  C:\3bdf3dc2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:2980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:3964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:5060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:2260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:4468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:4836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:3464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:3672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:2564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3bdf3dc2.exe

Filesize
236KB

MD5
22e73bf9421710e8f195def8680ec1ac

SHA1
85a1e0b8018126350886b874177bba9100dcdf14

SHA256
f6758310a644e67bd34ca9ef29df9a362934e2d5006d3084f873ddb835fcfe79

SHA512
eadb9310acca858f0c2224810b41f64e4b253a42c80518381b5d46f1de740c1b1fd744f2b96a2dec1a76e993b507a6073744d50c063f2b4fae37acdb6deb0139

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
236KB

MD5
54de69bece2e3b245341a0ce56d81c47

SHA1
9ba178a96e0a21bb197804866b5dd29c5e3e0f4a

SHA256
cee3efb1cade126196e6bec7a71ce1e91d382a8177b4606de4fa63807f20651b

SHA512
80fd1f2fc446d2f73ab15e62bac360b0488b3eb6e510a039d523b571e4668579a9e2b5772b565690ec5d40dd49925281669b043de22036548128619a9ea92a90

Download Submit
memory/1512-30-0x0000000000380000-0x00000000003CD000-memory.dmp

Filesize
308KB

Download
memory/1512-5-0x0000000000380000-0x00000000003CD000-memory.dmp

Filesize
308KB

Download
memory/1512-7-0x0000000000380000-0x00000000003CD000-memory.dmp

Filesize
308KB

Download
memory/1512-6-0x0000000000380000-0x00000000003CD000-memory.dmp

Filesize
308KB

Download
memory/1780-72-0x0000000074480000-0x00000000744CD000-memory.dmp

Filesize
308KB

Download
memory/1780-73-0x0000000074480000-0x00000000744CD000-memory.dmp

Filesize
308KB

Download
memory/1780-74-0x0000000074480000-0x00000000744CD000-memory.dmp

Filesize
308KB

Download
memory/2260-34-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2260-35-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2260-36-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2564-91-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/2564-88-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/2564-89-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/2828-42-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2828-44-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2828-41-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2980-13-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2980-12-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/2980-14-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3464-64-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3464-65-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3464-67-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3672-82-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/3672-81-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/3672-84-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/3672-80-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/3964-21-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3964-19-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/3964-20-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4468-53-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4468-50-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4468-49-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4820-99-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/4820-97-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/4820-96-0x0000000075470000-0x00000000754BD000-memory.dmp

Filesize
308KB

Download
memory/4836-58-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4836-57-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4836-59-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/4888-76-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4888-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4888-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5060-27-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/5060-28-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download
memory/5060-26-0x00000000751D0000-0x000000007521D000-memory.dmp

Filesize
308KB

Download