a84cc849c5d3fe3d666143b2786df3b51de9c50e9f9d803e71f18f380ed3c4bc

General

Target

2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Size

126KB
MD5

2f5009a385b3c87156e2372fcc834242
SHA1

2551e460d87e884f3e32bc81d07edf0d7350f2db
SHA256

a84cc849c5d3fe3d666143b2786df3b51de9c50e9f9d803e71f18f380ed3c4bc
SHA512

684bfa168edbb9b10fd78693b923d71c3080df921e4dec9dc0eae249c953c6229f7649369bdf8a706f33dcfc9d0d5abdff9645a9385edc9b389d8e1928dab62e
SSDEEP

1536:QZN3pOTDnWqwEpkYdZFoVP5mv+DiED8LE/Ln8D04cXQZqTERGtbxSUg7cWKiU:QHITDWqwExCk+DVF/L844cgcTok9g7W

Score

8^/10

persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2044-0-0x0000000000180000-0x00000000001A4000-memory.dmp	upx
behavioral2/files/0x000700000002346f-9.dat	upx
behavioral2/memory/2044-19-0x0000000000180000-0x00000000001A4000-memory.dmp	upx

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\0B090D8C.tmp	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
2044	2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nla.dll

Filesize
126KB

MD5
4e3514d1e271a60a24f9785c3cbcd279

SHA1
fb86fa75768d677a307da6aeaf2578020a4c2b66

SHA256
7328bc89b607593d82467754675b32e71eecd80f2cbbe38dc522706500a3d5fb

SHA512
5cdb26adfe3be0c48ebfa57425f015a06c31d58fd2c8a354a26768a8a037f51041c1391acd945e5b9a7b3ddeef8b1003e4b7252880601244b5cc1f4af158d6df

Download Submit
memory/2044-0-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/2044-5-0x0000000077272000-0x0000000077273000-memory.dmp

Filesize
4KB

Download
memory/2044-6-0x00000000761FC000-0x00000000761FD000-memory.dmp

Filesize
4KB

Download
memory/2044-19-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing