ee8a64bd6a4006e9b567635a4f3bf1bc5f4dbd17db09167a20741965c3a2e01e

General

Target

31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Size

80KB
MD5

31001c0b3294f2c79e837b414f1a2692
SHA1

aecc35b151ae805431133ef465537ba05d27a807
SHA256

ee8a64bd6a4006e9b567635a4f3bf1bc5f4dbd17db09167a20741965c3a2e01e
SHA512

e60559a3525e4631ed735ab401b554da5910ca29fcaa203cb84837cdc38e64eb1352687eb586f10ee2f9b67c97642993f65863e7fd1c8aabc3e296c9bfe31bc4
SSDEEP

1536:vvz1Q27x4i3zY/Zv5BlEStr91keFQFxyYj9mPppocy:vvx7G+zoZvNEkrOxyYj9BP

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe

Loads dropped DLL 24 IoCs

pid	Process
1952	svchost.exe
1952	svchost.exe
2356	svchost.exe
2356	svchost.exe
2692	svchost.exe
2692	svchost.exe
2924	svchost.exe
2924	svchost.exe
2572	svchost.exe
2572	svchost.exe
3032	svchost.exe
3032	svchost.exe
1628	svchost.exe
1628	svchost.exe
2444	svchost.exe
2444	svchost.exe
2756	svchost.exe
2756	svchost.exe
2884	svchost.exe
2884	svchost.exe
2864	svchost.exe
2864	svchost.exe
2108	svchost.exe
2108	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31001c0b3294f2c79e837b414f1a2692_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:3032

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2444

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
80KB

MD5
8e0ec0e8732cc36927f1f3efb2e941b6

SHA1
eed568c9b9a491109de09cd58ea257186b5a3d47

SHA256
b5e81fd07e16c2032ed8ba259d90ffa6d5ec4e4de792a1f38bd7b1abcdbb52e5

SHA512
1cdb57549afcd0890e9622f5b29694f7c7ac11ca902c980ad9375d46b77216ef080c338bb5f91dcc4e121aadc50bb23d3a7bd570d318be091f3fa188600b8c37

Download Submit
memory/1628-44-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/1760-23-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1760-0-0x0000000000F60000-0x0000000000F80000-memory.dmp

Filesize
128KB

Download
memory/1760-1-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1760-2-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1760-4-0x0000000000F7F000-0x0000000000F80000-memory.dmp

Filesize
4KB

Download
memory/1760-17-0x0000000000F60000-0x0000000000F80000-memory.dmp

Filesize
128KB

Download
memory/1952-9-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2356-16-0x0000000074610000-0x0000000074630000-memory.dmp

Filesize
128KB

Download
memory/2356-14-0x0000000074630000-0x0000000074650000-memory.dmp

Filesize
128KB

Download
memory/2444-52-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2572-34-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2572-35-0x0000000074B50000-0x0000000074B70000-memory.dmp

Filesize
128KB

Download
memory/2692-22-0x0000000074B50000-0x0000000074B70000-memory.dmp

Filesize
128KB

Download
memory/2756-58-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2864-68-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2884-62-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/2924-28-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download
memory/3032-39-0x0000000074B70000-0x0000000074B90000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing