4b9c0e698be5581dfa8b82c2de222bb6aac4e5fcd9ab62182fa70cbe59a2c87d

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
Size

61KB
MD5

36c352fa046d57d6bb5e9f23ec5ac188
SHA1

5f98252fb8b287b05cb4056b52a97562d193b151
SHA256

4b9c0e698be5581dfa8b82c2de222bb6aac4e5fcd9ab62182fa70cbe59a2c87d
SHA512

b00d465cd02181fe983d847c4638636ea84363466c4ad889731770d826a0928a325737d4e0a94b2b479a7f4cb68b87fa976c8300ed90c487dc827f7fe4b459dc
SSDEEP

768:DKm6+x8uWxclxwzZb001Kd1NELgsaUhi3gAjsJl62TSqbzoyCcAWz/3Qjc3XNJ9y:jqutwzJ1KbNEUOOgVFSqQjToNvy

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gymwpw\Parameters\ServiceDll = "%SystemRoot%\\System32\\ifgbxi.dll"	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\gymwpw\Parameters\ServiceDll = "%SystemRoot%\\System32\\ifgbxi.dll"	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\gymwpw\Parameters\ServiceDll = "%SystemRoot%\\System32\\ifgbxi.dll"	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2176	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1488	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
2176	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0003d96d.001	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ifgbxi.dll	36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36c352fa046d57d6bb5e9f23ec5ac188_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k gymwpw
1⤵
- Deletes itself
- Loads dropped DLL
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ifgbxi.dll

Filesize
89KB

MD5
895515c60e7c219be8ebe52e33016982

SHA1
11dbf4cbba35c28d207a675af9bdeb112c78a884

SHA256
95d2a1d0e44211b56e4e660d113d79f46ef16cd364ba7b296fa48d68e8c88420

SHA512
bfa927ef9dc3a18c01dd3ab824649b0192fd0585c9442403b9bf690450455b082b8eb4c637fe0a55a3cded94b73a5f35ac805d4416319a6a580387910c5e7ec9

Download Submit
memory/1488-1-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download