5ff8ce8a13569e0d137148cfa98bf21f89f5414021b6934d46b5368da0000285

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
Size

59KB
MD5

331b1c5a4967e61aafefd2cb3719e8c1
SHA1

64062b0adf64e7be4a3d600857cbaa2f45d1d814
SHA256

5ff8ce8a13569e0d137148cfa98bf21f89f5414021b6934d46b5368da0000285
SHA512

dde94b1ffd3b86930b600f9a5b546344672fef3fc3c88d9974fd5f25f89d13c93e2610687ca33d91578dd5c66b2ba7a01b2309fc99e8b1e76340b9315e1424c5
SSDEEP

768:k9uvKRIrxcKOAgkQ74QVzxftX9m26PWY2L3U0povNI7ZANh9RBf9Z31KBu/11jHv:rzH8xzxtOWYx0po46XjBFCC4tGQNK

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebCalent\Parameters\ServiceDll = "%SystemRoot%\\System32\\dipgqt.dll"	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WebCalent\Parameters\ServiceDll = "%SystemRoot%\\System32\\dipgqt.dll"	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\WebCalent\Parameters\ServiceDll = "%SystemRoot%\\System32\\dipgqt.dll"	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
4804	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
1240	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ 4f163.inf	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dipgqt.dll	331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\331b1c5a4967e61aafefd2cb3719e8c1_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:4804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WebCalent
1⤵
- Loads dropped DLL
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dipgqt.dll

Filesize
88KB

MD5
04e205fac132d5c6ba56c9605c0985d8

SHA1
9f0a1425e656974b87ab16b5ecd484cb62243953

SHA256
b88ff6135e9309f81fc86e8be66ac24a3fa9f2ba992146a5ee62014cdbb90eff

SHA512
f2089dadf584550d735b859aff8a835d554e70ca57216d908c5755edf01718fa7c09fa04cbe0869615fa6c6b8dc2311aff785b2a9780822e6d9d4003f74e6d9f

Download Submit