f27d941a91c3c809a07aa6d3312a3ff98370ff2286ed9141ae71fab8a0b581c8

General

Target

34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
Size

408KB
MD5

34c7259db30d7a03d2e33ba8d7f915c6
SHA1

a54336f8ccc4fa0f74d46a25cd587dde8e40f18a
SHA256

f27d941a91c3c809a07aa6d3312a3ff98370ff2286ed9141ae71fab8a0b581c8
SHA512

a5ae1bc351aafdd24bb1b3e5c21b07128381b076f9bbb864e7106c3379969fbb107d8754e0e950f17eb81a4dc751c20eef7789d962e0c91c3ed0325404110526
SSDEEP

6144:23e9whpxK+1bAo0xGvF2idZecnl20lHRxp3galk9ihl0/srEQpPK+e1FtEuxF+Uh:23Y+1MoZF3Z4mxx1oEtlK+kt9T2M7

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"	PCÃâ·Ñ°æ.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"	PCÃâ·Ñ°æ.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\WINS\Parameters\ServiceDll = "%SystemRoot%\\System32\\eefueh.dll"	PCÃâ·Ñ°æ.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	PCÃâ·Ñ°æ.exe

Loads dropped DLL 4 IoCs

pid	Process
1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
2772	PCÃâ·Ñ°æ.exe
3020	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0003d656.ini	PCÃâ·Ñ°æ.exe
File created	C:\Windows\SysWOW64\eefueh.dll	PCÃâ·Ñ°æ.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2772	1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2772	1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2772	1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2772	1732	34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34c7259db30d7a03d2e33ba8d7f915c6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WINS
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\PCÃâ·Ñ°æ.exe

Filesize
59KB

MD5
e02d478a305449ed4280b0b6d2d402dd

SHA1
9d7e580d64271d4a3c3e8ab4ca27f02da2ab8700

SHA256
224d0b1a071c19ce46a50ca11f53b44fa7023621903b7ba71edb3acbf49ed510

SHA512
f786c638b16a7edc3d0894a1961ad2e04e1af59acc0913e9c2df198915e645e07ecc3818b5fbf11aad8321d3fc109b542a21355cbf5225946716313eb120fc69

Download Submit
\Windows\SysWOW64\eefueh.dll

Filesize
89KB

MD5
7f8fdac62c2de4ab0f70a6d598a0afee

SHA1
0b4e6377efb0ca17279bd16e78dd85cd266da8f0

SHA256
ad4cc4817d1f5a9a049cb13d49a87d427df5762791223eebecb1a4a365af29d1

SHA512
a0e0686e55c1230d6241d04876bb4c2ba33ed033893008cc9e6e404e7d2999d8964c8c434502005f9413938e9c092aefec41666faa587ae9eff45c81688f73c1

Download Submit
memory/1732-13-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1732-23-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1732-22-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1732-11-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1732-20-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1732-19-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1732-18-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1732-17-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1732-16-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1732-15-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1732-14-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1732-24-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/1732-21-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1732-10-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1732-9-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/1732-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1732-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1732-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1732-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1732-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1732-12-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1732-25-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1732-0-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download
memory/1732-43-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download
memory/1732-44-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads