e78273f745eede53191fd0deb4ad4a9c7d4da48fe6f60de49d4dfa4b7607d9af

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
Size

98KB
MD5

38bb1e4a0c8201790ef1a52deb037c3c
SHA1

202d90b7f01e6d58c6c06ad9c0b209230731857c
SHA256

e78273f745eede53191fd0deb4ad4a9c7d4da48fe6f60de49d4dfa4b7607d9af
SHA512

a8502fcbdd486b088d2c487704474f0124da21c6d11c8df9807ca16e240dd5812766ca39163a70e97d58284d7333516149f5be949a4d866ba59a1bb24a4b11dd
SSDEEP

3072:GKlu1kKu1kGzyVeaTa1q9Zlz9z5EP2DRTFI1:NEO9uIBILFU4m1

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SwPrn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mjcgth.fvg"	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SwPrn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mjcgth.fvg"	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET003\Services\SwPrn\Parameters\ServiceDll = "%SystemRoot%\\System32\\mjcgth.fvg"	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2620	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
2620	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\00052918.sys	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mjcgth.fvg	38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38bb1e4a0c8201790ef1a52deb037c3c_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost -k SwPrn
1⤵
- Deletes itself
- Loads dropped DLL
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mjcgth.fvg

Filesize
118KB

MD5
4f7779603d968159c23a199d6134295c

SHA1
a44b0d3bc5d220f271fbc538dbadca7b85179b5a

SHA256
4a26e2b46328f26c9b174c495114acd6256d3297647fb53a1b462e25bae99cf2

SHA512
1a69241adb94eb57bf46a79419ac49b8f8f84a0b6f3375b00687c2af28239edc4aa3032c610684460b2935a3fa7d9d7add97837a63cbfb49d691c356d1ad1b2d

Download Submit
memory/2452-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2452-6-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2452-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2452-10-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/2620-11-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download