d7bfb349b668c4ddb15b75b6f1d24c029c87bcd76538fd6080349a8d73c80134

General

Target

4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
Size

852KB
MD5

4730287a3d51e2a4da07c41338ca9898
SHA1

0c1fcb7430fafa0fe5eb8024e9d71559133c9746
SHA256

d7bfb349b668c4ddb15b75b6f1d24c029c87bcd76538fd6080349a8d73c80134
SHA512

0c45222f83c4c8910477ec322d72dd3fff12c0c555cafc0f8c100fd400e3bd8c35cb5f5170e57836de403286ce50b693fda56c4b078635977318f3ae9bcdd997
SSDEEP

12288:JUIt/dPJ0HTwlYkxd7S6RiisSYQOGyKTWszZ4c4k4NXYuxz6lMXydL/iDsao:JUo/ywlY+O61sL2zTWO4c4k4NXhKX2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\QCUGFPZGRAMUE.DAT	regsvr32.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\QCUGFPZGRAMUE.DAT	regsvr32.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\QCUGFPZGRAMUE.DAT	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QEAPOYU\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll"	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\e0J0aDy.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\e0J0aDy.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\e0J0aDy.dll	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\SDOVUIXNSJJ.DLL	regsvr32.exe
File created	C:\windows\JWLVTHZYEIV.DLL	regsvr32.exe
File opened for modification	C:\windows\SDOVUIXNSJJ.DLL	regsvr32.exe
File created	C:\windows\ECAVLXVNIPYER.AAB	regsvr32.exe
File opened for modification	C:\windows\SDOVUIXNSJJ.DLL	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30
PID 2820 wrote to memory of 2616	2820	regsvr32.exe	30

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
  2⤵
  - Drops file in Drivers directory
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k APDCCXXF
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\drivers\QCUGFPZGRAMUE.DAT

Filesize
11KB

MD5
c70560817899842943100a55d8e04385

SHA1
433eb988908607d2c1a9e5b48ceff7c278af0592

SHA256
182e37e1743d783d14f5e38583667b9741a6eefe70c62c3eb5920355fa38fef6

SHA512
917909432728b6262045fa3a8452f124797cc34c3e40d6a8404df25217703eae29fb0bd2c02e537649398be5c2a93b655c15134a0afa7b492b7cdd022abc8305

Download Submit
C:\Windows\SysWOW64\e0J0aDy.dll

Filesize
1KB

MD5
c092faa29b447e491e2bcf7a1df43cf8

SHA1
6698c759599c4de6db6d09206f273c9b99c919d7

SHA256
261935c073f415b1f8b76ff470e3082ab28ae2c44d08069c612d61f5710f8d9e

SHA512
57f2aa2d3e1268375b4a439187b2619870b0ba26be868424cfdef8ed476e91ed194233874b6b985fd3cc05a4b2abb83daa0fb83f42dfff117ad3157c48805685

Download Submit
C:\Windows\SysWOW64\e0J0aDy.dll

Filesize
2KB

MD5
5ba6f81f6ef534a8567957b511cd8e38

SHA1
6742c8bfe706f251a7ff746990008364f2bbe09b

SHA256
aa298603d47ea1f81918b9a753039834a6eb275d7e8f80c096e50e45b6ec1733

SHA512
57e0f52e098b91e67542ec37b56151280ed96edb7d29f01e7e36841cb704b14c33d0e52842dd0f37fc9b671035f844d48f154ebc2c9e46773137b0d9f3da2af9

Download Submit
C:\windows\SDOVUIXNSJJ.DLL

Filesize
71B

MD5
53af03bfe0f7d48af946d5c45af5dd9b

SHA1
cfe59e89166931c8deca56dbf41bdaf5779cc0bd

SHA256
c65c2898c7c775dc360a46e57131b10167404eb04a0e514cd7cd8c4d557780f2

SHA512
dfe381709f89465fc40f47bf1b032ea62a48b672b4854eda22360d753ddc3e8bef3f81a88d8689be046cc5966b83f75dd314d5b36c86dacde2e25a8c67ce1af3

Download Submit
memory/2616-0-0x00000000022F0000-0x00000000023CB000-memory.dmp

Filesize
876KB

Download
memory/2716-199-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-201-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-196-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-197-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-198-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-108-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-200-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-195-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-202-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-203-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-204-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-205-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-206-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-207-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download
memory/2716-208-0x00000000024D0000-0x00000000025AB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing