d7bfb349b668c4ddb15b75b6f1d24c029c87bcd76538fd6080349a8d73c80134

General

Target

4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
Size

852KB
MD5

4730287a3d51e2a4da07c41338ca9898
SHA1

0c1fcb7430fafa0fe5eb8024e9d71559133c9746
SHA256

d7bfb349b668c4ddb15b75b6f1d24c029c87bcd76538fd6080349a8d73c80134
SHA512

0c45222f83c4c8910477ec322d72dd3fff12c0c555cafc0f8c100fd400e3bd8c35cb5f5170e57836de403286ce50b693fda56c4b078635977318f3ae9bcdd997
SSDEEP

12288:JUIt/dPJ0HTwlYkxd7S6RiisSYQOGyKTWszZ4c4k4NXYuxz6lMXydL/iDsao:JUo/ywlY+O61sL2zTWO4c4k4NXhKX2

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\BZZWJIEGJ.DAT	regsvr32.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\BZZWJIEGJ.DAT	regsvr32.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\BZZWJIEGJ.DAT	svchost.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RMJFVAKSGAF\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll"	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ekJ18gk7.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\ekJ18gk7.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\ekJ18gk7.dll	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\PKRFEO.DLL	regsvr32.exe
File created	C:\windows\EKCYKE.DLL	regsvr32.exe
File opened for modification	C:\windows\PKRFEO.DLL	regsvr32.exe
File created	C:\windows\GTPHTJGUUCW.AAB	regsvr32.exe
File opened for modification	C:\windows\PKRFEO.DLL	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3008	4548	regsvr32.exe	83
PID 4548 wrote to memory of 3008	4548	regsvr32.exe	83
PID 4548 wrote to memory of 3008	4548	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\4730287a3d51e2a4da07c41338ca9898_JaffaCakes118.dll
  2⤵
  - Drops file in Drivers directory
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k PBWLN -s RMJFVAKSGAF
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\drivers\BZZWJIEGJ.DAT

Filesize
11KB

MD5
c70560817899842943100a55d8e04385

SHA1
433eb988908607d2c1a9e5b48ceff7c278af0592

SHA256
182e37e1743d783d14f5e38583667b9741a6eefe70c62c3eb5920355fa38fef6

SHA512
917909432728b6262045fa3a8452f124797cc34c3e40d6a8404df25217703eae29fb0bd2c02e537649398be5c2a93b655c15134a0afa7b492b7cdd022abc8305

Download Submit
C:\Windows\SysWOW64\ekJ18gk7.dll

Filesize
1KB

MD5
e445f19798ab03c3a4d9e0fbf6418265

SHA1
01cb2137cf362992cb79394ac198a4584793a6d1

SHA256
f7a071a2c7a98e370ad65fba48d46a69bda48dc072b954b42e7c028fe374c51b

SHA512
f9d8f4153c8db72949e4fc0e6a140c9f7eb0cec125f59369b2ed55f632e218f23b716ae01f487900cac73aa8ddc7e5890142cf8e2854dafa67ec12b62ea42ef8

Download Submit
C:\Windows\SysWOW64\ekJ18gk7.dll

Filesize
1KB

MD5
558474348bdf0ecb450cd5434676844a

SHA1
ee673cff89963d7075596e9768f87da2c6f84738

SHA256
7084fce49980ec93e7fd21e3945d84933e4ee868a5cb844aa1758f379f8bfe1e

SHA512
f77b3be204faa31fd2d8485ea0286d8f07e880fef3fea08c810bff66bdfd08c05e98400c7d3a5755c1bbee599b53cd9895320d7e620f4dd23076fdb49839563f

Download Submit
C:\Windows\SysWOW64\ekJ18gk7.dll

Filesize
2KB

MD5
07fd3a66fcd4086d06132c2648e8c9c9

SHA1
556f61f08179629621469a94ba46ea7259fc4e9a

SHA256
07da8ac6ac4886b3342529fbf6b166d658071cda17467da267bf9ec48757935d

SHA512
f38b0b7413940e5e8dd2dbb6ef99e02b11e83b31fbc3268122a92dffb3b29add579f94bcbacaee5829452a046d7274f761e75b69a4db312e0fc00339f38e4833

Download Submit
C:\Windows\SysWOW64\ekJ18gk7.dll

Filesize
2KB

MD5
971a8de5cd1e278a76e12de867e998e2

SHA1
288d0651aa63d1802f44ea503da7757dadc60c6b

SHA256
14cc989d455dfb1a2c7b336128ee10925476d875e67a833c9a30cc75de1200fa

SHA512
ae14f23419589872efb99aaabf41af70609496c39e8c8556bc4858ee7d7781c4c030be564209d5fa405ff160df3015f5b5aece804444d321fe92c3f98b971428

Download Submit
C:\windows\PKRFEO.DLL

Filesize
71B

MD5
53af03bfe0f7d48af946d5c45af5dd9b

SHA1
cfe59e89166931c8deca56dbf41bdaf5779cc0bd

SHA256
c65c2898c7c775dc360a46e57131b10167404eb04a0e514cd7cd8c4d557780f2

SHA512
dfe381709f89465fc40f47bf1b032ea62a48b672b4854eda22360d753ddc3e8bef3f81a88d8689be046cc5966b83f75dd314d5b36c86dacde2e25a8c67ce1af3

Download Submit
memory/2936-196-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-200-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-195-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-193-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-197-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-198-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-199-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-194-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-201-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-202-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-203-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-204-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-205-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-206-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing