db0c6cb435a3b6e8b7850601450fca9a528d735a0cece4f680f69462539a14a4

General

Target

4526370aba26120ba5a4730000329f96_JaffaCakes118.exe
Size

413KB
MD5

4526370aba26120ba5a4730000329f96
SHA1

528574cf1ad604cd28c8e6f59e39092b9a37d07e
SHA256

db0c6cb435a3b6e8b7850601450fca9a528d735a0cece4f680f69462539a14a4
SHA512

6e0ea44d3feaa258ba36be991d7c0c24ed8ba38041271d3547e0eff600a7ad31797f3d1932b0b7fae383ef36bd7bf57cfcdd75b00608e137bb0e1bff590e5f69
SSDEEP

6144:7MGg9eBsQsNwK6JUwi9/gO9Q7d+0tyGf84Coan+bSwXkREUiRa0ETB/srEwX:8eBsQRJUwE/gE++yv1bBRUiRRETYEw

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Security Accounts Manager Server\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
308	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
2564	svchost.exe
2564	svchost.exe
2564	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dll	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\KMe.bat	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\System64.exe	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\System64.exe	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 308	3056	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe	32
PID 3056 wrote to memory of 308	3056	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe	32
PID 3056 wrote to memory of 308	3056	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe	32
PID 3056 wrote to memory of 308	3056	4526370aba26120ba5a4730000329f96_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\4526370aba26120ba5a4730000329f96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4526370aba26120ba5a4730000329f96_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\KMe.bat
  2⤵
  - Deletes itself
  PID:308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KMe.bat

Filesize
100B

MD5
67e7efb30ba903ae232fdac9abd38851

SHA1
66e76b62bbf2e2fc629364de9882e7aec1265ed1

SHA256
0858d784332e40d0716f3ef3f4f64560257fde0bf417f6f4f5a0d72e005923d6

SHA512
efe4859cb9c97c27696daa9abddbc0828e841aa2ad6f074b902914250ad070f328887f483ce56890169f927805fa520d1071362debc42c49f758774cc6ecc71c

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
311KB

MD5
d883c2434700bd99001c512fe34ddc00

SHA1
8ba15fdce19806bf24e73f2c89e2f94e1d3e6ce3

SHA256
18e29d1b0c8c4a52b7950005ea8e6a4bde8f6ce4e1a3384f26b374961331ac09

SHA512
5b7b77db4d872b2004af0c36bf69a1ac1ba78b5aca90a38d63278bbc9df64f6a4d9d59fc3eac8997dc327789e60fd8a63af520bf22157cda9414241233b04b93

Download Submit
\Windows\SysWOW64\System64.exe

Filesize
413KB

MD5
4526370aba26120ba5a4730000329f96

SHA1
528574cf1ad604cd28c8e6f59e39092b9a37d07e

SHA256
db0c6cb435a3b6e8b7850601450fca9a528d735a0cece4f680f69462539a14a4

SHA512
6e0ea44d3feaa258ba36be991d7c0c24ed8ba38041271d3547e0eff600a7ad31797f3d1932b0b7fae383ef36bd7bf57cfcdd75b00608e137bb0e1bff590e5f69

Download Submit
memory/2564-22-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-24-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2564-18-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-19-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-20-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-21-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-31-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-23-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-11-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-25-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-26-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-27-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-28-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-29-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/2564-30-0x0000000000200000-0x0000000000253000-memory.dmp

Filesize
332KB

Download
memory/3056-12-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing