7fa2b1cd5817591c860d2d2df02c51c89f6d73e7996caf9509b5cf0ee9ffc548

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Size

57KB
MD5

485fd5a389ea2c39a41e119e1731e329
SHA1

3472e932405f5358e2d3fbfff3d6df34e1eff1b6
SHA256

7fa2b1cd5817591c860d2d2df02c51c89f6d73e7996caf9509b5cf0ee9ffc548
SHA512

eb3348df32d2ec825fa092e6e5c2f2aceca29477c89f73c7e56d80526ad9f69c8ad197f9fd0cf743d760acd4af200166237f413f95e48b375b0289d0db43de7f
SSDEEP

1536:MysuehEZVvzDxAYA+6QfHEs7v8JHE6xbGAuNldg:MjqZlzySftu/FGnNli

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015e4e-2.dat	aspack_v212_v242

Loads dropped DLL 3 IoCs

pid	Process
2480	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
2796	svchost.exe
2796	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005ab09.ini	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpwxgj.dll	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:2480

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k pjlnvj
1⤵
- Loads dropped DLL
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\gpwxgj.dll

Filesize
50KB

MD5
b6dce9b2c6506144313a4e4e64a67846

SHA1
f6ef928b3ceee4eb04a30069c4251175abd6a708

SHA256
c2dc52f2aad29cd4f617a702b4033597d1df6a0a67e19fdb10b8d97b37c73eeb

SHA512
0dfe0b1d68016b319dfa59243ab25f43b07205a98734e1898d00bf1ec144714ce212c8cee04aaa313ad5f24ed4b2e31a0e7a9c419c9fa299cb8069df966d30dc

Download Submit
memory/2480-6-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2480-5-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2480-4-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download