7fa2b1cd5817591c860d2d2df02c51c89f6d73e7996caf9509b5cf0ee9ffc548

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Size

57KB
MD5

485fd5a389ea2c39a41e119e1731e329
SHA1

3472e932405f5358e2d3fbfff3d6df34e1eff1b6
SHA256

7fa2b1cd5817591c860d2d2df02c51c89f6d73e7996caf9509b5cf0ee9ffc548
SHA512

eb3348df32d2ec825fa092e6e5c2f2aceca29477c89f73c7e56d80526ad9f69c8ad197f9fd0cf743d760acd4af200166237f413f95e48b375b0289d0db43de7f
SSDEEP

1536:MysuehEZVvzDxAYA+6QfHEs7v8JHE6xbGAuNldg:MjqZlzySftu/FGnNli

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\pjlnvj\parameters\ServiceDll = "%SystemRoot%\\System32\\gpwxgj.dll"	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000234b4-5.dat	aspack_v212_v242

Loads dropped DLL 4 IoCs

pid	Process
4148	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
3704	svchost.exe
3704	svchost.exe
3704	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005ab09.ini	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpwxgj.dll	485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4108	3704	WerFault.exe	84
3092	3704	WerFault.exe	84
964	3704	WerFault.exe	84

C:\Users\Admin\AppData\Local\Temp\485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\485fd5a389ea2c39a41e119e1731e329_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:4148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k pjlnvj
1⤵
- Loads dropped DLL
PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 528
  2⤵
  - Program crash
  PID:4108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 328
  2⤵
  - Program crash
  PID:3092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 392
  2⤵
  - Program crash
  PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3704 -ip 3704
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3704 -ip 3704
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3704 -ip 3704
1⤵
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gpwxgj.dll

Filesize
50KB

MD5
a0ce5ac0541f28ccc6f955584981a85a

SHA1
99ac760f6cefd010ddbd7dde1e59b96b545aba3f

SHA256
9f0a096d11812c96bce02915e1deafc4822e974e280b34803d4c413f0ddf1686

SHA512
da1f7441a2a313e1df426c286bca86e5ebe7687a3ba77c5454d81b34c1f3d33fadf697c9cd29a817353cf5b3f5961c7714d58516e179ba198ba6c5535ed5e707

Download Submit
memory/3704-14-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4148-0-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/4148-3-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/4148-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/4148-6-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/4148-11-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/4148-12-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download