87306c6bb1a048408d12ac101e7c1d83c1556a3fda29d7d430dc5667fc1ea1d5

General

Target

4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Size

73KB
MD5

4ae8a5ce179eaefe40c694f9fae8bd48
SHA1

84ee6882afef02f81b4ff1284809567600320179
SHA256

87306c6bb1a048408d12ac101e7c1d83c1556a3fda29d7d430dc5667fc1ea1d5
SHA512

4cd3753e22f4d5f592e3782404e59679ecba56d73a68732289d3851d079dc9b6532a6bf733150efd15c71c4f0a149933a515ddc3032e7216a76c8dbaf5ed31d9
SSDEEP

1536:cB/Mz7IPM8QX41zUIF5uM2IHSlrd0SIivppoNn:cB/MI0X42ILutIorRONn

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe

Loads dropped DLL 36 IoCs

pid	Process
5072	svchost.exe
5072	svchost.exe
5072	svchost.exe
5028	svchost.exe
5028	svchost.exe
5028	svchost.exe
1716	svchost.exe
1716	svchost.exe
1716	svchost.exe
320	svchost.exe
320	svchost.exe
320	svchost.exe
4936	svchost.exe
4936	svchost.exe
4936	svchost.exe
1288	svchost.exe
1288	svchost.exe
1288	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
4332	svchost.exe
4332	svchost.exe
4332	svchost.exe
740	svchost.exe
740	svchost.exe
740	svchost.exe
3256	svchost.exe
3256	svchost.exe
3256	svchost.exe
4800	svchost.exe
4800	svchost.exe
4800	svchost.exe
4380	svchost.exe
4380	svchost.exe
4380	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
1604	4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ae8a5ce179eaefe40c694f9fae8bd48_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:5072

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:5028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:4936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:1288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:1152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:4332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:3256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:4800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
73KB

MD5
591b98460855033cc339e5fff3ae037d

SHA1
f8622d2cfcf9d98fb904c20007123d460f09d1c3

SHA256
e5cb57fdc92aae9925627ba5af71ae631bce4834253c32e16503c07941bce169

SHA512
63ad1d4edeadf02801389b49586d14b5514de754b0880740c1246803a66c7fbf280e5bfa27e22fa0dbd4d672e5c3a7a9cfdbaad633d90523f09f6b829a95d9ae

Download Submit
memory/320-32-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/320-31-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/740-68-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/740-67-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/740-69-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/1288-47-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/1288-45-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/1288-46-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/1604-25-0x00000000006A0000-0x00000000006BF000-memory.dmp

Filesize
124KB

Download
memory/1604-0-0x00000000006A0000-0x00000000006BF000-memory.dmp

Filesize
124KB

Download
memory/1716-21-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/1716-23-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/3256-94-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/3256-77-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/3256-76-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4332-60-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4332-58-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4332-57-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4332-92-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4800-84-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4800-85-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4800-86-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4936-70-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/4936-38-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5028-13-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5028-16-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5028-17-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5072-5-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5072-9-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download
memory/5072-8-0x0000000075370000-0x000000007538F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing