5853e4f131de097285728bb2ac0f3a7e2e3b457a98aa528980cd3b05d98e2d95

General

Target

4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Size

139KB
MD5

4b1181b44748a0edc5b4d95916382848
SHA1

a1d68f8417ea6440acf82a6c5664bcad56b1d509
SHA256

5853e4f131de097285728bb2ac0f3a7e2e3b457a98aa528980cd3b05d98e2d95
SHA512

8a8f8465691d68df0464e895ca4a2f0719d9479a87bfd373898c369442dd0493422f98b0a02910fd092ec75a937eb62d4af45b03d9af4fd6cec88c2986ba0aee
SSDEEP

3072:zH+Mcv5JXXieDEvy1W7rkD+bnAIhRjaNn:zHl0ndEqgkCAaRG9

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe

Loads dropped DLL 42 IoCs

pid	Process
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1812	svchost.exe
1812	svchost.exe
1812	svchost.exe
228	svchost.exe
228	svchost.exe
228	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
3324	svchost.exe
3324	svchost.exe
3324	svchost.exe
4848	svchost.exe
4848	svchost.exe
4848	svchost.exe
4936	svchost.exe
4936	svchost.exe
4936	svchost.exe
4064	svchost.exe
4064	svchost.exe
4064	svchost.exe
3668	svchost.exe
3668	svchost.exe
3668	svchost.exe
4088	svchost.exe
4088	svchost.exe
4088	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1820	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
1820	4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b1181b44748a0edc5b4d95916382848_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
PID:1812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
PID:228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
PID:3484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
PID:1512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
PID:2096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
PID:3324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
PID:4848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
PID:4936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:3668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
139KB

MD5
f166d8a6143593af01d49f05cc8e5fd3

SHA1
d9f8c362b6ea267640bfd2854f25918a6a1f24ab

SHA256
818481dcfe138b3b26eece234a0e87bb3ccc69944e0b23e4ca759a3011ee31d4

SHA512
3c69f1e1b1be0c5e31240b91c1fd9ef477a011c50ddc940d75d176916bac9ce94ef0c432cea164ea9f2ff6366dbb80dd869cb8c736da4673b2f0c8a1f17467d3

Download Submit
memory/1512-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1788-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-12-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-19-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2096-48-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/2096-51-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/2096-50-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/2096-46-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/2096-49-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/2096-47-0x0000000000F00000-0x0000000000F23000-memory.dmp

Filesize
140KB

Download
memory/3484-29-0x0000000000F20000-0x0000000000F43000-memory.dmp

Filesize
140KB

Download
memory/3484-24-0x0000000000F20000-0x0000000000F43000-memory.dmp

Filesize
140KB

Download
memory/3484-30-0x0000000000F20000-0x0000000000F43000-memory.dmp

Filesize
140KB

Download
memory/3484-31-0x0000000000F20000-0x0000000000F43000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing