e50407b62502bfc2fe94c97e0d1af3871269596b8de3384df4dbb92f90de17c6

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe
Size

111KB
MD5

524aed944b7f307eea5677eda7e2079a
SHA1

ed1078869941db13e29791132f4350d7bdfa2209
SHA256

e50407b62502bfc2fe94c97e0d1af3871269596b8de3384df4dbb92f90de17c6
SHA512

712d47cd629194d7e1ed4b97bed5fbb8e9aad5339bd6c514d4327b35ce9e8332899563528f2ac9934d300d32c6412b83cc55f863cdc8ca82fe1c1334d57eadce
SSDEEP

1536:vqy7hkeaG0g5VskxIJ0AUr+rUV8XqFAMkkMggtjG5piYZXKz0tC:fhkEsoIu8UrVMggty5pFZ1

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system\\FastUserSwitchingCompatibilityex.dll"	524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\system\config_t.dat	524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe
File created	C:\Windows\system\config_t.dat	524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\524aed944b7f307eea5677eda7e2079a_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in Windows directory
PID:1840

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
1⤵
PID:2440

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\system\fastuserswitchingcompatibilityex.dll
Filesize
40KB

MD5
c7f6a8ead94a581401dd0b5f7aa192ff

SHA1
642d5dc7364406931bb8ef50acf76bd9f00ee268

SHA256
56641de686bab6fd855f6368b03121ea987e648486897e360882a3a86297c5fa

SHA512
f77910cbe87e5a51d0691edff2cfc1938310aff1cf73450bf27695f0cf95e74047990b688193556703ea793175c3c6ca4fcd6ca4f0488a43ea1b8e64c85014a9

Download Submit