e3b69a995b4524211637ed5fe57b0df0696e7f43d4f78d35cb1998cb93525f03

General

Target

5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Size

590KB
MD5

5b01c41c358a6c1d68ab84b6444ad016
SHA1

f02a0d0536727688ccce9c55f5fca2a6aa23001f
SHA256

e3b69a995b4524211637ed5fe57b0df0696e7f43d4f78d35cb1998cb93525f03
SHA512

2f7c4e04d6fd1cc652932373fd70221270c1dfc16f5ba062da59815bcbc1688d3e35c5f5d91cbaddf4250f8c2ceb9cc68e14ce3a6290a7c8e250b39fa42c37ca
SSDEEP

12288:7TH1o/j5RoRjs0FjUuF3Z4mxx4DqVTVOCtV:fO52RjFZQmXfVTztV

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll"	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
4556	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysns.dll	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sysns.dll	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeBackupPrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
Token: SeRestorePrivilege	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 648	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe	88
PID 1040 wrote to memory of 648	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe	88
PID 1040 wrote to memory of 648	1040	5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\5b01c41c358a6c1d68ab84b6444ad016_JaffaCakes118.exe"
  2⤵
  PID:648

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netns
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\sysns.dll

Filesize
478KB

MD5
5d612c45e2a391d0138d338343190fe5

SHA1
01bdc2a6e7e1fa7b9d27b8726d1f5271af38d721

SHA256
92df7ab76dfa59f0396e2c911518f954e8a817d8edb8461db04b2a2f95c8e02d

SHA512
b7f37b4e1539927a51ac7f864fa095cc08e46794b7769f5d86a9f4dee86334001541ce6be08ca3edd5ba2e7da53ba314c10b56f1965915cd376772cfecb89774

Download Submit
memory/1040-15-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1040-13-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1040-27-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1040-26-0x0000000003360000-0x0000000003362000-memory.dmp

Filesize
8KB

Download
memory/1040-25-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1040-24-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1040-23-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1040-22-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1040-21-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1040-20-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1040-19-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1040-18-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1040-17-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1040-16-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1040-0-0x0000000013140000-0x0000000013225000-memory.dmp

Filesize
916KB

Download
memory/1040-28-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1040-12-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1040-14-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1040-11-0x0000000003370000-0x0000000003372000-memory.dmp

Filesize
8KB

Download
memory/1040-10-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1040-9-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1040-8-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1040-7-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1040-6-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1040-5-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1040-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1040-3-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1040-1-0x00000000021A0000-0x00000000021F4000-memory.dmp

Filesize
336KB

Download
memory/1040-37-0x00000000021A0000-0x00000000021F4000-memory.dmp

Filesize
336KB

Download
memory/1040-36-0x0000000013140000-0x0000000013225000-memory.dmp

Filesize
916KB

Download
memory/4556-38-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4556-39-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing