50522976f4ed595e46cef01e881b01264cf5934c34bb4dc4b7062ffe1a0ecedd

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68872658d47f324276af55feb94c5149_JaffaCakes118.exe
Size

45KB
MD5

68872658d47f324276af55feb94c5149
SHA1

cbeb4a2be2017967e076575ea133708e3221811f
SHA256

50522976f4ed595e46cef01e881b01264cf5934c34bb4dc4b7062ffe1a0ecedd
SHA512

cde045c4ae70b8143ea22af112155c5ffe83952e3892277435514842e07aed17af4cd3c5e782f142a75d90af0a5f6b5a4fa78125540ba6d92b0822701034ecb0
SSDEEP

768:3O0tJsbjMWoxm/PXkh0yL9d1ZBDMPiflcCAhJ2uTNVthdP/URtEXA6+GS:vsXMM/PXkqyLj1oPivAhFHdP/UR+wt9

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\defaultlib\Parameters\ServiceDll = "C:\\Windows\\system32\\wowformf115_981.dll"	68872658d47f324276af55feb94c5149_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1788	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wowformf115_981.dll	68872658d47f324276af55feb94c5149_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysche	68872658d47f324276af55feb94c5149_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68872658d47f324276af55feb94c5149_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	svchost.exe

C:\Users\Admin\AppData\Local\Temp\68872658d47f324276af55feb94c5149_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68872658d47f324276af55feb94c5149_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\wowformf115_981.dll

Filesize
36KB

MD5
90b31e23d251b021058e21a04cd470ce

SHA1
4a9ba9ed6ccc660d4d413a603bc92ffcca56fe97

SHA256
41f4e5207d8a12cd0dcef53a840e0f7c9ee039fe6c01c27a6f19b285bcd9bd48

SHA512
165131dbdf1229307b2c1f7db81b6ca81a7dbc8c7e105c9900ca4e15027a2a8923a8957c673f3796d64bc9f87f3812958a33b58b124f5f80cf316f9379fdba40

Download Submit
memory/1788-7-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1788-8-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/1788-9-0x0000000010003000-0x0000000010004000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/3992-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3992-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3992-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download