229558dc23ef25b30520260dc82ff282bf8f51c9423f0a2a7079fe955643ce69

General

Target

757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Size

3.4MB
MD5

757890834362fdd5a0335667192b9266
SHA1

17c4b9bed61dc54fd04509a3d3bc36e6ee27ba4b
SHA256

229558dc23ef25b30520260dc82ff282bf8f51c9423f0a2a7079fe955643ce69
SHA512

e443a20bf95379480951661f65b19bb655b5a191f138ce854cc9f40592834dfafe086aba5ee7a5b4741b6318f30099c1134c307ef0fbadc42d11b16b85a8f4ee
SSDEEP

49152:lIr7GGaITDEZxISJJCLZGhUcwM7FVSR0S67b8pbhpkjJY7X1XuYfrKrboYgOs:LZxT6cwU/zSbbhAJYr1XuYfrCYOs

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll"	1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Minhdder\ParameteRS\ServiceDll = "%SystemRoot%\\System32\\skfloo.dll"	1.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	1.exe
2208	2.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	1.exe
1888	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ 5700d.001	1.exe
File created	C:\Windows\SysWOW64\skfloo.dll	1.exe
File created	C:\Windows\SysWOW64\skfloo.sys	1.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1.vbs	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259466494	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\1.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File opened for modification	C:\Windows\1.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\2.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File opened for modification	C:\Windows\2.exe	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
File created	C:\Windows\1.vbs	757890834362fdd5a0335667192b9266_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	757890834362fdd5a0335667192b9266_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	2.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1888	svchost.exe
1888	svchost.exe
1888	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2856	1708	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2856	1708	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2856	1708	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2856	1708	757890834362fdd5a0335667192b9266_JaffaCakes118.exe	30
PID 2856 wrote to memory of 2688	2856	WScript.exe	31
PID 2856 wrote to memory of 2688	2856	WScript.exe	31
PID 2856 wrote to memory of 2688	2856	WScript.exe	31
PID 2856 wrote to memory of 2688	2856	WScript.exe	31
PID 2856 wrote to memory of 3024	2856	WScript.exe	33
PID 2856 wrote to memory of 3024	2856	WScript.exe	33
PID 2856 wrote to memory of 3024	2856	WScript.exe	33
PID 2856 wrote to memory of 3024	2856	WScript.exe	33
PID 2688 wrote to memory of 2936	2688	cmd.exe	35
PID 2688 wrote to memory of 2936	2688	cmd.exe	35
PID 2688 wrote to memory of 2936	2688	cmd.exe	35
PID 2688 wrote to memory of 2936	2688	cmd.exe	35
PID 3024 wrote to memory of 2208	3024	cmd.exe	36
PID 3024 wrote to memory of 2208	3024	cmd.exe	36
PID 3024 wrote to memory of 2208	3024	cmd.exe	36
PID 3024 wrote to memory of 2208	3024	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\757890834362fdd5a0335667192b9266_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WINDOWS\1.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c 1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\WINDOWS\1.exe
      1.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c 2.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\WINDOWS\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Minhdder
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\1.exe

Filesize
69KB

MD5
432652519654357dd6550320f2c636b4

SHA1
ee0df6ac1b21b0f85fa264cf3285c11a82528d0f

SHA256
34d12e38b2c31b85ea5fd0a76a28f9b7c2347c2b8abf7465eb0489875e0ea42d

SHA512
64c201bccda1cc001a477d1ac279e18c11dacb7530f0723e547bf3c4397a706f98dde14a4e62d7303a591545e84713ee00df8a6f589f87d7806c27b3b4ada922

Download Submit
C:\WINDOWS\1.vbs

Filesize
98B

MD5
519bc6ba1dee20d7b8ec37d6a8e93cad

SHA1
d82348921cd64d006d096765434180ba66c81e12

SHA256
85e8d49f9921b5352c2e1f5300d26776683b98798cbb5572b6a520c4f6ed8467

SHA512
2ae1d66c7c5cffd053ef1cd8a220f8e268d8c24e11288aca142f4b1a28577e201ecd7898eb2e8c65d6b1f766eef6f6f99066380e0aae0c616854ab43662a0dbf

Download Submit
C:\WINDOWS\2.exe

Filesize
3.3MB

MD5
d0f78b68a8171c54a0760bb0ae7bb174

SHA1
2e281788cb63f347718f420b245a7db00b56b8ea

SHA256
5d7ba8d7e359c837234039b6ff1b34fad0a288f91b66918fcc66002392e5e140

SHA512
9c75c7bcaa2a47b488742553820ede72edf7218bbb326c667542826235dd8ddd56f876520725b9168abc7e15954cc9a4c9dc60a28a37853775cd3adf62496843

Download Submit
\Windows\SysWOW64\skfloo.dll

Filesize
104KB

MD5
78da1c202095a2d96a9d8576a11147fe

SHA1
22847e4e26cea039f5a2a0850bfe8694bba9bcc3

SHA256
ada8d9d4570dc420e7a6ac03f6ec870eb89bd68c2b1ac163b7b5603ff53c7d86

SHA512
65829b8439bf44a2247d7e3295d798ea6633319ce45238eb38a539abb3466b23647e716f995713f97b7920d0e8e6c4ed0c32faa9e7be2857e1ad462c34439f01

Download Submit
memory/1708-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1888-36-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1888-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2208-43-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-40-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-49-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-48-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-47-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-46-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-35-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-17-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-37-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-38-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-39-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-45-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-41-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-42-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-44-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2688-10-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2688-13-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2936-33-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2936-30-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3024-15-0x00000000006D0000-0x000000000082B000-memory.dmp

Filesize
1.4MB

Download
memory/3024-14-0x00000000006D0000-0x000000000082B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing