b34dcfc6c63b7e8879ff65e7ed393633f54605dcb72fcd3c8393441411308527

General

Target

81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
Size

369KB
MD5

81c2445840214308d13785c24e737ff7
SHA1

24d02c74438d95c3485e9fb4fff7622cd07f709e
SHA256

b34dcfc6c63b7e8879ff65e7ed393633f54605dcb72fcd3c8393441411308527
SHA512

619d5a2a4d9cd55685ae95caba4562889820a6363cb717cc536404e71691a149a77b3153f79bbce2634f60f7db66a3706c77042741d3dc2f276cc2e0447e398a
SSDEEP

6144:mnOA/LjmUc7HtR9BdQIddBc7s5EpXDegTMCB059inresJMrEyoErOofEvxR:mn/nmUcx5W+nc7c2zegTMCueeRrEyJbu

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\fpstgl\Parameters\ServiceDll = "%SystemRoot%\\System32\\fpstgl.dll"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2428	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
2428	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fpstgl.dll	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

C:\Users\Admin\AppData\Local\Temp\81c2445840214308d13785c24e737ff7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c2445840214308d13785c24e737ff7_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k fpstgl
1⤵
- Server Software Component: Terminal Services DLL
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\fpstgl.dll

Filesize
76KB

MD5
9c44548338d44699c0e959efb828819e

SHA1
2f5066cd60e2f084eaf8a9090d729d2d16d1c468

SHA256
5dcda0c5ad859cfd856aae2dc06a1dd7bd31bec5bc3c6eea6658d95f3acabb92

SHA512
de9cb635ade83732e356ad10b22f8cd0b6f8a511c49bd38994d67490f878642fc38a568c935ec896f592bbcf9b8b705946b06a587002ef9f3dd3a053885222ba

Download Submit
memory/2016-18-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-34-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2016-3-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2016-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2016-15-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-13-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2016-10-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2016-9-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2016-8-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2016-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2016-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2016-5-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2016-4-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2016-12-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-21-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-2-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2016-31-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-30-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-29-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-28-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-27-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-26-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-25-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-24-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-23-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-22-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-20-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-19-0x00000000031C0000-0x0000000003200000-memory.dmp

Filesize
256KB

Download
memory/2016-35-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2016-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing