df6588fac47aa123a2e753927de36e802cb0a40e3771a1109d5748c2437ce275

General

Target

8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Size

87KB
MD5

8347341fccc8735768ccc1a22e935272
SHA1

0dec90c8aa582df03eac63cb0cc4f8fd8f559853
SHA256

df6588fac47aa123a2e753927de36e802cb0a40e3771a1109d5748c2437ce275
SHA512

22fd0639fb787748b0f33b460b9de444e6c9a93d2616fecca58a0dbd184cbc7fd3fd5a6834c0c4bc58704079c7d7a27a697562ce8027045e434fd9c113ca72da
SSDEEP

1536:lneLFVzsAv8CTsU9Q2ApqAU0nD9DSDBSncy7UBAvRjfppopYMDWnm+eNi:0RZsAvA6pAp+0nDZSEFUBoRjUpYpleNi

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

Loads dropped DLL 24 IoCs

pid	Process
2356	svchost.exe
2356	svchost.exe
2716	svchost.exe
2716	svchost.exe
2496	svchost.exe
2496	svchost.exe
2796	svchost.exe
2796	svchost.exe
2668	svchost.exe
2668	svchost.exe
2628	svchost.exe
2628	svchost.exe
3004	svchost.exe
3004	svchost.exe
2896	svchost.exe
2896	svchost.exe
1192	svchost.exe
1192	svchost.exe
2516	svchost.exe
2516	svchost.exe
2108	svchost.exe
2108	svchost.exe
1252	svchost.exe
1252	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
PID:2980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1192

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
87KB

MD5
a708b3eb0f5b369c9fb08de599805b1c

SHA1
b8642657759bf32420c359df4412494835a35b09

SHA256
888eaf09b4a7846f6d8b337024a083819738cd95e1fe31654e987bbc0f1b8107

SHA512
a065fd0abf903602c7827248daf1b444878c0efab61f8bd8600ef8e466d544e4808511b2b9bdcb7e18ba56487cdfef8708dc2958637f1db08c8a8158d7255de9

Download Submit
memory/1192-55-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download
memory/1192-56-0x0000000074CD0000-0x0000000074CF2000-memory.dmp

Filesize
136KB

Download
memory/2108-66-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download
memory/2516-61-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download
memory/2524-15-0x00000000009E0000-0x0000000000A02000-memory.dmp

Filesize
136KB

Download
memory/2524-0-0x00000000009E0000-0x0000000000A02000-memory.dmp

Filesize
136KB

Download
memory/2524-25-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2524-24-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2524-3-0x0000000000A01000-0x0000000000A02000-memory.dmp

Filesize
4KB

Download
memory/2524-2-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2628-37-0x0000000074CD0000-0x0000000074CF2000-memory.dmp

Filesize
136KB

Download
memory/2628-36-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download
memory/2668-30-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download
memory/2716-13-0x00000000747B0000-0x00000000747D2000-memory.dmp

Filesize
136KB

Download
memory/2716-14-0x0000000074780000-0x00000000747A2000-memory.dmp

Filesize
136KB

Download
memory/3004-43-0x0000000074CD0000-0x0000000074CF2000-memory.dmp

Filesize
136KB

Download
memory/3004-42-0x0000000074D00000-0x0000000074D22000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing