df6588fac47aa123a2e753927de36e802cb0a40e3771a1109d5748c2437ce275

General

Target

8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Size

87KB
MD5

8347341fccc8735768ccc1a22e935272
SHA1

0dec90c8aa582df03eac63cb0cc4f8fd8f559853
SHA256

df6588fac47aa123a2e753927de36e802cb0a40e3771a1109d5748c2437ce275
SHA512

22fd0639fb787748b0f33b460b9de444e6c9a93d2616fecca58a0dbd184cbc7fd3fd5a6834c0c4bc58704079c7d7a27a697562ce8027045e434fd9c113ca72da
SSDEEP

1536:lneLFVzsAv8CTsU9Q2ApqAU0nD9DSDBSncy7UBAvRjfppopYMDWnm+eNi:0RZsAvA6pAp+0nDZSEFUBoRjUpYpleNi

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

Loads dropped DLL 36 IoCs

pid	Process
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe
3000	svchost.exe
3000	svchost.exe
3000	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4112	svchost.exe
4112	svchost.exe
4112	svchost.exe
3296	svchost.exe
3296	svchost.exe
3296	svchost.exe
3832	svchost.exe
3832	svchost.exe
3832	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3780	svchost.exe
3780	svchost.exe
3780	svchost.exe
1596	svchost.exe
1596	svchost.exe
1596	svchost.exe
3228	svchost.exe
3228	svchost.exe
3228	svchost.exe
3148	svchost.exe
3148	svchost.exe
3148	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
4460	8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8347341fccc8735768ccc1a22e935272_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4920

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3148

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
87KB

MD5
a708b3eb0f5b369c9fb08de599805b1c

SHA1
b8642657759bf32420c359df4412494835a35b09

SHA256
888eaf09b4a7846f6d8b337024a083819738cd95e1fe31654e987bbc0f1b8107

SHA512
a065fd0abf903602c7827248daf1b444878c0efab61f8bd8600ef8e466d544e4808511b2b9bdcb7e18ba56487cdfef8708dc2958637f1db08c8a8158d7255de9

Download Submit
memory/1596-62-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3148-77-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3148-78-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3296-36-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3296-34-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3296-35-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3780-57-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3780-56-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3780-55-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3832-68-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3832-43-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/3852-47-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4364-22-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4364-21-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4364-20-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4460-23-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/4460-0-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/4920-5-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4920-8-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download
memory/4920-9-0x0000000075710000-0x0000000075732000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing