9596b8425d215fb1ce3b70064dfbf2a94dd1b988dc96bdd5f47d3cb3bdc4ed4c

General

Target

88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Size

89KB
MD5

88cfd907476565087e1747e70bf638b0
SHA1

d1d95d8afd5492f8fe9cd411627224d4ebcbe724
SHA256

9596b8425d215fb1ce3b70064dfbf2a94dd1b988dc96bdd5f47d3cb3bdc4ed4c
SHA512

582324ad62e433b886f8fe65d5c047c9c9b787b195eae0fafe726d48c8c3d51133ecce24d69d3f95f645bf5c6c8544ee7c6cc4b8b82bef69a13a9b42dcd3dbb0
SSDEEP

1536:Ev8jkIB0yIB3J5GlqWo5QljUzgYeBmdDe7+oaI5zjpaEK759+wTEO8vppoVx:E8V0yIB5wlpo5kIGBmdDQ+rI5zlalX+G

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe

Loads dropped DLL 24 IoCs

pid	Process
2248	svchost.exe
2248	svchost.exe
3028	svchost.exe
3028	svchost.exe
2840	svchost.exe
2840	svchost.exe
808	svchost.exe
808	svchost.exe
2968	svchost.exe
2968	svchost.exe
280	svchost.exe
280	svchost.exe
2160	svchost.exe
2160	svchost.exe
956	svchost.exe
956	svchost.exe
2572	svchost.exe
2572	svchost.exe
2044	svchost.exe
2044	svchost.exe
2908	svchost.exe
2908	svchost.exe
2124	svchost.exe
2124	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
760	88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88cfd907476565087e1747e70bf638b0_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
89KB

MD5
8c16469c3aef3f17ff9ae3a2b78da236

SHA1
d610a17093e24400fb9e2e0dcd01e51344febc26

SHA256
15291c9e4900059195fe26fa7f968e042ac30520d2df557fcd9f1e208ecebe98

SHA512
b485b5d732b1a068264a758983eb4c5168c922b94918d92484cf557b6ca057829df163da26ae41c5e18ee4444af5ed37aaab20ef49f98abe15c6694e78e60209

Download Submit
memory/280-41-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/760-1-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/760-3-0x0000000001213000-0x0000000001214000-memory.dmp

Filesize
4KB

Download
memory/760-79-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/760-16-0x00000000011F0000-0x0000000001214000-memory.dmp

Filesize
144KB

Download
memory/760-20-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/760-0-0x00000000011F0000-0x0000000001214000-memory.dmp

Filesize
144KB

Download
memory/808-28-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/808-29-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/956-53-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/956-51-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2044-65-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/2044-63-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2124-76-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2248-7-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2572-59-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2840-23-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/2840-21-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2908-72-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/2908-71-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/2968-36-0x0000000074CD0000-0x0000000074CF4000-memory.dmp

Filesize
144KB

Download
memory/2968-35-0x0000000074D00000-0x0000000074D24000-memory.dmp

Filesize
144KB

Download
memory/3028-15-0x00000000747A0000-0x00000000747C4000-memory.dmp

Filesize
144KB

Download
memory/3028-13-0x00000000747D0000-0x00000000747F4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing