abaaf0549a0065329161158480d83809d887047f7230fedc534c707aa8c90357

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95454603956e4c571c411702bd750da1_JaffaCakes118.exe
Size

57KB
MD5

95454603956e4c571c411702bd750da1
SHA1

57a7a02767efeda5cc12b0e469c1c08e60ec61cf
SHA256

abaaf0549a0065329161158480d83809d887047f7230fedc534c707aa8c90357
SHA512

1bad9b8f42a80fde81fddf607fe95322af4ccfea18921916ba82f34d4186668dbeefaf9696c72b09cc739f1a4b718f8c2e1af4b87c585d2ab6d96f7724e006b0
SSDEEP

1536:MysuehE6ATj9Ksd/oBupCPW1U6tbgAko9u6daMg:Mjq9pKWpaWq6tMNHkaMg

Score

8^/10

aspackv2 discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wqitoq\parameters\ServiceDll = "%SystemRoot%\\System32\\cafbjo.dll"	95454603956e4c571c411702bd750da1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\wqitoq\parameters\ServiceDll = "%SystemRoot%\\System32\\cafbjo.dll"	95454603956e4c571c411702bd750da1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\wqitoq\parameters\ServiceDll = "%SystemRoot%\\System32\\cafbjo.dll"	95454603956e4c571c411702bd750da1_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023485-5.dat	aspack_v212_v242

Loads dropped DLL 4 IoCs

pid	Process
1924	95454603956e4c571c411702bd750da1_JaffaCakes118.exe
3840	svchost.exe
3840	svchost.exe
3840	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cafbjo.dll	95454603956e4c571c411702bd750da1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\00049833.ini	95454603956e4c571c411702bd750da1_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5040	3840	WerFault.exe	87
4552	3840	WerFault.exe	87
532	3840	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95454603956e4c571c411702bd750da1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

C:\Users\Admin\AppData\Local\Temp\95454603956e4c571c411702bd750da1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95454603956e4c571c411702bd750da1_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k wqitoq
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 528
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 664
  2⤵
  - Program crash
  PID:4552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 584
  2⤵
  - Program crash
  PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3840 -ip 3840
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3840 -ip 3840
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cafbjo.dll

Filesize
50KB

MD5
e82f8a93659b43c52e4a0debbc21df92

SHA1
d106830165d9cf2a891fe9f9c075889f1cf9ff80

SHA256
062bcf1a7df7884a2619005f4c26dff3273922af9ddd16ff923030917643b66e

SHA512
a01533ea86d74d3d81856e70e781a4700ff84a88f1f114fa300463845727852bb853b85edd611e69a7b74accce6eefd6df38f36927a50ab29eb0febc597e5630

Download Submit
memory/1924-0-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/1924-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1924-3-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/1924-8-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1924-13-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1924-12-0x0000000000400000-0x000000000040D261-memory.dmp

Filesize
52KB

Download
memory/3840-11-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/3840-15-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download