2dc30cc28fd2c3db4dfc1b53226b7619e0d760c37f2465b8f13d3665ed518e7e

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 19:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe
Size

105KB
MD5

b08b5e2d643f2452d18ca622051a67fa
SHA1

0b195bd54fbc19461ac46dee016c4dd0cf478b0d
SHA256

2dc30cc28fd2c3db4dfc1b53226b7619e0d760c37f2465b8f13d3665ed518e7e
SHA512

aca4a92e58dd998bc3bb577187d3fe5ff0a703d46877b5395db4910db5e382a5b25f6c6286f72b6032c1446dd96a3d852e6b58e97f3c11a10b42a74309e87ba5
SSDEEP

3072:J/oxpFv1j6n1iWtBnnp5BnRp8/CpnsJxVb:JQxpl1j6n1nnjXpmmsJxVb

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\sysrvc.dll"	b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1348	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1348	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2472	b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe
2472	b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b08b5e2d643f2452d18ca622051a67fa_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Local User\sysrvc.dll

Filesize
94KB

MD5
207f05a267510c5ab9286cda85988a21

SHA1
184aaef79a35329fb0fee40e0d31340c2b8d0e8e

SHA256
ec24f5e3d0f2ba056c116886396911955e65d01dc79028bbf618ad6fcd1e23fd

SHA512
858d8b22e3b55dfe3c63d78b6549f395edccf70f87b67862f534a4bff4c964899bcfb689170a2a9317e0960f43ea1896b6bed0af12fe1cdae285fa47b2d3f3e0

Download Submit
memory/1348-5-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1348-6-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2472-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2472-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download