a2fb397461d74213d9861d87d880390299d395a26852c0d1c30337bcb6e4567e

General

Target

b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Size

184KB
MD5

b2d1903f12411593c4ddd0fccde50319
SHA1

ba9f90f96f92d0c040a61de8939ae2a0f2d2b5c9
SHA256

a2fb397461d74213d9861d87d880390299d395a26852c0d1c30337bcb6e4567e
SHA512

fdeb887c20d9ff21ebcf0c8f2d30759c37838324c6232e5b03bd5c00a74c23bd6385cf96a26b9a38d2c770892e7db6c68ce94ebf0f3c538c5ee4889162ece159
SSDEEP

3072:mtaBk6WvG9v4j63IWg/1y14FDTZ2WRDiPa3TBft8nIiHtLlmI:GaBk6Wvgvw7H/8167hiPa3TBl8nIiHtT

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 10 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\srservice\Parameters\ServiceDll = "C:\\Windows\\system32\\ntsrservice.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\logonhours\Parameters\ServiceDll = "C:\\Windows\\system32\\ntlogonhours.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\ntfastuserswitchingcompatibility.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ias\Parameters\ServiceDll = "C:\\Windows\\system32\\ntias.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\ntntmssvc.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\ntwmi.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wmdmpmsp\Parameters\ServiceDll = "C:\\Windows\\system32\\ntwmdmpmsp.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\ntirmon.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nla\Parameters\ServiceDll = "C:\\Windows\\system32\\ntnla.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nwcworkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\ntnwcworkstation.dll"	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\729d73e9.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\9b56e972.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4ef54a5d.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntntmssvc.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\35172304.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntsrservice.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntnla.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a8c20fb6.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a4363793.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntias.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntirmon.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bda338ff.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntlogonhours.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntwmdmpmsp.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dad53dd.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntnwcworkstation.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntwmi.dll	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4ac26bd1.del	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
1420	b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2d1903f12411593c4ddd0fccde50319_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- System Location Discovery: System Language Discovery
PID:4948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- System Location Discovery: System Language Discovery
PID:4088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- System Location Discovery: System Language Discovery
PID:2744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- System Location Discovery: System Language Discovery
PID:4820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- System Location Discovery: System Language Discovery
PID:716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- System Location Discovery: System Language Discovery
PID:744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- System Location Discovery: System Language Discovery
PID:4352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- System Location Discovery: System Language Discovery
PID:2276

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- System Location Discovery: System Language Discovery
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
128067392b6d92487e6b3fe5b2289069

SHA1
2d7af881e89e075715eab0a419e41afda1d113dd

SHA256
b9a92e73f2187ddaf47806b437fccf702269e44e83a70b366a79a8ba85889ddc

SHA512
5894a5b2e985c5b4bd03ab55efdf33f2c8050157e6933be83a7634d977fa6a8d9c4ba523e484f3be1aa0327490612d93bd6f5e16227fea2965a9d99048491624

Download Submit

Analysis

Sharing