f6973271ac1f735395315fb47870eec7b7a2a9718e014376d4650b2e2a95ecaf

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 18:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
Size

69KB
MD5

dcd21d3523bcd683f8a2929f33344978
SHA1

d97bfb456b981f699789f6b699befd4774b43584
SHA256

f6973271ac1f735395315fb47870eec7b7a2a9718e014376d4650b2e2a95ecaf
SHA512

7a86d4fe3faa204e8e2cebbff27cc6241462c4be35e291982d00d969c2cbf6d619b52eb6d7ff323d1dc8b07d14a411f9ec03ac12ee0cece42a94177129426964
SSDEEP

1536:iYfWamqp9NvihgqlsblcINUkxoNuudXpiHTjl5:i7e9NvQVlsb9UkeNuDzjn

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tboicc\Parameters\ServiceDll = "%SystemRoot%\\System32\\blsjks.dll"	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\tboicc\Parameters\ServiceDll = "%SystemRoot%\\System32\\blsjks.dll"	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\tboicc\Parameters\ServiceDll = "%SystemRoot%\\System32\\blsjks.dll"	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2220	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
2220	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\blsjks.dll	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\0004edf5.001	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

C:\Users\Admin\AppData\Local\Temp\dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcd21d3523bcd683f8a2929f33344978_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -K tboicc
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2220

Network

DNS

williamma931.gicp.net

svchost.exe

Remote address:

8.8.8.8:53

Request

williamma931.gicp.net

IN A

Response

No results found

8.8.8.8:53

williamma931.gicp.net

dns

svchost.exe

67 B
67 B
1
1

DNS Request

williamma931.gicp.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\blsjks.dll

Filesize
94KB

MD5
a4b2df12e94e6ba5af342a732a649d4b

SHA1
02e49faa56c1e86a7bace2afbe2446e056846200

SHA256
53c62440703614a6bd0f0ac9b763ce1e0b584b3322f09b7ad7513546128a35c0

SHA512
456c2015564fe430b147b847227dd98a0aff3fa7ec9832955b2ec4cf328c1a17130f4945b3662e2c9fdf53d45c4fbd3b7a4f90edbc65985ccc65dddbe7d363ca

Download Submit
memory/2000-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2000-5-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2000-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-8-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2220-10-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download