2f760f8bc2eaca3df20fafdaeb10424ecd6d0ee7e2260a1b02d90be7bb8496d5

General

Target

e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Size

183KB
MD5

e0b1d7fad1577f998fbd7f3b1ad736b0
SHA1

27569fc55ad843f50b2f8256a5a76566303942f3
SHA256

2f760f8bc2eaca3df20fafdaeb10424ecd6d0ee7e2260a1b02d90be7bb8496d5
SHA512

209e1282b29c6bc37d6f9ac36cdc3d6b75a224270b38b27afec21b914294ae09563dcf321edbc9226f2715b922df2640c5d6b8fefbbff57f9c812e7b77201aba
SSDEEP

3072:33GCZi+u93O+KNr9hoOVGToadTutNNubNVFywb9Ve4kZJcMKQv+C25MOLdUr9hoO:KvWo/ToUatvubNawb9VOExRCiMOEo

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe

Loads dropped DLL 24 IoCs

pid	Process
840	svchost.exe
840	svchost.exe
2696	svchost.exe
2696	svchost.exe
2568	svchost.exe
2568	svchost.exe
2220	svchost.exe
2220	svchost.exe
988	svchost.exe
988	svchost.exe
884	svchost.exe
884	svchost.exe
336	svchost.exe
336	svchost.exe
932	svchost.exe
932	svchost.exe
1820	svchost.exe
1820	svchost.exe
2932	svchost.exe
2932	svchost.exe
2928	svchost.exe
2928	svchost.exe
2468	svchost.exe
2468	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nla.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0b1d7fad1577f998fbd7f3b1ad736b0_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
PID:1440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
183KB

MD5
33d1e0c3a81ba3dcb1d94c8a36cfe0dd

SHA1
426f30d1e46600425824619f86bf143dd1690d76

SHA256
641aef8c6a4426cca37c59f53dc9d4a07281ac6f87801eda298308e8888bc89f

SHA512
f2021d5be0ce348cec515d28de62b90e64d850181684dbdc02117aa7905227b3d67b794c4dfaa1fff58683f56c2f1010bfb5956c79e72e17074321956b3d355e

Download Submit
memory/336-48-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/840-8-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/884-43-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/884-41-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/932-56-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/932-54-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/988-37-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/988-36-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/1820-62-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/2220-29-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/2220-30-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/2468-79-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/2468-77-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/2568-23-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download
memory/2568-24-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/2696-16-0x0000000074340000-0x0000000074362000-memory.dmp

Filesize
136KB

Download
memory/2696-17-0x0000000074310000-0x0000000074332000-memory.dmp

Filesize
136KB

Download
memory/2828-11-0x0000000000150000-0x0000000000172000-memory.dmp

Filesize
136KB

Download
memory/2828-1-0x0000000000150000-0x0000000000172000-memory.dmp

Filesize
136KB

Download
memory/2828-3-0x00000000001A1000-0x00000000001A2000-memory.dmp

Filesize
4KB

Download
memory/2828-10-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2828-0-0x0000000000180000-0x00000000001A2000-memory.dmp

Filesize
136KB

Download
memory/2932-68-0x0000000074860000-0x0000000074882000-memory.dmp

Filesize
136KB

Download
memory/2932-67-0x0000000074890000-0x00000000748B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing