dfc157b611233ffb1037d4af638866e89f1d5504b10f86827de79a42cd4fa1ae

General

Target

eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Size

318KB
MD5

eb18c10daec2052a035420c3866ca62f
SHA1

4b3cee088f397e4d9f774c5c4a4f3c81d1a221d8
SHA256

dfc157b611233ffb1037d4af638866e89f1d5504b10f86827de79a42cd4fa1ae
SHA512

bf4202edc0f28ba4fe52e741aea6e6e96f2240e39a74d097ff9df349a37113e2b52b51d1d0eb463a413442b78086651c3f67d9450f2983223f2712200246c1a5
SSDEEP

6144:I1zSIqrkISRfXfpY+0yFdADAc74eJpTWCy2vd/BuiRoG:/4ISRPfu+TmZ77Rku1Buyo

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe

Loads dropped DLL 12 IoCs

pid	Process
2008	svchost.exe
5068	svchost.exe
4496	svchost.exe
5084	svchost.exe
836	svchost.exe
4308	svchost.exe
2860	svchost.exe
1936	svchost.exe
3704	svchost.exe
2604	svchost.exe
1008	svchost.exe
3480	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2084-0-0x0000000000380000-0x00000000003CE000-memory.dmp	upx
behavioral2/files/0x0007000000023459-3.dat	upx
behavioral2/memory/2008-5-0x00000000756C0000-0x000000007570E000-memory.dmp	upx
behavioral2/memory/2008-6-0x00000000756C0000-0x000000007570E000-memory.dmp	upx
behavioral2/memory/4496-13-0x00000000756C0000-0x000000007570E000-memory.dmp	upx
behavioral2/memory/2084-41-0x0000000000380000-0x00000000003CE000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ias.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
2084	eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb18c10daec2052a035420c3866ca62f_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
318KB

MD5
bd8eb49e33037565c72209d7c6cb2e51

SHA1
b276e5619d7dad7b015d55788ab61a2af2990e97

SHA256
8eba2c13cacaecb719ae7582e9fa9469e7e2d260e7a96f6854b636e243636798

SHA512
af99d898a3b37412696905f3705d834ad5f4de48ee3180637b3d04278cab997466f5e76ba90fe2fe7fe4994756c450bbe50868f0ca6b0319fb10531d4db28048

Download Submit
memory/2008-5-0x00000000756C0000-0x000000007570E000-memory.dmp

Filesize
312KB

Download
memory/2008-6-0x00000000756C0000-0x000000007570E000-memory.dmp

Filesize
312KB

Download
memory/2084-0-0x0000000000380000-0x00000000003CE000-memory.dmp

Filesize
312KB

Download
memory/2084-41-0x0000000000380000-0x00000000003CE000-memory.dmp

Filesize
312KB

Download
memory/4496-13-0x00000000756C0000-0x000000007570E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing