681d1e4fc3a9a9c5f184808644faaffe20a1e16df5cc7465394d5a972d4a7fde

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
Size

21KB
MD5

f0acfde3acc6056e023d5e372f24c0ef
SHA1

c72792441f343a8b9404a2605bbb07e0cb5a6cce
SHA256

681d1e4fc3a9a9c5f184808644faaffe20a1e16df5cc7465394d5a972d4a7fde
SHA512

f6a42f99b09f24addc176c2146686458c50553d676c1cbd0097f3f9b730911e484b9cc7c5da7b85867c100f5f7b1f10f9c4abad6c0961b06fec28e793acaa4a0
SSDEEP

384:USkb4Vx8eYrZ7o+0Qdvm4E56NDcKE4nu/ZNRMl8KOE:USk88f1E6/Em

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Scheduler\Parameters\ServiceDll = "C:\\Windows\\system32\\Routing.dll"	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Routing.dll	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\values.dat	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000f086abe36f0cdb01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000009025a9e36f0cdb01	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe
2996	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 256	2996	svchost.exe	1
PID 2996 wrote to memory of 332	2996	svchost.exe	2
PID 2996 wrote to memory of 384	2996	svchost.exe	3
PID 2996 wrote to memory of 392	2996	svchost.exe	4
PID 2996 wrote to memory of 432	2996	svchost.exe	5
PID 2996 wrote to memory of 476	2996	svchost.exe	6
PID 2996 wrote to memory of 492	2996	svchost.exe	7
PID 2996 wrote to memory of 500	2996	svchost.exe	8
PID 2996 wrote to memory of 596	2996	svchost.exe	9
PID 2996 wrote to memory of 672	2996	svchost.exe	10
PID 2996 wrote to memory of 748	2996	svchost.exe	11
PID 2996 wrote to memory of 808	2996	svchost.exe	12
PID 2996 wrote to memory of 852	2996	svchost.exe	13
PID 2996 wrote to memory of 960	2996	svchost.exe	15
PID 2996 wrote to memory of 272	2996	svchost.exe	16
PID 2996 wrote to memory of 1052	2996	svchost.exe	17
PID 2996 wrote to memory of 1060	2996	svchost.exe	18
PID 2996 wrote to memory of 1092	2996	svchost.exe	19
PID 2996 wrote to memory of 1140	2996	svchost.exe	20
PID 2996 wrote to memory of 1164	2996	svchost.exe	21
PID 2996 wrote to memory of 1472	2996	svchost.exe	23
PID 2996 wrote to memory of 316	2996	svchost.exe	24
PID 2996 wrote to memory of 760	2996	svchost.exe	25
PID 2996 wrote to memory of 2176	2996	svchost.exe	26
PID 2996 wrote to memory of 1668	2996	svchost.exe	27
PID 2996 wrote to memory of 1940	2996	svchost.exe	28
PID 2996 wrote to memory of 2032	2996	svchost.exe	32

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:316
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:760
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2032
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1092
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1940
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1052
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1060
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1164
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2176
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2996
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\routing.dll

Filesize
12KB

MD5
8ed3f6402cd16e6d134dc6cf74c09c64

SHA1
d37cb170631913887167ed709310defbe434f91d

SHA256
35ab7d4b0ec0795245caf18b55f0080700d31c388df8885e9ed1b120d064ad0e

SHA512
ab7176722bc65ba32061c5d372081885718a21bdf38178d6f217f2829703a978e51237e8e9cbee0c49282545af2781ffc3f1aa7e8d2b701227d4cde6ce881ebd

Download Submit
memory/256-6-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2644-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2644-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2996-5-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2996-43-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download