681d1e4fc3a9a9c5f184808644faaffe20a1e16df5cc7465394d5a972d4a7fde

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
Size

21KB
MD5

f0acfde3acc6056e023d5e372f24c0ef
SHA1

c72792441f343a8b9404a2605bbb07e0cb5a6cce
SHA256

681d1e4fc3a9a9c5f184808644faaffe20a1e16df5cc7465394d5a972d4a7fde
SHA512

f6a42f99b09f24addc176c2146686458c50553d676c1cbd0097f3f9b730911e484b9cc7c5da7b85867c100f5f7b1f10f9c4abad6c0961b06fec28e793acaa4a0
SSDEEP

384:USkb4Vx8eYrZ7o+0Qdvm4E56NDcKE4nu/ZNRMl8KOE:USk88f1E6/Em

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Scheduler\Parameters\ServiceDll = "C:\\Windows\\system32\\Routing.dll"	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Routing.dll	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\values.dat	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b68b0ee56f0cdb01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000008b5013e56f0cdb01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
4476	f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe
3024	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 616	3024	svchost.exe	5
PID 3024 wrote to memory of 672	3024	svchost.exe	7
PID 3024 wrote to memory of 776	3024	svchost.exe	8
PID 3024 wrote to memory of 784	3024	svchost.exe	9
PID 3024 wrote to memory of 792	3024	svchost.exe	10
PID 3024 wrote to memory of 900	3024	svchost.exe	11
PID 3024 wrote to memory of 948	3024	svchost.exe	12
PID 3024 wrote to memory of 340	3024	svchost.exe	13
PID 3024 wrote to memory of 412	3024	svchost.exe	14
PID 3024 wrote to memory of 1040	3024	svchost.exe	15
PID 3024 wrote to memory of 1060	3024	svchost.exe	16
PID 3024 wrote to memory of 1068	3024	svchost.exe	17
PID 3024 wrote to memory of 1076	3024	svchost.exe	18
PID 3024 wrote to memory of 1216	3024	svchost.exe	19
PID 3024 wrote to memory of 1224	3024	svchost.exe	20
PID 3024 wrote to memory of 1272	3024	svchost.exe	21
PID 3024 wrote to memory of 1284	3024	svchost.exe	22
PID 3024 wrote to memory of 1400	3024	svchost.exe	23
PID 3024 wrote to memory of 1452	3024	svchost.exe	24
PID 3024 wrote to memory of 1468	3024	svchost.exe	25
PID 3024 wrote to memory of 1480	3024	svchost.exe	26
PID 3024 wrote to memory of 1588	3024	svchost.exe	27
PID 3024 wrote to memory of 1628	3024	svchost.exe	28
PID 3024 wrote to memory of 1684	3024	svchost.exe	29
PID 3024 wrote to memory of 1728	3024	svchost.exe	30
PID 3024 wrote to memory of 1804	3024	svchost.exe	31
PID 3024 wrote to memory of 1828	3024	svchost.exe	32
PID 3024 wrote to memory of 1944	3024	svchost.exe	33
PID 3024 wrote to memory of 1972	3024	svchost.exe	34
PID 3024 wrote to memory of 1980	3024	svchost.exe	35
PID 3024 wrote to memory of 1440	3024	svchost.exe	36
PID 3024 wrote to memory of 2104	3024	svchost.exe	37
PID 3024 wrote to memory of 2132	3024	svchost.exe	38
PID 3024 wrote to memory of 2208	3024	svchost.exe	39
PID 3024 wrote to memory of 2272	3024	svchost.exe	40
PID 3024 wrote to memory of 2316	3024	svchost.exe	41
PID 3024 wrote to memory of 2460	3024	svchost.exe	42
PID 3024 wrote to memory of 2468	3024	svchost.exe	43
PID 3024 wrote to memory of 2492	3024	svchost.exe	44
PID 3024 wrote to memory of 2548	3024	svchost.exe	45
PID 3024 wrote to memory of 2704	3024	svchost.exe	46
PID 3024 wrote to memory of 2740	3024	svchost.exe	47
PID 3024 wrote to memory of 2756	3024	svchost.exe	48
PID 3024 wrote to memory of 2772	3024	svchost.exe	49
PID 3024 wrote to memory of 2796	3024	svchost.exe	50
PID 3024 wrote to memory of 2828	3024	svchost.exe	51
PID 3024 wrote to memory of 2836	3024	svchost.exe	52
PID 3024 wrote to memory of 768	3024	svchost.exe	53
PID 3024 wrote to memory of 3336	3024	svchost.exe	55
PID 3024 wrote to memory of 3380	3024	svchost.exe	56
PID 3024 wrote to memory of 3532	3024	svchost.exe	57
PID 3024 wrote to memory of 3760	3024	svchost.exe	58
PID 3024 wrote to memory of 3856	3024	svchost.exe	59
PID 3024 wrote to memory of 3924	3024	svchost.exe	60
PID 3024 wrote to memory of 4016	3024	svchost.exe	61
PID 3024 wrote to memory of 4116	3024	svchost.exe	62
PID 3024 wrote to memory of 2152	3024	svchost.exe	64
PID 3024 wrote to memory of 4636	3024	svchost.exe	66
PID 3024 wrote to memory of 4572	3024	svchost.exe	68
PID 3024 wrote to memory of 5000	3024	svchost.exe	69
PID 3024 wrote to memory of 1460	3024	svchost.exe	70
PID 3024 wrote to memory of 4192	3024	svchost.exe	71
PID 3024 wrote to memory of 1100	3024	svchost.exe	72
PID 3024 wrote to memory of 3404	3024	svchost.exe	73

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:340

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:776
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:768
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3856
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4016
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4116
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2152
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1100
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4892
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4912
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4440
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4700
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1504

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1216
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1440

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2772

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f0acfde3acc6056e023d5e372f24c0ef_JaffaCakes118.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1460

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 58d8bcd1a744bdbebd111aac06cdcc59 MxH5gtSmFkSCIvqRuB1VvQ.0.1.0.0.0
1⤵
PID:2848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3844

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\routing.dll

Filesize
12KB

MD5
8ed3f6402cd16e6d134dc6cf74c09c64

SHA1
d37cb170631913887167ed709310defbe434f91d

SHA256
35ab7d4b0ec0795245caf18b55f0080700d31c388df8885e9ed1b120d064ad0e

SHA512
ab7176722bc65ba32061c5d372081885718a21bdf38178d6f217f2829703a978e51237e8e9cbee0c49282545af2781ffc3f1aa7e8d2b701227d4cde6ce881ebd

Download Submit
memory/3024-5-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/3024-10-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4476-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4476-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download