91dea9e5ea612fad4f5282a698464a35ed803651ed6e901ac8998ca8566352b2

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Size

1.9MB
MD5

ef286de7cc4cdf261f45669400d8b9ea
SHA1

8ce1800685e6607de8d78d452b2649de499fc8aa
SHA256

91dea9e5ea612fad4f5282a698464a35ed803651ed6e901ac8998ca8566352b2
SHA512

a98fb9cc326c2047ad9104083e2b981df0ba8396a58c29ac54a67064df3172ef50e2dee9da5ed1c1bfec3c6e19d9451a00be232e174b3c6c7d513da31e07df46
SSDEEP

12288:D/FhCcImvdsFa2I9x81fq0uKVMDkidwC7x4khdxJjnDAD6TtptS7ZO8jSVCDI:+aj9x8xq5KvqzXxJdT47ZxSVCDI

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4652	fservice.exe
3952	services.exe

Loads dropped DLL 5 IoCs

pid	Process
3952	services.exe
3952	services.exe
3952	services.exe
4652	fservice.exe
3672	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	212.156.4.20

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wininv.dll	services.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
File opened for modification	C:\Windows\system\sservice.exe	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe
3952	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3952	services.exe
3952	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4652	3672	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe	82
PID 3672 wrote to memory of 4652	3672	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe	82
PID 3672 wrote to memory of 4652	3672	ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe	82
PID 4652 wrote to memory of 3952	4652	fservice.exe	83
PID 4652 wrote to memory of 3952	4652	fservice.exe	83
PID 4652 wrote to memory of 3952	4652	fservice.exe	83
PID 3952 wrote to memory of 5032	3952	services.exe	84
PID 3952 wrote to memory of 5032	3952	services.exe	84
PID 3952 wrote to memory of 5032	3952	services.exe	84
PID 3952 wrote to memory of 3920	3952	services.exe	85
PID 3952 wrote to memory of 3920	3952	services.exe	85
PID 3952 wrote to memory of 3920	3952	services.exe	85
PID 3920 wrote to memory of 404	3920	NET.exe	88
PID 3920 wrote to memory of 404	3920	NET.exe	88
PID 3920 wrote to memory of 404	3920	NET.exe	88
PID 5032 wrote to memory of 428	5032	NET.exe	89
PID 5032 wrote to memory of 428	5032	NET.exe	89
PID 5032 wrote to memory of 428	5032	NET.exe	89

C:\Users\Admin\AppData\Local\Temp\ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef286de7cc4cdf261f45669400d8b9ea_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SysWOW64\fservice.exe
  C:\Windows\system32\fservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\services.exe
    C:\Windows\services.exe -XP
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP SharedAccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:428
  - - C:\Windows\SysWOW64\NET.exe
      NET STOP navapsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fservice.exe

Filesize
1.9MB

MD5
ef286de7cc4cdf261f45669400d8b9ea

SHA1
8ce1800685e6607de8d78d452b2649de499fc8aa

SHA256
91dea9e5ea612fad4f5282a698464a35ed803651ed6e901ac8998ca8566352b2

SHA512
a98fb9cc326c2047ad9104083e2b981df0ba8396a58c29ac54a67064df3172ef50e2dee9da5ed1c1bfec3c6e19d9451a00be232e174b3c6c7d513da31e07df46

Download Submit
C:\Windows\SysWOW64\wininv.dll

Filesize
24KB

MD5
f44e9190900ae1ff43d951dc12691e6c

SHA1
b17cb75f21486fdf0fff99c0313a7156a62653b8

SHA256
1feb2aea58b433b163612d51f454862d9e2921624be878cb26d8609e2c6d1cc0

SHA512
8d3c0fe7ccd4cae8bafedf08b92c6fd344a008063c9511def1c5399583336a2034543db15e75fdc42c16e70d14055263aac06240b457b57bd859520b4f3ba714

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
6ebe4162566888dc0050afc8bacde715

SHA1
e592f0e306eec69b4114228d15cdf3cb57b253af

SHA256
ce7cbb099826c1d946c4bcb97cd2f43a5d34a8e16fd8b181be993702b2dd3452

SHA512
74f33f9d48b1622d0c8ddedb5bc9d9f30c37197b06f4bc0acccff0e272a1ea08d657eee3f0f532a2461d936e40af245594826e60e3874c09bbb835efeedcae65

Download Submit
memory/3672-0-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3672-32-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3952-17-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3952-34-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3952-33-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3952-35-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4652-8-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4652-30-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download