800e25ec88196565a9020cfcb5a07f2e4d4952003c0f44ad524b02e3a11cd7bd

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Size

62KB
MD5

f673496497c3de29e925e3c0330c7ce5
SHA1

ad27ee2b20eaeea847138767ce196157c42b36e8
SHA256

800e25ec88196565a9020cfcb5a07f2e4d4952003c0f44ad524b02e3a11cd7bd
SHA512

be74612fad3b88c2502d4895fee55d9870944a93513521ef1ab5334ec85fd7a4bf4c3532165ee17aa888352927836afd7d4cec8cae44b099b55bdd49a6a8e513
SSDEEP

1536:JDoBuXoSY3cHUchmJ1ZJviSPsyqRW3zqttN4czPuV:RCuXxOmIJJvRkyqRozqqczuV

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\xzysmb.sys	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\xzysmb.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\xzysmb.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\xzysmb.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2812	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
2812	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005653a.inf	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xzysmb.dll	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

C:\Users\Admin\AppData\Local\Temp\f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k kecsjb
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\2688.exe

Filesize
809B

MD5
d4a8dfb20d07c8cd2705fbbd2d0faf04

SHA1
aec65873c5777da7618bbbf3078a2d3301e1781c

SHA256
50aaa7c11804c2b95bafc7db82231e6c224fb617b162298b399d053a981786e4

SHA512
df923d0bc225a05b5606dfa80ede68fb7e45628aaa20c13f01d74a8bdaa058aa0c1dbead0bf9686afd9a01793d99af03825eb8abc3b354a7f88cbef49b637d31

Download Submit
\Windows\SysWOW64\xzysmb.dll

Filesize
88KB

MD5
9a8422c40759ead51867b5ffa7562b89

SHA1
8169567d122bae6f5932bc82d256693a408b556c

SHA256
29dc08a0b0c0d6c59f59292c25efcd196421b1132560ebf97fc1d0250f501cee

SHA512
61f93880ed8a33916a0bf411f6e4a534bd0a053f28173abd28c146543186ee169275e09e002649015bba052318d0c6852df1c5975dd20f4a33c7acfcdd6aeae1

Download Submit