800e25ec88196565a9020cfcb5a07f2e4d4952003c0f44ad524b02e3a11cd7bd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Size

62KB
MD5

f673496497c3de29e925e3c0330c7ce5
SHA1

ad27ee2b20eaeea847138767ce196157c42b36e8
SHA256

800e25ec88196565a9020cfcb5a07f2e4d4952003c0f44ad524b02e3a11cd7bd
SHA512

be74612fad3b88c2502d4895fee55d9870944a93513521ef1ab5334ec85fd7a4bf4c3532165ee17aa888352927836afd7d4cec8cae44b099b55bdd49a6a8e513
SSDEEP

1536:JDoBuXoSY3cHUchmJ1ZJviSPsyqRW3zqttN4czPuV:RCuXxOmIJJvRkyqRozqqczuV

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\uwwfuj.sys	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\uwwfuj.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\uwwfuj.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\kecsjb\ParameterS\ServiceDll = "%SystemRoot%\\System32\\uwwfuj.dll"	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4044	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3828	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
4044	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0005653a.inf	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uwwfuj.dll	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

C:\Users\Admin\AppData\Local\Temp\f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f673496497c3de29e925e3c0330c7ce5_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k kecsjb
1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\uwwfuj.dll

Filesize
88KB

MD5
0219d8aada8d888efc437db97e91d127

SHA1
0f6ed90e34b7f359f0ba3a5414f0189c2d177aec

SHA256
26c29ce596706e38676447735a02be4329373ebdaddbd0a42355d3cb2e05916f

SHA512
fbcca1ff9d51106e211e8a8edc4913e897e97c09a581710bc43329401724c8a7f3639f433899d197ba981c45a7e37e4ebfe66a972c317e17ae7e4132f89f1da7

Download Submit
C:\Windows\Temp\3924.exe

Filesize
809B

MD5
d4a8dfb20d07c8cd2705fbbd2d0faf04

SHA1
aec65873c5777da7618bbbf3078a2d3301e1781c

SHA256
50aaa7c11804c2b95bafc7db82231e6c224fb617b162298b399d053a981786e4

SHA512
df923d0bc225a05b5606dfa80ede68fb7e45628aaa20c13f01d74a8bdaa058aa0c1dbead0bf9686afd9a01793d99af03825eb8abc3b354a7f88cbef49b637d31

Download Submit