d58e48dec2d54893ba1d9d161cbc79c059cc9ea0036b18724bd46890af7285ce

General

Target

37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Size

141KB
MD5

37bc462fa78afb8a95ab08c5060d0cfd
SHA1

b529c6b83363460cad9617ed2b477361aae70135
SHA256

d58e48dec2d54893ba1d9d161cbc79c059cc9ea0036b18724bd46890af7285ce
SHA512

01379f83504750fa64a3af0f6f6b53370ca4cc1c2c4a993eb00c3a166ce0721da57c0cefe88843a5d39773e5f4e809be53c9e26447a6a868c19d88aaa9c0e350
SSDEEP

3072:XMq3qCEqUTIzWodffH/oDYfdkyygR7Lxnf41NM:cq3q9bT1oxPwEF3t41+

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe

Loads dropped DLL 39 IoCs

pid	Process
4776	svchost.exe
4776	svchost.exe
4776	svchost.exe
2828	svchost.exe
2828	svchost.exe
2828	svchost.exe
4292	svchost.exe
4292	svchost.exe
4292	svchost.exe
5112	svchost.exe
5112	svchost.exe
5112	svchost.exe
3668	svchost.exe
3668	svchost.exe
3668	svchost.exe
3816	svchost.exe
3816	svchost.exe
3816	svchost.exe
3816	svchost.exe
3816	svchost.exe
3816	svchost.exe
5100	svchost.exe
5100	svchost.exe
5100	svchost.exe
844	svchost.exe
844	svchost.exe
844	svchost.exe
1844	svchost.exe
1844	svchost.exe
1844	svchost.exe
2212	svchost.exe
2212	svchost.exe
2212	svchost.exe
2064	svchost.exe
2064	svchost.exe
2064	svchost.exe
1196	svchost.exe
1196	svchost.exe
1196	svchost.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4352	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
4352	37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37bc462fa78afb8a95ab08c5060d0cfd_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
141KB

MD5
a0a66930976b99da846ab647b414a5a6

SHA1
b0c1e743343f4dbe9cb386f9235ba4c40c3c4a00

SHA256
c075d124757d886b1af54c9ffaa1b641f11571826484c9078274a625ac07dbe2

SHA512
c2bf9eceae0f09716ce76f04d99c49fe9729f3dc4c5b74580d78324ca63feb0bf1fd08747cb6766d7241a6d82b25a24cb73ca13ece4beb6581261926dec57ab6

Download Submit
memory/844-53-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-69-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3816-39-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/3816-43-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/3816-42-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/3816-41-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/3816-40-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/3816-38-0x00000000011C0000-0x00000000011E3000-memory.dmp

Filesize
140KB

Download
memory/4352-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4352-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4776-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4776-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing