aceca16c33ae8a73b1fd7699a8317d70d164df9744cb7e494834b9c1e457a768

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
Size

105KB
MD5

08e5352a2416bd32a1c07f2d6c2f11fa
SHA1

75a8054ee4939564fb90ccc654f0cfa9afe062c7
SHA256

aceca16c33ae8a73b1fd7699a8317d70d164df9744cb7e494834b9c1e457a768
SHA512

db1268b7f11726d9fae2d143757bec5c1497710cc97f3561cdf6dbd5cdd97aef7da2f1fbbbf6819b520e01a85e83775817d051812bcfcf5850dd534532ffc2af
SSDEEP

1536:2FmExUd6hs8reTaBElUWasAYHx0OyZ206LM9YZALMwVw:2nohCWasXxb0T9YZ3we

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1524 svchost.exe

pid	process
1524	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File created	C:\Windows\SysWOW64\enumfs.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dnlist.ini	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exesvchost.exe

description	ioc	process
File created	C:\Windows\system\config_t.dat	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification	C:\Windows\system\config_t.dat	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
File opened for modification	C:\Windows\system\config_t.dat	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3392 ipconfig.exe

pid	process
3392	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1524 svchost.exe
1524 svchost.exe

pid	process
1524	svchost.exe
1524	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.execmd.exesvchost.exe

description	pid	process	target process
PID 4176 wrote to memory of 3608	4176	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe	cmd.exe
PID 4176 wrote to memory of 3608	4176	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe	cmd.exe
PID 4176 wrote to memory of 3608	4176	08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 2472	3608	cmd.exe	reg.exe
PID 3608 wrote to memory of 2472	3608	cmd.exe	reg.exe
PID 3608 wrote to memory of 2472	3608	cmd.exe	reg.exe
PID 1524 wrote to memory of 3392	1524	svchost.exe	ipconfig.exe
PID 1524 wrote to memory of 3392	1524	svchost.exe	ipconfig.exe
PID 1524 wrote to memory of 3392	1524	svchost.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08e5352a2416bd32a1c07f2d6c2f11fa_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
3⤵
- Server Software Component: Terminal Services DLL
PID:2472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\net.bat
Filesize
211B

MD5
dde99ab936da8cbda74ea779ef0b2e67

SHA1
1e27e432e0b7c81b990b92595daebdf0539efea4

SHA256
ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80

SHA512
62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

Download Submit
C:\Windows\SysWOW64\dnlist.ini
Filesize
60B

MD5
c3bacb90e99eba817ab09df0d0ef20c6

SHA1
fe4e99571d73151583f7df9b38007324da49e2ef

SHA256
b99d78b6de211146fb5ab7786a873cc8429651c09e85b42ff78158219deaf79c

SHA512
5ca86a92927b7caf4b8d78c09f53a9fe2579f402140b38f42e47467e56a4156e4bf77bcae03fa626d75c1e274b9189a1d5e4da38836e601c0e602df075f61f12

Download Submit
C:\Windows\SysWOW64\enumfs.ini
Filesize
62B

MD5
61ce2d6472694de11b077a557065c911

SHA1
174600480ef52e775821467d289f1c2c6c7a7a43

SHA256
d8e6d2a7f536cb1a4e0ddba96073849f264a489deadfd7edbe4425924cdbbd61

SHA512
1b62b4dc93cdf14b52681570d97b87038040f3f8a04ad355c80784d0d90bf2b6d5d25ecc27196fd1566e0bedd110f9c395e7a2f465bad39fec240e94de2a41c2

Download Submit
C:\Windows\SysWOW64\system_t.dll
Filesize
1KB

MD5
ed7d77053c329a4a938260ec8a0cd3d3

SHA1
3d6697de16eb6aadc19a519759ba03567d52a0e1

SHA256
b98b0089a648f39d94b0c4ab568931965b918181616bd98a122c582f64f27fab

SHA512
23c095f06a98a0e184c2a12bf224534f7b92697bcfdd0ea7aad26831256adfc7c3a36e9af892f5bea5bc80add15e8df29372b1a7c30df82e46d06bc397e29c36

Download Submit
C:\Windows\System\config_t.dat
Filesize
142B

MD5
9ddb656796bb7d9ad7e3fdb19e50f4df

SHA1
3cbd7ed350a3b1a6d721355f3bf1987a7397c556

SHA256
91b75374e15df2be1b82e68b1fc303724cc30e6976aa2b6d0f75e59dfafc50f6

SHA512
210d5389ebc24449778c3801b304bc4759d5337570554cf782b045f11bd5e0bc54ce392d338416d1505385c28916b2c2c619d87aeb5787d5c5c10d02ec9bb04b

Download Submit
C:\Windows\system\config_t.dat
Filesize
186B

MD5
623bd7dce6a349545c890a17f18fb88d

SHA1
e0b3634aee490367844785469833101aa0fa29fd

SHA256
9230503e7b768ea4843c78ec22231b9c95af9c51a8112c3a935552761733adc7

SHA512
fe301a1ea4c026e978d60d03c087c9f08227fafe6b44fe52d8c0f3e0da79b85124527025a2ea9077fc497794d971f2687bfea9aec37be0a54b4e15f29aee6f86

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
Filesize
53KB

MD5
bff5561677a647c314446e6daa509beb

SHA1
ea52a1a5b15a13bee44cdbfe97beb9c0a4cecc32

SHA256
91baeec8fa63fbfb7cc0b3e441b438edc6e156fc0ab18a56c7bb6c5df3045048

SHA512
470973e51649968a0298e46883f5bc9f38d440d7376b6f8b6f6e191f19c5af7f78544a80a90dd218fc6871d519ecdf1735499f3e209b8d103a1c981edf07787b

Download Submit