4d3a0ba910024c6ca1ca9e915eb43fff7f9610406105750383f716069e7dfb91

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
Size

95KB
MD5

1a70e1e36e6afa454f6457140ac3d2ec
SHA1

853c94da9a70900281a4345dab7c43812a467609
SHA256

4d3a0ba910024c6ca1ca9e915eb43fff7f9610406105750383f716069e7dfb91
SHA512

7ed173915292f8986cedfc4111ae644be0b497ba2d9e57a31d90699c5d8843b09646a94788f9644ddb732dc5ec6d6ee747e2de1fc4b0e852a64428d4398f1413
SSDEEP

1536:yL6aduLanddV3DKTNKmeQAaswB18GF7ECWYevGwyvHYBAwnW4i9:yLFdPyjAaswzjVFOBA3

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1588 svchost.exe

pid	process
1588	svchost.exe

Drops file in System32 directory 14 IoCs

Processes:

svchost.exe1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost.log	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File created	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\system_t.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exesvchost.exe

description	ioc	process
File created	C:\Windows\system\config_t.dat	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
File opened for modification	C:\Windows\system\config_t.dat	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
File opened for modification	C:\Windows\system\config_t.dat	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

3524 ipconfig.exe

pid	process
3524	ipconfig.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1588 svchost.exe
1588 svchost.exe

pid	process
1588	svchost.exe
1588	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.execmd.exesvchost.exe

description	pid	process	target process
PID 3312 wrote to memory of 2984	3312	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe	cmd.exe
PID 3312 wrote to memory of 2984	3312	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe	cmd.exe
PID 3312 wrote to memory of 2984	3312	1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe	cmd.exe
PID 2984 wrote to memory of 4564	2984	cmd.exe	reg.exe
PID 2984 wrote to memory of 4564	2984	cmd.exe	reg.exe
PID 2984 wrote to memory of 4564	2984	cmd.exe	reg.exe
PID 1588 wrote to memory of 3524	1588	svchost.exe	ipconfig.exe
PID 1588 wrote to memory of 3524	1588	svchost.exe	ipconfig.exe
PID 1588 wrote to memory of 3524	1588	svchost.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a70e1e36e6afa454f6457140ac3d2ec_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c temp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d C:\Windows\system32\FastUserSwitchingCompatibilityex.dll
3⤵
- Server Software Component: Terminal Services DLL
PID:4564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.bat
Filesize
211B

MD5
dde99ab936da8cbda74ea779ef0b2e67

SHA1
1e27e432e0b7c81b990b92595daebdf0539efea4

SHA256
ab6da77270cb63c49d1d12e854850e882d03f41ce48782e98c81bcede0c9ad80

SHA512
62a124172d34dc56d00328b45ac13a029c847c2b7e2843ec38270a7c4d813b68b7d66b9a8ef80b8adfa7b1a894f36b5f8c6365fa5551c35939c0b76cd4439437

Download Submit
C:\Windows\SysWOW64\svchost.log
Filesize
605B

MD5
f3227521c45d4e6fbeff684a2466a5e3

SHA1
674707d204fd3cc410da70687931c8d95ee0f04a

SHA256
f72c06e5532bcd54ee8fc497543028bee41f89b5da4a6450525ace25e7554b8a

SHA512
775f3b8d2f0c12cc060ca318ee703968d5278d6ea300983cb57c6a967da6b00c6e97892ad43b127731132d160e2b147a264b2d6af6ac44b7dd4efff26ea64ba8

Download Submit
C:\Windows\SysWOW64\system_t.dll
Filesize
1KB

MD5
2c924d2cbe0cb452708267e71688e166

SHA1
5967f9b11d0c210a25acaed0db356cf956917b63

SHA256
f28922f4f2cc5e08d42636611b802b15f04deb97b6619b936a25309540e211af

SHA512
0ee61cb196486f34363a6030ddc0558c543a48a32cf4b6f77207f764f38a5fff8a6d2f16fdada1a5aa52a4b215db75af33208e70838f0735ce293ed2bd1c8ab1

Download Submit
C:\Windows\SysWOW64\system_t.dll
Filesize
495B

MD5
70eac4020cb5284dd535e21b4e702253

SHA1
2345ead46aa9185a3e16ece92f0371ff6ddb8df6

SHA256
a7c4ee29e115f592f030b3d27b2092133620145c8a21f1cfbb099428fc16cd2b

SHA512
0edf891d1d43f2801e69cc4b114f6b36f71e9d7c06f284b731cc8b863e80cce663f9a739641b410edf98445433e4ec141cec7cd3cf42cd6e94411f4e56ddb88b

Download Submit
C:\Windows\SysWOW64\system_t.dll
Filesize
747B

MD5
1c18b11ace3e227bdce55b70e0bb6607

SHA1
09ce8dc28f3d0d92b197d015a6512bc2e824917d

SHA256
f91817f3efa29cc04eea0bbc2b3378f1d7f91744491d803b0fa991ee2687e8ff

SHA512
4afb972072adb5d6a552144239f883bd7917c31183a0b93fc85b45404211da01576ff341f36dcc975633d397fd8210a97d2b9bb35c7606f3a010e47bf8e38360

Download Submit
C:\Windows\System\config_t.dat
Filesize
138B

MD5
ada008f2bbc8bf17b0a0287a289c688a

SHA1
61b609261c81c511aff48b9cd24ee1307c225a56

SHA256
97a7d664f16b924996af78d2ea84f336d8395c8db5829761ad02bf223e88f689

SHA512
08bf0e452c3182a18f427ba861a641922a17a7f7ac2b21b2d04af2e496ab5afacd5c6f44c685b0cf3ca9ed471434af2536a3ce1d13c48eed427368b0de388ffb

Download Submit
C:\Windows\system\config_t.dat
Filesize
182B

MD5
ea72bea48bcb1dcad5a66609b5a1e81e

SHA1
f14a1bfe3d208c3d9d617484b122c779d50a10a6

SHA256
ec3eba5f4e5d72cf0bb6697a6eacc9f73a0eb0e89f0d9e498f48007689c46fb6

SHA512
255e0dae11114231a78773354fe9edbe2fa357fb47d2a5e11d1eec96655ee124356841929d3a27faf9f53bcd140bc855ebe88d8b53289c7cafe7dcc77a49c033

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibilityex.dll
Filesize
45KB

MD5
452660884ebe3e88ddabe2b340113c8a

SHA1
b80d436afcf2f0493f2317ff1a38c9ba329f24b1

SHA256
ed6ad64dad85fe11f3cc786c8de1f5b239115b94e30420860f02e820ffc53924

SHA512
11c0bc211da6e083015d98cde3c34ce7f36fb492a9859936b1294e730f420f6ac8a68ceacb4367977d930b26ee8f99a0fd08eba59b895de23ac3b4d32ddfaa1c

Download Submit