Analysis
max time kernel: 143s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
Size: 142KB
MD5: 048725634c77ed7223cd9b91d90b172b
SHA1: 40628d5ffe1bbd7915a628938a8acac0d9c77ba3
SHA256: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
SHA512: ad87648a4003832c7ec6129b2745c119c693f99628295cb318d285b8c5ca23d8ec0a4682fdbe3e8a880de0f6e9b84ed78ae3279c457477d5d6a2b27f1284446c
SSDEEP: 3072:Urmeq2+/v4ZyY6yZHeLZVDZrHEzgGQNZ2uZlanCt:U6hy5cXZrHRlNou/anC
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Windows security bypass
  Processes: svchost.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\lunfdjuc = "0"
  process: svchost.exe
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe
  pid 2608 netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lunfdjuc\ImagePath = "C:\\Windows\\SysWOW64\\lunfdjuc\\byjvpqu.exe"
  process: svchost.exe
Deletes itself 1 IoCs
  Processes: svchost.exe
  pid 2564 svchost.exe
Executes dropped EXE 1 IoCs
  Processes: byjvpqu.exe
  pid 2632 byjvpqu.exe
Suspicious use of SetThreadContext 1 IoCs
  Processes: byjvpqu.exe
  description: PID 2632 set thread context of 2564
  pid 2632, process byjvpqu.exe, target process svchost.exe
Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid 2644 sc.exe; pid 2696 sc.exe; pid 2640 sc.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
  Processes: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe, byjvpqu.exe
  description | pid | process | target process | times reported
  PID 2964 wrote to memory of 2080 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe | 4
  PID 2964 wrote to memory of 2920 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe | 4
  PID 2964 wrote to memory of 2644 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe | 4
  PID 2964 wrote to memory of 2696 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe | 4
  PID 2964 wrote to memory of 2640 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe | 4
  PID 2964 wrote to memory of 2608 | 2964 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | netsh.exe | 4
  PID 2632 wrote to memory of 2564 | 2632 | byjvpqu.exe | svchost.exe | 6
  (identical entries collapsed; the last column gives how many times each was reported, 30 in total)
Processes
C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lunfdjuc\
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\byjvpqu.exe" C:\Windows\SysWOW64\lunfdjuc\
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create lunfdjuc binPath= "C:\Windows\SysWOW64\lunfdjuc\byjvpqu.exe /d\"C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description lunfdjuc "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start lunfdjuc
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\lunfdjuc\byjvpqu.exe
  command line: C:\Windows\SysWOW64\lunfdjuc\byjvpqu.exe /d"C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\byjvpqu.exe
  Filesize: 13.6MB
  MD5: 32bc1fa1e913dd55067412e88627085a
  SHA1: 6e42bba62a260cb63df903336e92fc9a9999d9da
  SHA256: 9b68982a84c06b6945472e92307a70b0f78e69705b824d2e53dcd62a5c02c109
  SHA512: 11be74e6f75af7eff9f677503f12a550fab45fc4004d19c85d3d542148aecf38f63ef9f940830327a579c7a4b83dfbf889a2568155c01151f6c1adc14a95e244
memory/2564-8-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-13-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-11-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
memory/2564-15-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2632-7-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2632-14-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2964-0-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2964-2-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB
memory/2964-1-0x00000000003D0000-0x00000000003D1000-memory.dmp
  Filesize: 4KB
memory/2964-6-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB