Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe
Size: 13.6MB
MD5: f17d88a0df8a456fd5bb47249102360e
SHA1: 93a47d4886b3c20869d9ad6b37af0f6609c634ff
SHA256: 852db1cc9caa9f15b3b0cba0d14e653d286941bf4b0d4998581dac3454a09fff
SHA512: 61b24621b4367ddf2ff0712812c537f85e1785a935a3062cc6625b3b5fea9ddd84e8792a0f9485ad2ece0279cb0aea1034a4dc4d648e5665c84736c47f4404fe
SSDEEP: 49152:h8yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyO:h
Malware Config
Extracted
Family: tofsee
C2: 43.231.4.6
C2: lazystax.ru
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
  pid   process
  936   netsh.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ndjbuvpi\ImagePath = "C:\\Windows\\SysWOW64\\ndjbuvpi\\hzhwecge.exe"

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoCs)
Processes:
  pid   process
  4828  svchost.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2568  hzhwecge.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process       target process
  PID 2568 set thread context of 4828  2568  hzhwecge.exe  svchost.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  4996  sc.exe
  2752  sc.exe
  5112  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  4328  4500        WerFault.exe  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe
  448   2568        WerFault.exe  hzhwecge.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  description                        pid   process                                              target process  count
  PID 4500 wrote to memory of 384    4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  cmd.exe         3
  PID 4500 wrote to memory of 1404   4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  cmd.exe         3
  PID 4500 wrote to memory of 4996   4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  sc.exe          3
  PID 4500 wrote to memory of 2752   4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  sc.exe          3
  PID 4500 wrote to memory of 5112   4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  sc.exe          3
  PID 4500 wrote to memory of 936    4500  f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  netsh.exe       3
  PID 2568 wrote to memory of 4828   2568  hzhwecge.exe                                         svchost.exe     5
Processes
C:\Users\Admin\AppData\Local\Temp\f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe  (PID 4500)
  command line: "C:\Users\Admin\AppData\Local\Temp\f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 384)
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ndjbuvpi\
    C:\Windows\SysWOW64\cmd.exe  (PID 1404)
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hzhwecge.exe" C:\Windows\SysWOW64\ndjbuvpi\
    C:\Windows\SysWOW64\sc.exe  (PID 4996)
      command line: "C:\Windows\System32\sc.exe" create ndjbuvpi binPath= "C:\Windows\SysWOW64\ndjbuvpi\hzhwecge.exe /d\"C:\Users\Admin\AppData\Local\Temp\f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 2752)
      command line: "C:\Windows\System32\sc.exe" description ndjbuvpi "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (PID 5112)
      command line: "C:\Windows\System32\sc.exe" start ndjbuvpi
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe  (PID 936)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\WerFault.exe  (PID 4328)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1224
      - Program crash
C:\Windows\SysWOW64\ndjbuvpi\hzhwecge.exe  (PID 2568)
  command line: C:\Windows\SysWOW64\ndjbuvpi\hzhwecge.exe /d"C:\Users\Admin\AppData\Local\Temp\f17d88a0df8a456fd5bb47249102360e_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (PID 4828)
      command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
    C:\Windows\SysWOW64\WerFault.exe  (PID 448)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 516
      - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 2344)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe  (PID 3908)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2568 -ip 2568
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 10.9MB
MD5: ce166ece2b7e92d62a5bdc3d04ebfed8
SHA1: 7401b2afee72015dc636cbc161ffc8dfb937d269
SHA256: 868dcd784c26cd2831fd13cfef3c43fe4687ec2f393e2da987ad698af3c216ba
SHA512: b16b51a68bd7db1f0e1c905b9089a4aa9770f3754e77a19e09a026e1cd7fa61134b94b0f725e72c16864f1ffd775adfb6c2e801b2bed02d426a6361dff250978