Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-04-2024 19:22
Static task
static1
Behavioral task
behavioral1
Sample
f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe
-
Size
13.1MB
-
MD5
f1bcb7d5244183f7769af344a006781e
-
SHA1
9a4fb8b9d36d1093b907bd00beb2244d13383300
-
SHA256
a76d1b8d639dd74017ff5501f34a3cb2b59a0730b87a3663c82137a523ef23e3
-
SHA512
8976637ed27c92e7f1a036e33885091a075727d1b56b4ecccddb9b02121d54e539888ebe7ef09dca410691fa41311fdfe73cb69a96c8134e70130e69d77b54f5
-
SSDEEP
49152:T1yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllln:TA
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qabeaorn = "0" svchost.exe -
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2444 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qabeaorn\ImagePath = "C:\\Windows\\SysWOW64\\qabeaorn\\rtmxemaq.exe" svchost.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 2424 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
rtmxemaq.exepid process 2684 rtmxemaq.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
rtmxemaq.exedescription pid process target process PID 2684 set thread context of 2424 2684 rtmxemaq.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2656 sc.exe 2560 sc.exe 2636 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exertmxemaq.exedescription pid process target process PID 2940 wrote to memory of 2884 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2884 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2884 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2884 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2548 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2548 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2548 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2548 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe cmd.exe PID 2940 wrote to memory of 2656 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2656 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2656 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2656 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2560 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2560 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2560 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2560 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2636 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2636 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2636 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2636 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe sc.exe PID 2940 wrote to memory of 2444 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe netsh.exe PID 2940 wrote to memory of 2444 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe netsh.exe PID 2940 wrote to memory of 2444 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe netsh.exe PID 2940 wrote to memory of 2444 2940 f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe netsh.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe PID 2684 wrote to memory of 2424 2684 rtmxemaq.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qabeaorn\2⤵PID:2884
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rtmxemaq.exe" C:\Windows\SysWOW64\qabeaorn\2⤵PID:2548
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create qabeaorn binPath= "C:\Windows\SysWOW64\qabeaorn\rtmxemaq.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:2656 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description qabeaorn "wifi internet conection"2⤵
- Launches sc.exe
PID:2560 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start qabeaorn2⤵
- Launches sc.exe
PID:2636 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:2444
-
C:\Windows\SysWOW64\qabeaorn\rtmxemaq.exeC:\Windows\SysWOW64\qabeaorn\rtmxemaq.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bcb7d5244183f7769af344a006781e_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2424
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.7MB
MD53ca9bb853c4cbabec75ab94511b38313
SHA1b02afa667ead88fe3e99487d1805cc75a0aee6a7
SHA25652974b1e49c38a24763f0f1e65e805e3f8b5d71b7c855286467ae8f077909daf
SHA51203ba77db69da13fc2a113d2ed30854c5753e9b9b464af9cbb2131fadd9e56ddaa4a256df7ec240536f9bde6216c2e5877cbe0969c95f0c5e8c63fccfabf5dd77