Analysis

max time kernel: 145s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 19:25
Static task: static1

Behavioral task: behavioral1
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General

Target: f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe
Size: 13.1MB
MD5: f1bdc796ba64b96cd4aaaf20ff3da0cc
SHA1: 3853853e87d469821b136c75f4bc16b09a9c5a2b
SHA256: 46c879741fc6d476d4ff3edcd1b33c43c5b6107958925d706dd83fb0b1035f20
SHA512: e6876df269d2c0559484e37b0da780191c45ae3a6b3d48b7dc01002e5a789e696a6fe7b9674e60d90e94bd5214a7ebb2012a3bd39bf381bc79d40aa33b5bf92a
SSDEEP: 24576:Vl3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:
Malware Config

Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Windows security bypass
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\acubwmzs = "0"

Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  netsh.exe (PID 2600)

Sets service image path in registry (2 TTPs, 1 IoCs)
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\acubwmzs\ImagePath = "C:\\Windows\\SysWOW64\\acubwmzs\\boenylys.exe"

Deletes itself (1 IoCs)
  svchost.exe (PID 2496)

Executes dropped EXE (1 IoCs)
  boenylys.exe (PID 2660)

Suspicious use of SetThreadContext (1 IoCs)
  boenylys.exe (PID 2660) set thread context of svchost.exe (PID 2496)
Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility used to control services on the system.
  sc.exe (PID 2596), sc.exe (PID 2732), sc.exe (PID 2656)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (30 IoCs)
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of cmd.exe (PID 2100): 4 events
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of cmd.exe (PID 2548): 4 events
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of sc.exe (PID 2656): 4 events
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of sc.exe (PID 2596): 4 events
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of sc.exe (PID 2732): 4 events
  f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232) wrote to memory of netsh.exe (PID 2600): 4 events
  boenylys.exe (PID 2660) wrote to memory of svchost.exe (PID 2496): 6 events
Processes

C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe (PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe (PID 2100)
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\acubwmzs\
    C:\Windows\SysWOW64\cmd.exe (PID 2548)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\boenylys.exe" C:\Windows\SysWOW64\acubwmzs\
    C:\Windows\SysWOW64\sc.exe (PID 2656)
      Command line: "C:\Windows\System32\sc.exe" create acubwmzs binPath= "C:\Windows\SysWOW64\acubwmzs\boenylys.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 2596)
      Command line: "C:\Windows\System32\sc.exe" description acubwmzs "wifi internet conection"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 2732)
      Command line: "C:\Windows\System32\sc.exe" start acubwmzs
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (PID 2600)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\acubwmzs\boenylys.exe (PID 2660)
  Command line: C:\Windows\SysWOW64\acubwmzs\boenylys.exe /d"C:\Users\Admin\AppData\Local\Temp\f1bdc796ba64b96cd4aaaf20ff3da0cc_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe (PID 2496)
      Command line: svchost.exe
      Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

Filesize: 11.0MB
MD5: 1c57c13bcdead72d25d4ae273199d8ee
SHA1: d23dca1913fe89defd29b3c0ff58623eeef262dd
SHA256: 0a437c2019bb9d91c17c1bb6703b81b509a1946394b39a51b0526de9a81e5ace
SHA512: 0fc423dd344d8f7318a7ff9caae0cb71d6f15a415c4e3c0c37837d3af1dcf4f8ba0634cf73fb9d93bdfae7573f5afc27185b002eae07257edb46cb3b2de32980