Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 21:13

Static task: static1

Behavioral task: behavioral1
Sample: f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
Resource: win10v2004-20240412-en

General
Target: f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
Size: 12.6MB
MD5: f1efb145c5dda056d48a9442dc04926a
SHA1: eaebffb29a1611d484e18a11af6dfdabd05fec3e
SHA256: d295cb6824f3b1dee15da5e235dd3af4cd06c839a7c56adf62be284c4763ac7a
SHA512: d3cdac4f2d34d26d8896dfbc6e4b42d7169b8ecb110067846d35bd893c9540613a16eb98409b5e4997d88475be5127237fc58a2d3978285cb6dfba35d70c7902
SSDEEP: 196608:XE/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvn:XE
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid 4588 | process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\arrsxkc\ImagePath = "C:\\Windows\\SysWOW64\\arrsxkc\\kngomowg.exe"
    process: svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation
    process: f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  Processes:
    pid 2220 | process svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2612 | process kngomowg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 2612 set thread context of 2220
    pid 2612 | process kngomowg.exe | target process svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 4332 | process sc.exe
    pid 4388 | process sc.exe
    pid 3884 | process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes:
    pid | pid_target | process | target process
    2764 | 3064 | WerFault.exe | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
    1608 | 2612 | WerFault.exe | kngomowg.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description | pid | process | target process
    PID 3064 wrote to memory of 3408 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 3408 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 3408 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 3536 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 3536 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 3536 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | cmd.exe
    PID 3064 wrote to memory of 4332 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4332 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4332 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4388 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4388 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4388 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 3884 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 3884 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 3884 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | sc.exe
    PID 3064 wrote to memory of 4588 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | netsh.exe
    PID 3064 wrote to memory of 4588 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | netsh.exe
    PID 3064 wrote to memory of 4588 | 3064 | f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe | netsh.exe
    PID 2612 wrote to memory of 2220 | 2612 | kngomowg.exe | svchost.exe
    PID 2612 wrote to memory of 2220 | 2612 | kngomowg.exe | svchost.exe
    PID 2612 wrote to memory of 2220 | 2612 | kngomowg.exe | svchost.exe
    PID 2612 wrote to memory of 2220 | 2612 | kngomowg.exe | svchost.exe
    PID 2612 wrote to memory of 2220 | 2612 | kngomowg.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3064
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\arrsxkc\
    PID: 3408
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kngomowg.exe" C:\Windows\SysWOW64\arrsxkc\
    PID: 3536
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create arrsxkc binPath= "C:\Windows\SysWOW64\arrsxkc\kngomowg.exe /d\"C:\Users\Admin\AppData\Local\Temp\f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 4332
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description arrsxkc "wifi internet conection"
    - Launches sc.exe
    PID: 4388
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start arrsxkc
    - Launches sc.exe
    PID: 3884
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 4588
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1196
    - Program crash
    PID: 2764
- C:\Windows\SysWOW64\arrsxkc\kngomowg.exe
  Command line: C:\Windows\SysWOW64\arrsxkc\kngomowg.exe /d"C:\Users\Admin\AppData\Local\Temp\f1efb145c5dda056d48a9442dc04926a_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2612
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 2220
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 512
    - Program crash
    PID: 1608
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3064 -ip 3064
  PID: 3320
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2612 -ip 2612
  PID: 64
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 10.3MB
  MD5: 100ac28655dc1a450f58eae99b92a74f
  SHA1: c498269629af96740ba8b5de327590498ac46586
  SHA256: 2a9d43ff1c8bf5965e8e7425ef04710b0225abaa72b36656374f0dc244a109cd
  SHA512: 1013281f9965d68c1e1445fea64b94e438919f7f2936aaa467725671acfe690cfb875be3df55efb8ed999942f565b95fcddbc56b5df21067d53668060a9df176