Analysis
max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted
16-04-2024 22:19
Static task
static1
Behavioral task
behavioral1
Sample
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
Target
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
Size
12.5MB
MD5
f474b3b24c28e9731d49632cf52cb20a
SHA1
379128e922c6174dd9fe7f16eb1428300860ae00
SHA256
2c2ad8fb26b2481604773c7755cc27156ea9a7c6d19993562bd7f3f0777e3931
SHA512
226e7ab1d0f5894532ab390960ceb10a6c5ffff97bff475fd7282eafdcd65e4e86251893950c58e48a3e2235ca4ea32f77af44ab084956048ae0e2df0d5151a8
SSDEEP
98304:FNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllF:DW
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
Windows security bypass
Processes:
svchost.exe (PID 2740): Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zvagoolm = "0"
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exe (PID 2644)
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe (PID 2740): Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zvagoolm\ImagePath = "C:\\Windows\\SysWOW64\\zvagoolm\\egbhanx.exe"
Deletes itself 1 IoCs
Processes:
svchost.exe (PID 2740)
Executes dropped EXE 1 IoCs
Processes:
egbhanx.exe (PID 2580)
Suspicious use of SetThreadContext 1 IoCs
Processes:
egbhanx.exe (PID 2580) set thread context of svchost.exe (PID 2740)
Launches sc.exe 3 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe (PID 2672), sc.exe (PID 2660), sc.exe (PID 2136)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
Processes (source process -> target process, number of WriteProcessMemory calls):
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> cmd.exe (PID 3024): 4
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> cmd.exe (PID 1796): 4
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> sc.exe (PID 2672): 4
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> sc.exe (PID 2660): 4
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> sc.exe (PID 2136): 4
f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe (PID 2228) -> netsh.exe (PID 2644): 4
egbhanx.exe (PID 2580) -> svchost.exe (PID 2740): 6
Processes
C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
  PID: 2228
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zvagoolm\
    PID: 3024
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\egbhanx.exe" C:\Windows\SysWOW64\zvagoolm\
    PID: 1796
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create zvagoolm binPath= "C:\Windows\SysWOW64\zvagoolm\egbhanx.exe /d\"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2672
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description zvagoolm "wifi internet conection"
    PID: 2660
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start zvagoolm
    PID: 2136
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2644
    - Modifies Windows Firewall
C:\Windows\SysWOW64\zvagoolm\egbhanx.exe
  Command line: C:\Windows\SysWOW64\zvagoolm\egbhanx.exe /d"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
  PID: 2580
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2740
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
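The process tree above is a compact persistence chain: the dropper creates a directory under SysWOW64, moves the payload there, registers it as an auto-start service via sc.exe, opens the firewall for the 32-bit svchost.exe, and the service binary then hollows svchost.exe, rewrites its own ImagePath and adds a Defender path exclusion. The following is an added example, not part of the sandbox report, of turning those observations into detection rules. It runs over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) whose command lines and registry targets are modelled on the report; the field names follow Sysmon's schema, the event records, the two benign control events and the parent PIDs 500/1000 are assumptions made for the example.

```python
"""Detection rules for the Tofsee persistence chain shown in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
Sysmon-style records (EventID 1 = process create, EventID 13 = registry value
set) modelled on the process tree and registry IoCs above.
"""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe")
SVC_DIR = r"C:\Windows\SysWOW64\zvagoolm"

def _proc(pid, ppid, parent, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "ParentImage": parent, "Image": image, "CommandLine": cmdline}

def _reg(pid, image, target, details):
    return {"EventID": 13, "ProcessId": pid, "Image": image,
            "TargetObject": target, "Details": details}

SAMPLE_EVENTS = [  # constructed; PIDs match the report's process tree
    _proc(2228, 1000, r"C:\Windows\explorer.exe", DROPPER, f'"{DROPPER}"'),
    _proc(3024, 2228, DROPPER, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir ' + SVC_DIR + "\\"),
    _proc(1796, 2228, DROPPER, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C move /Y '
          r'"C:\Users\Admin\AppData\Local\Temp\egbhanx.exe" ' + SVC_DIR + "\\"),
    _proc(2672, 2228, DROPPER, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create zvagoolm binPath= '
          r'"C:\Windows\SysWOW64\zvagoolm\egbhanx.exe /d\"' + DROPPER +
          r'\"" type= own start= auto DisplayName= "wifi support"'),
    _proc(2660, 2228, DROPPER, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" description zvagoolm "wifi internet conection"'),
    _proc(2136, 2228, DROPPER, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" start zvagoolm'),
    _proc(2644, 2228, DROPPER, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
          r'name="Host-process for services of Windows" dir=in action=allow '
          r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    _proc(2580, 500, r"C:\Windows\System32\services.exe", SVC_DIR + r"\egbhanx.exe",
          SVC_DIR + r'\egbhanx.exe /d"' + DROPPER + '"'),
    _proc(2740, 2580, SVC_DIR + r"\egbhanx.exe", r"C:\Windows\SysWOW64\svchost.exe",
          "svchost.exe"),
    _reg(2740, r"C:\Windows\SysWOW64\svchost.exe",
         r"HKLM\System\CurrentControlSet\Services\zvagoolm\ImagePath",
         SVC_DIR + r"\egbhanx.exe"),
    _reg(2740, r"C:\Windows\SysWOW64\svchost.exe",
         r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zvagoolm",
         "DWORD (0x00000000)"),
    # benign controls (constructed): a normal service host and an sc.exe query
    _proc(900, 500, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _proc(901, 1000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
          "sc query zvagoolm"),
]

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def sc_create_autostart_wow64(ev):
    # sc.exe create ... binPath= "C:\Windows\SysWOW64\<dir>\..." ... start= auto
    if ev["EventID"] != 1 or _base(ev["Image"]) != "sc.exe":
        return False
    cl = ev["CommandLine"]
    return bool(re.search(r"\bcreate\b", cl, re.I)
                and re.search(r'binPath=\s*"?C:\\Windows\\SysWOW64\\[^\\"]+\\', cl, re.I)
                and re.search(r"start=\s*auto", cl, re.I))

def netsh_allow_svchost(ev):
    # inbound allow rule for a svchost.exe binary added through netsh advfirewall
    if ev["EventID"] != 1 or _base(ev["Image"]) != "netsh.exe":
        return False
    cl = ev["CommandLine"].lower()
    return ("advfirewall" in cl and "add rule" in cl and "action=allow" in cl
            and re.search(r'program="?[^"]*\\svchost\.exe', cl) is not None)

def defender_exclusion_added(ev):
    # any write under the Defender Exclusions key (Paths, Processes, Extensions)
    return (ev["EventID"] == 13
            and "\\windows defender\\exclusions\\" in ev["TargetObject"].lower())

def service_imagepath_wow64(ev):
    # service ImagePath pointing at an EXE inside a subdirectory of SysWOW64
    return (ev["EventID"] == 13
            and re.search(r"\\services\\[^\\]+\\imagepath$", ev["TargetObject"].lower()) is not None
            and re.search(r"c:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe", ev["Details"].lower()) is not None)

def svchost_unexpected_parent(ev):
    # a genuine service host is started by services.exe; here egbhanx.exe starts it
    return (ev["EventID"] == 1 and _base(ev["Image"]) == "svchost.exe"
            and _base(ev.get("ParentImage", "")) != "services.exe")

RULES = {f.__name__: f for f in (sc_create_autostart_wow64, netsh_allow_svchost,
                                 defender_exclusion_added, service_imagepath_wow64,
                                 svchost_unexpected_parent)}

def detect(events):
    """Return {rule name: [ProcessIds that matched]} over the given events."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["ProcessId"])
    return hits

def chain_score(hits):
    """Number of distinct chain stages seen; 5 of 5 is the full pattern above."""
    return sum(1 for name in RULES if hits.get(name))

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name in RULES:
        print(f"{name:28s} {found.get(name, [])}")
    print(f"chain stages observed: {chain_score(found)}/{len(RULES)}")
```

Each rule on its own would be noisy in a large estate (administrators do create services with sc.exe and add firewall rules with netsh); the value is in correlating them, which is why chain_score counts distinct stages rather than individual hits. The svchost.exe parent check is the cheapest high-signal rule here: on a clean host every svchost.exe is a child of services.exe, so one started by a freshly created service binary stands out regardless of how the malware names its directory.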
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\egbhanx.exe
Filesize 14.6MB
MD5 e65def10047ae2308cfb6ba69379cdb0
SHA1 d112a8a71015a096a82bd5f0ed63137c9a6e7598
SHA256 1b0eca2b6ca9296b6c4177c1dd12a0efead0890a61337799d9701c10f6e783e7
SHA512 f4080e8558641d1a2754e118f0e80c78489fc649607c662b7158800e1518d5ea8a69e66cabc7c4934a5b85c7a05bfe8966869719eb394d04511d814bf6287d39
Memory dumps (file, size):
memory/2228-2-0x0000000000220000-0x0000000000233000-memory.dmp 76KB
memory/2228-4-0x0000000000400000-0x00000000036CD000-memory.dmp 50.8MB
memory/2228-7-0x0000000000400000-0x00000000036CD000-memory.dmp 50.8MB
memory/2228-9-0x0000000000220000-0x0000000000233000-memory.dmp 76KB
memory/2228-1-0x00000000037F0000-0x00000000038F0000-memory.dmp 1024KB
memory/2580-18-0x0000000000400000-0x00000000036CD000-memory.dmp 50.8MB
memory/2580-10-0x0000000000400000-0x00000000036CD000-memory.dmp 50.8MB
memory/2580-16-0x0000000003830000-0x0000000003930000-memory.dmp 1024KB
memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp 4KB
memory/2740-11-0x00000000000C0000-0x00000000000D5000-memory.dmp 84KB
memory/2740-20-0x00000000000C0000-0x00000000000D5000-memory.dmp 84KB
memory/2740-14-0x00000000000C0000-0x00000000000D5000-memory.dmp 84KB
memory/2740-21-0x00000000000C0000-0x00000000000D5000-memory.dmp 84KB
memory/2740-22-0x00000000000C0000-0x00000000000D5000-memory.dmp 84KB