Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 22:19
Static task: static1
Behavioral task: behavioral1
- Sample: f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
- Size: 12.5MB
- MD5: f474b3b24c28e9731d49632cf52cb20a
- SHA1: 379128e922c6174dd9fe7f16eb1428300860ae00
- SHA256: 2c2ad8fb26b2481604773c7755cc27156ea9a7c6d19993562bd7f3f0777e3931
- SHA512: 226e7ab1d0f5894532ab390960ceb10a6c5ffff97bff475fd7282eafdcd65e4e86251893950c58e48a3e2235ca4ea32f77af44ab084956048ae0e2df0d5151a8
- SSDEEP: 98304:FNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllF:DW
Malware Config
Extracted family: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
  pid   process
  3744  netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  description      ioc                                                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vxdeekpr\ImagePath = "C:\\Windows\\SysWOW64\\vxdeekpr\\lckisnui.exe"  svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  Processes:
  pid   process
  1788  svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4572  lckisnui.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                             pid   process       target process
  PID 4572 set thread context of 1788     4572  lckisnui.exe  svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid   process
  5068  sc.exe
  3532  sc.exe
  2876  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  description                        pid   process                                             target process
  PID 5096 wrote to memory of 3076   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 3076   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 3076   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 1440   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 1440   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 1440   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  cmd.exe
  PID 5096 wrote to memory of 5068   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 5068   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 5068   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 3532   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 3532   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 3532   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 2876   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 2876   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 2876   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  sc.exe
  PID 5096 wrote to memory of 3744   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  netsh.exe
  PID 5096 wrote to memory of 3744   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  netsh.exe
  PID 5096 wrote to memory of 3744   5096  f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe  netsh.exe
  PID 4572 wrote to memory of 1788   4572  lckisnui.exe                                        svchost.exe
  PID 4572 wrote to memory of 1788   4572  lckisnui.exe                                        svchost.exe
  PID 4572 wrote to memory of 1788   4572  lckisnui.exe                                        svchost.exe
  PID 4572 wrote to memory of 1788   4572  lckisnui.exe                                        svchost.exe
  PID 4572 wrote to memory of 1788   4572  lckisnui.exe                                        svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vxdeekpr\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lckisnui.exe" C:\Windows\SysWOW64\vxdeekpr\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create vxdeekpr binPath= "C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe /d\"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description vxdeekpr "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start vxdeekpr
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe
  C:\Windows\SysWOW64\vxdeekpr\lckisnui.exe /d"C:\Users\Admin\AppData\Local\Temp\f474b3b24c28e9731d49632cf52cb20a_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 2
  - Windows Service: 2
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Privilege Escalation
- Create or Modify System Process: 2
  - Windows Service: 2
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\lckisnui.exe
  Filesize: 11.4MB
  MD5: 01c2e9512e0c483fb1ec1cbdb80a4bce
  SHA1: 7f6ca53839f5df02b86cb348aa08360ffc60afcd
  SHA256: 3af707b1201db9f28ea73e251fc6282cf9fb45aefd98a00999cb90e669d17862
  SHA512: b7e1ed8fb7d08266094932e5df7d5dfb7b190065e1c704ee3f7ef4a5ec08acf0b560e98c4ff57c08064348a0a419c43fa6866ca9698b74a14b7f4af967af9e12
- memory/1788-16-0x0000000000AF0000-0x0000000000B05000-memory.dmp
  Filesize: 84KB
- memory/1788-11-0x0000000000AF0000-0x0000000000B05000-memory.dmp
  Filesize: 84KB
- memory/1788-15-0x0000000000AF0000-0x0000000000B05000-memory.dmp
  Filesize: 84KB
- memory/1788-18-0x0000000000AF0000-0x0000000000B05000-memory.dmp
  Filesize: 84KB
- memory/1788-20-0x0000000000AF0000-0x0000000000B05000-memory.dmp
  Filesize: 84KB
- memory/4572-10-0x00000000037D0000-0x00000000038D0000-memory.dmp
  Filesize: 1024KB
- memory/4572-17-0x0000000000400000-0x00000000036CD000-memory.dmp
  Filesize: 50.8MB
- memory/4572-19-0x0000000000400000-0x00000000036CD000-memory.dmp
  Filesize: 50.8MB
- memory/5096-4-0x0000000000400000-0x00000000036CD000-memory.dmp
  Filesize: 50.8MB
- memory/5096-2-0x00000000037F0000-0x0000000003803000-memory.dmp
  Filesize: 76KB
- memory/5096-6-0x0000000000400000-0x00000000036CD000-memory.dmp
  Filesize: 50.8MB
- memory/5096-8-0x00000000037F0000-0x0000000003803000-memory.dmp
  Filesize: 76KB
- memory/5096-1-0x0000000003810000-0x0000000003910000-memory.dmp
  Filesize: 1024KB