Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 00:52
Static task: static1
Behavioral task: behavioral1
- Sample: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
- Size: 10.6MB
- MD5: f2500e9a3134b4790760b2ef60c0144b
- SHA1: 1c3f9aaa8988227ebad2686e977533d53e51b162
- SHA256: 064748a64b3e6198f3f9b3821f8aa4b74ee9d687503a1e9ded2926308a86517f
- SHA512: ba69ce0db33d4691641f7dbdc4ae3b2a582e1a47d12d606b0ba1761bf5d442f3e772aeb7327c6ea6293144c3ccb923d86e578db6e3a96f8537584d342576173a
- SSDEEP: 24576:AerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:AsW
Malware Config
Extracted
- Family: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Windows security bypass
  Processes:
  - svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\pnuednnm = "0"
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
  - netsh.exe (PID 1172)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  - svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pnuednnm\ImagePath = "C:\\Windows\\SysWOW64\\pnuednnm\\xgwklzou.exe"
- Deletes itself (1 IoCs)
  Processes:
  - svchost.exe (PID 2676)
- Executes dropped EXE (1 IoCs)
  Processes:
  - xgwklzou.exe (PID 2992)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - xgwklzou.exe (PID 2992) set thread context of PID 2676 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  - sc.exe (PID 2564)
  - sc.exe (PID 2292)
  - sc.exe (PID 2628)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (repeated identical entries collapsed, count in parentheses):
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2328 (cmd.exe) (4)
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 1152 (cmd.exe) (4)
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2292 (sc.exe) (4)
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2628 (sc.exe) (4)
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2564 (sc.exe) (4)
  - PID 1356 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 1172 (netsh.exe) (4)
  - PID 2992 (xgwklzou.exe) wrote to memory of PID 2676 (svchost.exe) (6)
Processes
- C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe (PID 1356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2328)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pnuednnm\
  - C:\Windows\SysWOW64\cmd.exe (PID 1152)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xgwklzou.exe" C:\Windows\SysWOW64\pnuednnm\
  - C:\Windows\SysWOW64\sc.exe (PID 2292)
    Command line: "C:\Windows\System32\sc.exe" create pnuednnm binPath= "C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2628)
    Command line: "C:\Windows\System32\sc.exe" description pnuednnm "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2564)
    Command line: "C:\Windows\System32\sc.exe" start pnuednnm
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 1172)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe (PID 2992)
  Command line: C:\Windows\SysWOW64\pnuednnm\xgwklzou.exe /d"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2676)
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Downloads
- Filesize: 14.8MB
  - MD5: 7f53a36ea851fea6d57d9230c93817e2
  - SHA1: 9155c8bb26ea09fefa7505195dd140200f449138
  - SHA256: 1859e848a83e4c4d9a7338f56d073b1a375f429d64563ebb2aa960b371d66c3f
  - SHA512: c20fd723e959be1315eada69b9edc1053d201eafd22f885d7b6c092c3ab221aa81fcb0b823354f6a26e65dbb7d1f2b8a80e96163350a1848710229e3aede4e01