Analysis
max time kernel: 146s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 00:52
Static task: static1
Behavioral task: behavioral1
  Sample: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
Size: 10.6MB
MD5: f2500e9a3134b4790760b2ef60c0144b
SHA1: 1c3f9aaa8988227ebad2686e977533d53e51b162
SHA256: 064748a64b3e6198f3f9b3821f8aa4b74ee9d687503a1e9ded2926308a86517f
SHA512: ba69ce0db33d4691641f7dbdc4ae3b2a582e1a47d12d606b0ba1761bf5d442f3e772aeb7327c6ea6293144c3ccb923d86e578db6e3a96f8537584d342576173a
SSDEEP: 24576:AerU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:AsW
Malware Config
Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures
Creates new service(s) [1 TTPs]
Modifies Windows Firewall [2 TTPs, 1 IoCs]
  Processes: netsh.exe (PID 2280)
Sets service image path in registry [2 TTPs, 1 IoCs]
  Processes: svchost.exe
    Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bunksdbo\ImagePath = "C:\\Windows\\SysWOW64\\bunksdbo\\yqzherdx.exe"
Checks computer location settings [2 TTPs, 1 IoCs]
  Looks up country code configured in the registry, likely geofence.
  Processes: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation
Executes dropped EXE [1 IoCs]
  Processes: yqzherdx.exe (PID 3880)
Suspicious use of SetThreadContext [1 IoCs]
  Processes: yqzherdx.exe
    PID 3880 (yqzherdx.exe) set thread context of PID 5068 (svchost.exe)
Launches sc.exe [3 IoCs]
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 3388), sc.exe (PID 2320), sc.exe (PID 3608)
Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory [23 IoCs]
  Processes: f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe, yqzherdx.exe
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 3164 (cmd.exe): 3 events
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 736 (cmd.exe): 3 events
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 3388 (sc.exe): 3 events
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2320 (sc.exe): 3 events
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 3608 (sc.exe): 3 events
    PID 868 (f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe) wrote to memory of PID 2280 (netsh.exe): 3 events
    PID 3880 (yqzherdx.exe) wrote to memory of PID 5068 (svchost.exe): 5 events
Processes
C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
  PID: 868
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bunksdbo\
      PID: 3164
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe" C:\Windows\SysWOW64\bunksdbo\
      PID: 736
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create bunksdbo binPath= "C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 3388
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description bunksdbo "wifi internet conection"
      PID: 2320
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start bunksdbo
      PID: 3608
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 2280
      - Modifies Windows Firewall
C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe
  Command line: C:\Windows\SysWOW64\bunksdbo\yqzherdx.exe /d"C:\Users\Admin\AppData\Local\Temp\f2500e9a3134b4790760b2ef60c0144b_JaffaCakes118.exe"
  PID: 3880
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 5068
      - Sets service image path in registry
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 10.8MB
MD5: 1c9e17089fc5153538255a5a42877db3
SHA1: a551b4a07a44ff766d584f77b448d3d705f06d77
SHA256: 67aa33017e5798bc67b434b573ef8b04f1fad4671fea6303fde4381c9e457695
SHA512: a125eefe402cc246f310bdc8e2e846f66e07d27a0e02463af302e82db09977484be1e133629adbfb976258108c2b43f9e2a332eee23c78901d1f091efe1f3010