Analysis
max time kernel: 154s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 03:18
Static task: static1
Behavioral task behavioral1: Sample f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe, Resource win7-20240319-en
Behavioral task behavioral2: Sample f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe, Resource win10v2004-20240226-en
General
Target: f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe
Size: 12.9MB
MD5: f2908395b8a8846d7c3752da7ffccc9ad
SHA1: 16c1bc4e5ac73414c889c3d49de2a67f3b88f517
SHA256: c02ce7fba728b8b8d459ff2a48fbbd0986cd474a16e339457b4d0e7ca538036d
SHA512: edb752d6c9e28dd06331882d407a0636c92cb97d38298610f8d3ea7fee8d94d7490498ceb4d5432e0ca06f90b9de1d0c592186bd1abce277d4904f18d22f8476
SSDEEP: 24576:perU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbr:psW
Malware Config
Extracted: tofsee
defeatwax.ru
refabyd.info
Signatures
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  pid | process
  4088 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vgrilxdo\ImagePath = "C:\\Windows\\SysWOW64\\vgrilxdo\\sktbylxr.exe" | svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  3528 | sktbylxr.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 3528 set thread context of 2608 | 3528 | sktbylxr.exe | svchost.exe
Launches sc.exe 3 IoCs
sc.exe is the Windows utility for controlling services on the system.
Processes:
  pid | process
  4948 | sc.exe
  4072 | sc.exe
  464 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 23 IoCs
Processes (each row lists the number of write events recorded for that pair):
  description | pid | process | target process | events
  PID 1432 wrote to memory of 1284 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | cmd.exe | 3
  PID 1432 wrote to memory of 4968 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | cmd.exe | 3
  PID 1432 wrote to memory of 4072 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | sc.exe | 3
  PID 1432 wrote to memory of 464 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | sc.exe | 3
  PID 1432 wrote to memory of 4948 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | sc.exe | 3
  PID 1432 wrote to memory of 4088 | 1432 | f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe | netsh.exe | 3
  PID 3528 wrote to memory of 2608 | 3528 | sktbylxr.exe | svchost.exe | 5
Processes
C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe (PID 1432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe (PID 1284)
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vgrilxdo\
    C:\Windows\SysWOW64\cmd.exe (PID 4968)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\sktbylxr.exe" C:\Windows\SysWOW64\vgrilxdo\
    C:\Windows\SysWOW64\sc.exe (PID 4072)
      Command line: "C:\Windows\System32\sc.exe" create vgrilxdo binPath= "C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 464)
      Command line: "C:\Windows\System32\sc.exe" description vgrilxdo "wifi internet conection"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 4948)
      Command line: "C:\Windows\System32\sc.exe" start vgrilxdo
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (PID 4088)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe (PID 3528)
  Command line: C:\Windows\SysWOW64\vgrilxdo\sktbylxr.exe /d"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe (PID 2608)
      Command line: svchost.exe
      Signatures: Sets service image path in registry
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1632)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
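The process tree above is one persistence procedure: create a directory under SysWOW64, move the dropped sktbylxr.exe into it, register it as an auto-start service named vgrilxdo (display name "wifi support") whose command line points back at the dropper in the user's Temp directory, start it, and add an inbound firewall allow rule for SysWOW64\svchost.exe, the process that sktbylxr.exe then writes into after SetThreadContext. The following Python is an added hunting example, not code from the sandbox or from this report: it runs three correlating rules over constructed process-creation records that mirror the command lines and PIDs shown above. The record layout (pid, ppid, image, cmdline), the dropper's own parent PID, and the benign control records are assumptions.

```python
"""Hunt for the mkdir -> sc create -> netsh allow persistence chain.

Added example, not part of the sandbox report. Record fields and the
benign control events are assumptions, not a real log format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# binPath= "..." whose value may contain backslash-escaped quotes (\")
_BINPATH_RE = re.compile(r'binPath=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
_MKDIR_RE = re.compile(r'\bmkdir\s+"?([^"\s]+)', re.IGNORECASE)
_PROGRAM_RE = re.compile(r'program="?([^"\s]+)"?', re.IGNORECASE)
_EXE_RE = re.compile(r'^\s*"?(.+?\.exe)', re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def service_exe_dir(binpath: str) -> str:
    """Directory of the service binary named first in a binPath value."""
    m = _EXE_RE.match(binpath)
    exe = _norm(m.group(1) if m else binpath)
    return exe.rsplit("\\", 1)[0] if "\\" in exe else ""


def hunt(events):
    """Return findings for the service-persistence chain, in event order."""
    findings = []
    made_dirs = {}  # parent pid -> directories that parent created via cmd /C mkdir
    for ev in events:
        img, cmd = basename(ev.image), ev.cmdline
        if img == "cmd.exe":
            m = _MKDIR_RE.search(cmd)
            if m:
                made_dirs.setdefault(ev.ppid, set()).add(_norm(m.group(1)))
        elif img == "sc.exe" and re.search(r"\bcreate\b", cmd, re.IGNORECASE):
            m = _BINPATH_RE.search(cmd)
            if not m:
                continue
            binpath = m.group(1)
            svc_dir = service_exe_dir(binpath)
            # Rule 1: the service binary lives in a directory the same parent just created
            if svc_dir and svc_dir in made_dirs.get(ev.ppid, ()):
                findings.append(Finding("service_from_fresh_dir", ev.pid,
                                        f"parent {ev.ppid} created {svc_dir} then registered a service in it"))
            # Rule 2: the service command line points back at a file in a temp directory
            low = binpath.lower()
            if "\\appdata\\local\\temp\\" in low or "\\windows\\temp\\" in low:
                findings.append(Finding("service_binpath_references_temp", ev.pid, binpath))
        elif (img == "netsh.exe"
              and re.search(r"advfirewall\s+firewall\s+add\s+rule", cmd, re.IGNORECASE)
              and re.search(r"action=allow", cmd, re.IGNORECASE)):
            # Rule 3: a firewall allow rule whose program is svchost.exe (matched on basename,
            # so the WOW64-redirected path in the report is caught as well as System32)
            m = _PROGRAM_RE.search(cmd)
            if m and basename(m.group(1)) == "svchost.exe":
                findings.append(Finding("firewall_allow_svchost", ev.pid, m.group(1)))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f2908395b8a8846d7c3752da7ffcc9ad_JaffaCakes118.exe"
SVC_DIR = r"C:\Windows\SysWOW64\vgrilxdo"

# Constructed records mirroring the report's process tree; child PIDs are the
# report's, the dropper's parent PID 700 is assumed.
SAMPLE_EVENTS = [
    ProcEvent(1432, 700, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1284, 1432, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C mkdir {SVC_DIR}\\'),
    ProcEvent(4968, 1432, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\sktbylxr.exe" {SVC_DIR}\\'),
    ProcEvent(4072, 1432, r"C:\Windows\SysWOW64\sc.exe",
              f'"C:\\Windows\\System32\\sc.exe" create vgrilxdo binPath= "{SVC_DIR}\\sktbylxr.exe /d\\"{DROPPER}\\"" '
              'type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(464, 1432, r"C:\Windows\SysWOW64\sc.exe",
              '"C:\\Windows\\System32\\sc.exe" description vgrilxdo "wifi internet conection"'),
    ProcEvent(4948, 1432, r"C:\Windows\SysWOW64\sc.exe", '"C:\\Windows\\System32\\sc.exe" start vgrilxdo'),
    ProcEvent(4088, 1432, r"C:\Windows\SysWOW64\netsh.exe",
              '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule '
              'name="Host-process for services of Windows" dir=in action=allow '
              'program="C:\\Windows\\SysWOW64\\svchost.exe" enable=yes'),
]

# Constructed benign control: an installer registering a service from Program Files.
BENIGN_EVENTS = [
    ProcEvent(5000, 4000, r"C:\Windows\System32\sc.exe",
              '"C:\\Windows\\System32\\sc.exe" create VendorSvc binPath= "C:\\Program Files\\Vendor\\svc.exe" start= auto'),
    ProcEvent(5001, 4000, r"C:\Windows\System32\netsh.exe",
              '"C:\\Windows\\System32\\netsh.exe" advfirewall firewall add rule name="Vendor" '
              'dir=in action=allow program="C:\\Program Files\\Vendor\\svc.exe"'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Rule 3 needs a caveat: C:\Windows\SysWOW64\svchost.exe is a legitimate 32-bit system binary, so the signal is a user-launched process adding an inbound allow rule for svchost.exe at all, not the path. The image paths in the tree show SysWOW64 while the command lines name System32; that is WOW64 file-system redirection for a 32-bit dropper, and a rule keyed on the literal System32 path would miss these events, which is why the example matches on the basename. Rule 1 is the strongest of the three, since it ties the service registration to a directory the same parent created moments earlier; the service display name "wifi support" and description string are usable as plain string IoCs on top of it.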
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2): Windows Service (2)
Downloads
Filesize: 13.4MB
MD5: 3b651cc43c9259c127f01ba6c2a7ffaf
SHA1: 5507d20fefae8ffc9802bc5d88ff873c15e37059
SHA256: 5cfd3da7f31d1c0f3dffc3a1e69a4780a9e8791108217ac15f9119c5024e06ae
SHA512: 1c73a203709608c4d48afaf5dbf9924ee999863c97a6313dab15a8058b93d111ee087901845b2fb66d57974aa008abc32238b0ca52fd53459ec320bdfa09cc98