Analysis
max time kernel: 146s
max time network: 117s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 05:24
Static task: static1
Behavioral task: behavioral1
  Sample: f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe
Size: 10.7MB
MD5: f2c7b3dd677d36abe158ada055822669
SHA1: 06f400ae6e2a2c0a1e8f64e702444a297f37d0f3
SHA256: f17a88bf3b89dff62b431dacda445025c5c3764b9bc87bf584df2e4f274996b8
SHA512: b59e41c6a44de1e9ca80189581a2d634df6d88b6442ba49d77dddf943043e81ce9a7cf92a5cc6a954d20d4414f9f237526e479718540a7cd16025091b07d3130
SSDEEP: 98304:w11111111111111111111111111111111111111111111111111111111111111f:
Malware Config
Extracted
Family: tofsee
C2 (from extracted config): 43.231.4.7
C2 (from extracted config): lazystax.ru
Signatures
-
Windows security bypass 1 IoCs
Processes:
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mbxjvcu = "0"
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exe (PID 2556)
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mbxjvcu\ImagePath = "C:\\Windows\\SysWOW64\\mbxjvcu\\idhzpaca.exe"
-
Deletes itself 1 IoCs
Processes:
svchost.exe (PID 2612)
-
Executes dropped EXE 1 IoCs
Processes:
idhzpaca.exe (PID 2604)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
idhzpaca.exe (PID 2604) set thread context of svchost.exe (PID 2612)
-
Launches sc.exe 3 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe (PID 548), sc.exe (PID 2640), sc.exe (PID 2668)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (each source/target pair, with the number of writes the sandbox logged for it):
source PID | source process | target PID | target process | writes
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 1944 | cmd.exe | 4
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 2904 | cmd.exe | 4
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 548 | sc.exe | 4
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 2640 | sc.exe | 4
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 2668 | sc.exe | 4
1512 | f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe | 2556 | netsh.exe | 4
2604 | idhzpaca.exe | 2612 | svchost.exe | 6
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe"
    PID: 1512
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mbxjvcu\
        PID: 1944
    [2] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\idhzpaca.exe" C:\Windows\SysWOW64\mbxjvcu\
        PID: 2904
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" create mbxjvcu binPath= "C:\Windows\SysWOW64\mbxjvcu\idhzpaca.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
        PID: 548
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" description mbxjvcu "wifi internet conection"
        PID: 2640
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" start mbxjvcu
        PID: 2668
        - Launches sc.exe
    [2] C:\Windows\SysWOW64\netsh.exe
        Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes >nul
        PID: 2556
        - Modifies Windows Firewall
-
[1] C:\Windows\SysWOW64\mbxjvcu\idhzpaca.exe
    Command: C:\Windows\SysWOW64\mbxjvcu\idhzpaca.exe /d"C:\Users\Admin\AppData\Local\Temp\f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe"
    PID: 2604
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        Command: svchost.exe
        PID: 2612
        - Windows security bypass
        - Sets service image path in registry
        - Deletes itself
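The process tree above is a compact install chain: mkdir under SysWOW64, a service created with sc.exe (start= auto, binary in the new folder, the original dropper path passed as /d), a netsh inbound allow rule for svchost.exe under a name that mimics the real "Host Process for Windows Services" description, and finally the svchost.exe that idhzpaca.exe hollowed via SetThreadContext adding a Defender path exclusion for the service folder. What follows is an added example written for this page, not part of the sandbox report or of the sample: three Sigma-style rules plus a correlation step, run over a constructed Sysmon-like event list modelled on the commands shown. The Event fields, rule names, and the benign control event are assumptions made for the example.

```python
"""Rules for the service-install chain shown in the process tree above.

Added example, not part of the sandbox report: Sysmon-like events (pid, ppid,
image, cmdline; registry_path for registry Set-value events) are constructed
from the report's commands. Event fields and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    registry_path: str = ""  # only set for registry Set-value events


SYSWOW64 = "c:\\windows\\syswow64\\"
DEFENDER_EXCL = "\\windows defender\\exclusions\\paths\\"


def rule_sc_create_syswow64(ev):
    """sc.exe creating a service whose binary sits in a SysWOW64 subdirectory.
    Built-in services live directly in System32/SysWOW64; a fresh folder there
    (the mkdir just before) holding a 32-bit service binary is the pattern."""
    cl = ev.cmdline
    if not ev.image.lower().endswith("\\sc.exe") or not re.search(r"\bcreate\b", cl, re.I):
        return None
    m = re.search(r'binpath=\s*"?([a-z]:\\[^\s"]+)', cl, re.I)  # first token of binPath
    if not m:
        return None
    binary, low = m.group(1), m.group(1).lower()
    if not (low.startswith(SYSWOW64) and "\\" in low[len(SYSWOW64):]):
        return None
    nm = re.search(r"\bcreate\s+(\S+)", cl, re.I)
    return {"rule": "service_binary_in_syswow64_subdir", "pid": ev.pid, "ppid": ev.ppid,
            "service": nm.group(1) if nm else "", "binary": binary,
            "autostart": "start= auto" in cl.lower()}


def rule_netsh_allow_svchost(ev):
    """netsh adding an inbound allow rule for svchost.exe. Genuine svchost rules
    are created through the firewall API by the owning service, not by netsh
    from a user-land dropper; a rule for the SysWOW64 copy is rarer still."""
    cl = ev.cmdline.lower()
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    if "advfirewall firewall add rule" not in cl or "action=allow" not in cl:
        return None
    prog = re.search(r'program="([^"]+)"', ev.cmdline, re.I)
    if not prog or not prog.group(1).lower().endswith("\\svchost.exe"):
        return None
    name = re.search(r'name="([^"]+)"', ev.cmdline, re.I)
    return {"rule": "netsh_allow_rule_for_svchost", "pid": ev.pid, "ppid": ev.ppid,
            "rule_name": name.group(1) if name else "", "program": prog.group(1),
            "wow64": prog.group(1).lower().startswith(SYSWOW64)}


def rule_defender_path_exclusion(ev):
    """Any write under Windows Defender\\Exclusions\\Paths; in the report the
    writer is the hollowed svchost.exe, which should never touch that key."""
    low = ev.registry_path.lower()
    i = low.find(DEFENDER_EXCL)
    if i < 0:
        return None
    return {"rule": "defender_path_exclusion_added", "pid": ev.pid, "ppid": ev.ppid,
            "writer": ev.image, "excluded": ev.registry_path[i + len(DEFENDER_EXCL):]}


RULES = (rule_sc_create_syswow64, rule_netsh_allow_svchost, rule_defender_path_exclusion)


def run_rules(events):
    """Apply every rule to every event; return the hits in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


def _dirname(path):
    return path.lower().rstrip("\\").rsplit("\\", 1)[0]


def correlate(findings):
    """Tie the hits into one chain: sc.exe and netsh.exe spawned by the same
    parent, plus a Defender exclusion covering the service binary's folder."""
    svc = [f for f in findings if f["rule"] == "service_binary_in_syswow64_subdir"]
    fw = [f for f in findings if f["rule"] == "netsh_allow_rule_for_svchost"]
    excl = [f for f in findings if f["rule"] == "defender_path_exclusion_added"]
    for s in svc:
        same_parent = [f for f in fw if f["ppid"] == s["ppid"]]
        covering = [e for e in excl if e["excluded"].lower().rstrip("\\") == _dirname(s["binary"])]
        if same_parent and covering:
            return {"dropper_pid": s["ppid"], "service": s["service"], "binary": s["binary"],
                    "firewall_rule": same_parent[0]["rule_name"],
                    "exclusion_writer_pid": covering[0]["pid"]}
    return None


# Constructed events modelled on the report's process tree; PIDs as reported.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f2c7b3dd677d36abe158ada055822669_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    Event(1944, 1512, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mbxjvcu'),
    Event(548, 1512, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create mbxjvcu binPath= "C:\Windows\SysWOW64\mbxjvcu\idhzpaca.exe /d\"'
          + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"'),
    Event(2556, 1512, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
          r'name="Host-process for services of Windows" dir=in action=allow '
          r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    Event(2612, 2604, r"C:\Windows\SysWOW64\svchost.exe", registry_path=(
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
          r"\C:\Windows\SysWOW64\mbxjvcu")),
    # Benign control (assumed, not from the report): a normal System32 service install must not fire.
    Event(700, 600, r"C:\Windows\System32\sc.exe",
          r'sc.exe create MyAgent binPath= "C:\Windows\System32\myagent.exe" start= auto'),
]

if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("chain:", correlate(hits))
```

The service rule is deliberately scoped to SysWOW64: System32 has legitimate service subdirectories (wbem, for example), so a System32-wide version of the check would need an allow-list. The correlation step is what turns three medium-confidence hits into one high-confidence alert; each rule alone is also the thing to hunt for on a live host (the ImagePath under services\mbxjvcu, the "Host-process for services of Windows" firewall rule, and the Exclusions\Paths value), since the sandbox shows the dropper deleting itself afterwards.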
Network
MITRE ATT&CK Enterprise v15
Tactic | Technique (count) | Sub-technique (count)
Persistence | Boot or Logon Autostart Execution (1) | Registry Run Keys / Startup Folder (1)
Persistence | Create or Modify System Process (2) | Windows Service (2)
Privilege Escalation | Boot or Logon Autostart Execution (1) | Registry Run Keys / Startup Folder (1)
Privilege Escalation | Create or Modify System Process (2) | Windows Service (2)
Downloads
-
Filesize: 10.2MB
MD5: c5906a72f93a91c108533f13d8030b0a
SHA1: 8e1b8f656623786ad8d01b106b73717c90b63f9a
SHA256: 477c5a698e5312490897d7f73580e68a9907521e8b575cd83ca782e4f1158ba0
SHA512: c609f528eba5a04efa0a07334ff4cd051d9a4c91e586ffcd33d20a682e0322b4bca44d01c4563a4a235bbb28619f5575d9805ff7a35a8d42488d0ff7d7b68959