Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 05:12
Static task
static1
Behavioral task
behavioral1
Sample
f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe
-
Size
11.3MB
-
MD5
f2c2dfad2a7c617f933121023f9615a0
-
SHA1
2413e1d32855aaaef23d75cc7da5e73258f59c0f
-
SHA256
32286087d4e5a88e15e2d34114b10047826640627628d7b269d37eef35585db7
-
SHA512
0a235f74cceebc2fd51d8472762091a958d6d43ca00bedad058cee00fa48b90e063eff78ac60610668e1a42427d25d105c8d4625079a7753e29b1c441c46eda0
-
SSDEEP
98304:nNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllH:NW
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 5348 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wwjxkyu\ImagePath = "C:\\Windows\\SysWOW64\\wwjxkyu\\gidjcpz.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 5268 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
gidjcpz.exepid process 1152 gidjcpz.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
gidjcpz.exedescription pid process target process PID 1152 set thread context of 5268 1152 gidjcpz.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2228 sc.exe 5432 sc.exe 2224 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exegidjcpz.exedescription pid process target process PID 656 wrote to memory of 5552 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 5552 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 5552 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 1080 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 1080 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 1080 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe cmd.exe PID 656 wrote to memory of 2228 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 2228 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 2228 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 5432 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 5432 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 5432 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 2224 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 2224 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 2224 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe sc.exe PID 656 wrote to memory of 5348 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe netsh.exe PID 656 wrote to memory of 5348 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe netsh.exe PID 656 wrote to memory of 5348 656 f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe netsh.exe PID 1152 wrote to memory of 5268 1152 gidjcpz.exe svchost.exe PID 1152 wrote to memory of 5268 1152 gidjcpz.exe svchost.exe PID 1152 wrote to memory of 5268 1152 gidjcpz.exe svchost.exe PID 1152 wrote to memory of 5268 1152 gidjcpz.exe svchost.exe PID 1152 wrote to memory of 5268 1152 gidjcpz.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wwjxkyu\2⤵PID:5552
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe" C:\Windows\SysWOW64\wwjxkyu\2⤵PID:1080
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create wwjxkyu binPath= "C:\Windows\SysWOW64\wwjxkyu\gidjcpz.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:2228 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description wwjxkyu "wifi internet conection"2⤵
- Launches sc.exe
PID:5432 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start wwjxkyu2⤵
- Launches sc.exe
PID:2224 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:5348
-
C:\Windows\SysWOW64\wwjxkyu\gidjcpz.exeC:\Windows\SysWOW64\wwjxkyu\gidjcpz.exe /d"C:\Users\Admin\AppData\Local\Temp\f2c2dfad2a7c617f933121023f9615a0_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
PID:5268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:4892
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13.0MB
MD59817e67f0fa3deb3f25b3a36f43567ae
SHA1f437d6a202b46d0f8b16d99c78f12ebccb516f8e
SHA256c50c5344f3ca8be4267882a0e4c7de1edcdb93e7dd538a980e186d5aaaaec86a
SHA512b0cac5923daada574ef6052575a9c2f3c679b0e1ed4f005de4755891d07334e2e411d010bb5d082b94ad391634c92a6f46ade9bade6efb2051dbeede11608412