Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 16-04-2024 06:20
Static task: static1
Behavioral task: behavioral1
  Sample: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
Size: 11.6MB
MD5: f2e10e6ce6156dc38f07293998121415
SHA1: 0367b75e7cc5eac8322c18c711144e0b14868e8b
SHA256: 5904e1ce6715d90d01f24f33168326b95b1096de8fbb7d4ec670516e1249587a
SHA512: 016dcff3b313312297f315be1c10c0bccdf23dee9e2288b4087592e788cf7963575cbdf896dcfdc6745f1d6c298c0f210f436c8bc0e5d6a1fb68150cce97a2ee
SSDEEP:
24576:zfARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR3:z
Malware Config
Extracted
Family: tofsee
C2: 43.231.4.7
C2: lazystax.ru
Signatures
Windows security bypass 1 IoCs
  Processes: svchost.exe (PID 3020)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rnitylgm = "0"
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe (PID 3060)
Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe (PID 3020)
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rnitylgm\ImagePath = "C:\\Windows\\SysWOW64\\rnitylgm\\ctpwnmqu.exe"
Deletes itself 1 IoCs
  Processes: svchost.exe (PID 3020)
Executes dropped EXE 1 IoCs
  Processes: ctpwnmqu.exe (PID 2548)
Suspicious use of SetThreadContext 1 IoCs
  ctpwnmqu.exe (PID 2548) set thread context of svchost.exe (PID 3020)
Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 1664), sc.exe (PID 2636), sc.exe (PID 2852)
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
  Processes: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe (PID 3000), ctpwnmqu.exe (PID 2548)
  Source PID  Source process                                      Target PID  Target process  Entries
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  1072        cmd.exe         4
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  2828        cmd.exe         4
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  1664        sc.exe          4
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  2636        sc.exe          4
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  2852        sc.exe          4
  3000        f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe  3060        netsh.exe       4
  2548        ctpwnmqu.exe                                        3020        svchost.exe     6
Processes
C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe (PID 1072)
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rnitylgm\
    C:\Windows\SysWOW64\cmd.exe (PID 2828)
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ctpwnmqu.exe" C:\Windows\SysWOW64\rnitylgm\
    C:\Windows\SysWOW64\sc.exe (PID 1664)
      "C:\Windows\System32\sc.exe" create rnitylgm binPath= "C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 2636)
      "C:\Windows\System32\sc.exe" description rnitylgm "wifi internet conection"
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe (PID 2852)
      "C:\Windows\System32\sc.exe" start rnitylgm
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe (PID 3060)
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe (PID 2548)
  Command line: C:\Windows\SysWOW64\rnitylgm\ctpwnmqu.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
  Signatures: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\svchost.exe (PID 3020)
      svchost.exe
      Signatures: Windows security bypass, Sets service image path in registry, Deletes itself

Reading the tree: the sample creates a folder under SysWOW64, moves the dropped ctpwnmqu.exe into it, registers that binary as an auto-start service named rnitylgm (display name "wifi support") whose arguments carry the path of the original sample, starts the service, and adds an inbound firewall allow rule for C:\Windows\SysWOW64\svchost.exe. The service binary appears as a second top-level process (consistent with being started by the service control manager after "sc start"), launches svchost.exe and takes it over with WriteProcessMemory followed by SetThreadContext. The injected svchost.exe is the process that adds the rnitylgm folder to the Windows Defender path exclusions and rewrites the service ImagePath. Note that every child command line names C:\Windows\System32 while the recorded image paths are under C:\Windows\SysWOW64: the sample is a 32-bit process, so WOW64 file-system redirection maps its System32 references to SysWOW64. Detection logic should therefore match on the image path, not on the path text inside the command line.
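The random service name (rnitylgm) and the file name (ctpwnmqu.exe) change per build, so a detection should key on the shape of the chain: a service whose binary sits in a made-up System32/SysWOW64 subfolder and whose arguments point back at a user-writable path, a blanket inbound firewall allow for svchost.exe, an svchost.exe started by something other than services.exe, a Windows Defender path exclusion written from that svchost.exe, and a service ImagePath pointing into the same subfolder. The following Python is an added example written for this page, not the sandbox's own signature logic. It encodes those five checks as rules over a minimal event record (the schema with kind, pid, parent_pid, image, cmdline, reg_path and reg_value is an assumption, not a real vendor format) and runs them over events constructed from this report's process tree and signature table.

```python
"""
Rules for the service-persistence chain in this report, run over process-creation
and registry-set events. Added example for this page, not the sandbox's own rule
set. EVENTS is constructed from the command lines and registry writes the report
shows; the record schema (kind, pid, parent_pid, image, cmdline, reg_path,
reg_value) is an assumption, not a real vendor format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    kind: str            # "process" or "registry"
    pid: int
    parent_pid: int
    image: str           # on-disk image of the acting process (not its command line)
    cmdline: str = ""    # process events
    reg_path: str = ""   # registry events
    reg_value: str = ""

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
SYS32, WOW64 = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
SVC_DIR = WOW64 + r"\rnitylgm"

# Constructed from the report's process tree and signature table; the parent of the
# initial sample is not shown there, so parent_pid is 0 for it and for the service binary.
EVENTS: List[Event] = [
    Event("process", 3000, 0, DROPPER, '"' + DROPPER + '"'),
    Event("process", 1072, 3000, WOW64 + r"\cmd.exe", '"' + SYS32 + r'\cmd.exe" /C mkdir ' + SVC_DIR + "\\"),
    Event("process", 2828, 3000, WOW64 + r"\cmd.exe", '"' + SYS32 + r'\cmd.exe" /C move /Y '
          r'"C:\Users\Admin\AppData\Local\Temp\ctpwnmqu.exe" ' + SVC_DIR + "\\"),
    Event("process", 1664, 3000, WOW64 + r"\sc.exe", '"' + SYS32 + r'\sc.exe" create rnitylgm binPath= "' + SVC_DIR
          + r'\ctpwnmqu.exe /d\"' + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"'),
    Event("process", 2636, 3000, WOW64 + r"\sc.exe", '"' + SYS32 + r'\sc.exe" description rnitylgm "wifi internet conection"'),
    Event("process", 2852, 3000, WOW64 + r"\sc.exe", '"' + SYS32 + r'\sc.exe" start rnitylgm'),
    Event("process", 3060, 3000, WOW64 + r"\netsh.exe", '"' + SYS32 + r'\netsh.exe" advfirewall firewall add rule '
          'name="Host-process for services of Windows" dir=in action=allow program="' + WOW64 + r'\svchost.exe" enable=yes'),
    Event("process", 2548, 0, SVC_DIR + r"\ctpwnmqu.exe", SVC_DIR + r'\ctpwnmqu.exe /d"' + DROPPER + '"'),
    Event("process", 3020, 2548, WOW64 + r"\svchost.exe", "svchost.exe"),
    Event("registry", 3020, 2548, WOW64 + r"\svchost.exe", reg_value="0",
          reg_path=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" + "\\" + SVC_DIR),
    Event("registry", 3020, 2548, WOW64 + r"\svchost.exe", reg_value=SVC_DIR + r"\ctpwnmqu.exe",
          reg_path=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rnitylgm\ImagePath"),
]

# Executable in a subfolder of System32/SysWOW64, e.g. ...\SysWOW64\rnitylgm\ctpwnmqu.exe
SYSDIR_SUBDIR = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\[^\\]+\\[^\\]+\.exe$", re.I)
SC_CREATE = re.compile(r'sc(?:\.exe)?"?\s+create\s+(\S+).*?binPath=\s*"?([^"\s]+)', re.I | re.S)
NETSH_ALLOW = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow.*?program="?([^"\s]+)',
                         re.I | re.S)
USER_WRITABLE = re.compile(r"\\Users\\|\\Temp\\", re.I)

def detect(events: List[Event]) -> List[Finding]:
    """Apply the rules to one batch of events and return every match."""
    images = {e.pid: e.image for e in events if e.kind == "process"}  # real logs also need a process GUID (PID reuse)
    created: Dict[str, str] = {}  # service name -> binPath seen in sc.exe create, for correlating the ImagePath write
    findings: List[Finding] = []
    for e in (x for x in events if x.kind == "process"):
        m = SC_CREATE.search(e.cmdline)
        if m:
            name, binpath = m.group(1).lower(), m.group(2)
            created[name] = binpath
            # Service binary in a made-up System32/SysWOW64 subfolder whose arguments point back at a
            # user-writable path: the dropper is handing the service its own location.
            if SYSDIR_SUBDIR.match(binpath) and USER_WRITABLE.search(e.cmdline):
                findings.append(Finding("service_from_user_dropper", e.pid, name + " -> " + binpath))
        m = NETSH_ALLOW.search(e.cmdline)
        if m and m.group(1).lower().endswith("\\svchost.exe"):
            # Windows' own rules that name svchost.exe are scoped to a service; a blanket inbound allow is not.
            findings.append(Finding("firewall_allow_svchost", e.pid, m.group(1)))
        if e.image.lower().endswith("\\svchost.exe"):
            # svchost.exe is normally started by services.exe; here the service binary starts it for injection.
            parent = images.get(e.parent_pid, "<unknown>")
            if not parent.lower().endswith("\\services.exe"):
                findings.append(Finding("svchost_unexpected_parent", e.pid, parent))
    for e in (x for x in events if x.kind == "registry"):
        low = e.reg_path.lower()
        if "\\windows defender\\exclusions\\" in low:
            findings.append(Finding("defender_exclusion_added", e.pid, e.reg_path.split("\\Exclusions\\", 1)[1]))
        m = re.search(r"\\services\\([^\\]+)\\imagepath$", low)
        if m and SYSDIR_SUBDIR.match(e.reg_value):
            tag = " (matches sc.exe create)" if m.group(1) in created else ""
            findings.append(Finding("service_imagepath_in_sysdir_subfolder", e.pid, m.group(1) + " -> " + e.reg_value + tag))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hits per rule; several distinct rules on one host is the signal, any single one has benign look-alikes."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

if __name__ == "__main__":
    hits = detect(EVENTS)
    for f in hits:
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print(summarize(hits))
```

Run as a script it prints one finding per rule for this report, five distinct rules in total. Each rule on its own has legitimate look-alikes (vendor services do install under System32 subfolders, and administrators do add Defender exclusions), so the paging threshold belongs on the number of distinct rules hitting one host inside a short window, not on any single hit. The parent lookup keys on PID only; on a real log, carry the process GUID or start time as well so PID reuse cannot pair an svchost.exe with the wrong parent.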
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\ctpwnmqu.exe
  Filesize: 10.8MB
  MD5: afd4a3d6ce6082292cf4636e527f5150
  SHA1: caa7bbf3f26690e959ff1c5948d80507efa6cf7d
  SHA256: 10a6c25571f31d567352e41149156722af4d5e96a31fc1ab435fabc598123c91
  SHA512: fe29c815df9d64a4fc132cd85b24a5a278eb372061c7aa150890f8bb2e955e4e555414292737ccf0289c39aed5cb31edbd7a0d208b5543c7a907abb1ba36600f

Memory dumps                                                       Filesize
  memory/2548-10-0x0000000002850000-0x0000000002950000-memory.dmp  1024KB
  memory/2548-12-0x0000000000400000-0x00000000027A8000-memory.dmp  35.7MB
  memory/2548-16-0x0000000000400000-0x00000000027A8000-memory.dmp  35.7MB
  memory/3000-1-0x0000000002910000-0x0000000002A10000-memory.dmp   1024KB
  memory/3000-4-0x0000000000400000-0x00000000027A8000-memory.dmp   35.7MB
  memory/3000-7-0x0000000000400000-0x00000000027A8000-memory.dmp   35.7MB
  memory/3000-8-0x0000000000020000-0x0000000000033000-memory.dmp   76KB
  memory/3000-2-0x0000000000020000-0x0000000000033000-memory.dmp   76KB
  memory/3020-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/3020-11-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB
  memory/3020-15-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB
  memory/3020-19-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB
  memory/3020-20-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB
  memory/3020-21-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB
  memory/3020-22-0x00000000000C0000-0x00000000000D5000-memory.dmp  84KB