Analysis
max time kernel: 147s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 06:20
Static task: static1
Behavioral task: behavioral1
  Sample: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
Size: 11.6MB
MD5: f2e10e6ce6156dc38f07293998121415
SHA1: 0367b75e7cc5eac8322c18c711144e0b14868e8b
SHA256: 5904e1ce6715d90d01f24f33168326b95b1096de8fbb7d4ec670516e1249587a
SHA512: 016dcff3b313312297f315be1c10c0bccdf23dee9e2288b4087592e788cf7963575cbdf896dcfdc6745f1d6c298c0f210f436c8bc0e5d6a1fb68150cce97a2ee
SSDEEP: 24576:zfARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR3:z
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
Creates new service(s) (1 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
  pid | process
  792 | netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\thrvxrxj\ImagePath = "C:\\Windows\\SysWOW64\\thrvxrxj\\gpjogfaw.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
Deletes itself (1 IoCs)
Processes:
  pid | process
  4044 | svchost.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  3648 | gpjogfaw.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 3648 set thread context of 4044 | 3648 | gpjogfaw.exe | svchost.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  3164 | sc.exe
  2840 | sc.exe
  3232 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
  pid | pid_target | process | target process
  3568 | 3752 | WerFault.exe | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  4796 | 3648 | WerFault.exe | gpjogfaw.exe
Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  description | pid | process | target process
  PID 3752 wrote to memory of 4840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 4840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 4840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 1708 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 1708 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 1708 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | cmd.exe
  PID 3752 wrote to memory of 3164 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 3164 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 3164 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 2840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 2840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 2840 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 3232 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 3232 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 3232 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | sc.exe
  PID 3752 wrote to memory of 792 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | netsh.exe
  PID 3752 wrote to memory of 792 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | netsh.exe
  PID 3752 wrote to memory of 792 | 3752 | f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe | netsh.exe
  PID 3648 wrote to memory of 4044 | 3648 | gpjogfaw.exe | svchost.exe
  PID 3648 wrote to memory of 4044 | 3648 | gpjogfaw.exe | svchost.exe
  PID 3648 wrote to memory of 4044 | 3648 | gpjogfaw.exe | svchost.exe
  PID 3648 wrote to memory of 4044 | 3648 | gpjogfaw.exe | svchost.exe
  PID 3648 wrote to memory of 4044 | 3648 | gpjogfaw.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3752

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\thrvxrxj\
    PID: 4840

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gpjogfaw.exe" C:\Windows\SysWOW64\thrvxrxj\
    PID: 1708

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create thrvxrxj binPath= "C:\Windows\SysWOW64\thrvxrxj\gpjogfaw.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 3164

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description thrvxrxj "wifi internet conection"
    - Launches sc.exe
    PID: 2840

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start thrvxrxj
    - Launches sc.exe
    PID: 3232

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 792

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1044
    - Program crash
    PID: 3568

C:\Windows\SysWOW64\thrvxrxj\gpjogfaw.exe
  Command line: C:\Windows\SysWOW64\thrvxrxj\gpjogfaw.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e10e6ce6156dc38f07293998121415_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3648

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
    PID: 4044

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 520
    - Program crash
    PID: 4796

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3752 -ip 3752
  PID: 2256

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3648 -ip 3648
  PID: 3112
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
Filesize: 13.1MB
MD5: 17ad26b4268d073477fe36d767b6d8b9
SHA1: 82a87453a68446909628c2b6aa12019be23cccc6
SHA256: 5b6370d4266bae4bd65cca7274bac763e1b01f89103b4fcdf84e308f41719bd6
SHA512: 7e1b5ba75cf48f8a0b805737afb87b3aac55ff2458a8962f8df4b6aae3b9b9479a21a33d80e348911d95f38c11f8272d1b9778c4f0a1916a7a50786137a7dfcc