Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 06:37
Static task
- static1
Behavioral task
- behavioral1
  - Sample: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  - Resource: win7-20231129-en
Behavioral task
- behavioral2
  - Sample: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  - Resource: win10v2004-20240226-en
General
- Target: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
- Size: 14.8MB
- MD5: f2e83482658169cfb723595f03ed4c73
- SHA1: 5974b5b2d036ab80ac3a823406e69d1e56a930f7
- SHA256: 2127d8998f0d3f04259848e7f11e6353cf71078cacfd2c23b6276323cead9718
- SHA512: b7a6e94181f7edc606fbc6aa0f8f768f7a684c6f13a8d945fe5b749f8a689b9a90d27bd01cd4ae74a7498a03d67ecd0d585eb4b3555ce20b78176bac17736a6f
- SSDEEP: 6144:gvk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3:ZRAD
Malware Config
- Extracted: tofsee
  - 43.231.4.7
  - lazystax.ru
Signatures
- Windows security bypass
  Processes: svchost.exe
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qvcanwup = "0"; process: svchost.exe
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 2648)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qvcanwup\ImagePath = "C:\\Windows\\SysWOW64\\qvcanwup\\nwonwimd.exe"; process: svchost.exe
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 2664)
- Executes dropped EXE (1 IoCs)
  Processes: nwonwimd.exe (PID 2680)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: nwonwimd.exe (PID 2680) set thread context of svchost.exe (PID 2664)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 2632), sc.exe (PID 2768), sc.exe (PID 3068)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (identical entries collapsed, repeat count in parentheses):
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 2144 cmd.exe (4)
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 2516 cmd.exe (4)
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 2768 sc.exe (4)
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 3068 sc.exe (4)
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 2632 sc.exe (4)
  - PID 2680 nwonwimd.exe wrote to memory of PID 2664 svchost.exe (6)
  - PID 3040 f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe wrote to memory of PID 2648 netsh.exe (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"
  PID: 3040
  Signatures: Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qvcanwup\
    PID: 2144
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe" C:\Windows\SysWOW64\qvcanwup\
    PID: 2516
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create qvcanwup binPath= "C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2768
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description qvcanwup "wifi internet conection"
    PID: 3068
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start qvcanwup
    PID: 2632
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2648
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe
  Command line: C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"
  PID: 2680
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2664
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 13.0MB
  MD5: ac9ec22f425d5273ad42836a12214315
  SHA1: e3f05e090ef4e9c8331c3ad2123d7040285581f3
  SHA256: 55124e8c2028af5ecc2b9392ce5e823eaebe82b1cc0e55d6a145f15c0a6a3277
  SHA512: c57d555d1198128a863300ba22f425253b63a0662c14a6c11c997c51bbfd7b7d4a5cb139fa9d92b3882a04d43c8389eefa1d1854fb1d4fc023414d2f5e0cd2ed