Analysis
- max time kernel: 144s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 06:37
- Static task: static1
- Behavioral task: behavioral1
  Sample: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  Resource: win7-20231129-en
- Behavioral task: behavioral2
  Sample: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
- Size: 14.8MB
- MD5: f2e83482658169cfb723595f03ed4c73
- SHA1: 5974b5b2d036ab80ac3a823406e69d1e56a930f7
- SHA256: 2127d8998f0d3f04259848e7f11e6353cf71078cacfd2c23b6276323cead9718
- SHA512: b7a6e94181f7edc606fbc6aa0f8f768f7a684c6f13a8d945fe5b749f8a689b9a90d27bd01cd4ae74a7498a03d67ecd0d585eb4b3555ce20b78176bac17736a6f
- SSDEEP: 6144:gvk9RADRUv1CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3:ZRAD
Malware Config
Extracted (tofsee):
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 4412)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eetzfolv\ImagePath = "C:\\Windows\\SysWOW64\\eetzfolv\\gidulfmf.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 3696)
- Executes dropped EXE (1 IoCs)
  Processes: gidulfmf.exe (PID 2904)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: gidulfmf.exe (PID 2904) set thread context of svchost.exe (PID 3696)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4580), sc.exe (PID 224), sc.exe (PID 3280)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe, gidulfmf.exe
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 3120 (cmd.exe): 3 events
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 3996 (cmd.exe): 3 events
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 4580 (sc.exe): 3 events
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 224 (sc.exe): 3 events
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 3280 (sc.exe): 3 events
  PID 4028 (f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe) wrote to memory of PID 4412 (netsh.exe): 3 events
  PID 2904 (gidulfmf.exe) wrote to memory of PID 3696 (svchost.exe): 5 events
Processes
- C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe (PID 4028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3120)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eetzfolv\
  - C:\Windows\SysWOW64\cmd.exe (PID 3996)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidulfmf.exe" C:\Windows\SysWOW64\eetzfolv\
  - C:\Windows\SysWOW64\sc.exe (PID 4580)
    Command line: "C:\Windows\System32\sc.exe" create eetzfolv binPath= "C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 224)
    Command line: "C:\Windows\System32\sc.exe" description eetzfolv "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3280)
    Command line: "C:\Windows\System32\sc.exe" start eetzfolv
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4412)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe (PID 2904)
  Command line: C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3696)
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4016)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
- Filesize: 11.6MB
  MD5: 28d85f0c0190db876bb6849d34c3424d
  SHA1: bd38bb101ef716d9f2723a9f6a1216385a9062a5
  SHA256: 66015469685512ebaac33725e2e9bb822ec4a50a10ac74cc69069719e1c9e39b
  SHA512: 9ae4ad4cb4e18380205787f31955d6537db4495fd6fe3417b83b6ff13f2ea0379edde9f954a2326814ab132bc2c74bdffc58bf46c0228b85212fe9573d05c09f