Analysis
max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
16-04-2024 07:35
Static task
static1
Behavioral task
behavioral1
Sample
f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
Target
f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
Size
14.8MB
MD5
f3015e7fa8a419f7f1110881d4a15abf
SHA1
2bb0e90e81ce18596a98bb7f72eaabf63e1147f1
SHA256
c89d2e5ffe20c5e936a9df89dbe29d684442bdb0ec0401fdf7e34e25963866fc
SHA512
ed53c70614f15716e277d984d5d3131af53c407befcd72ad7398b06da3f18af7fd95d58db5eeb9c0cd16a3dc6f8334576c1236f9881738fd0785b9d3337bd06d
SSDEEP
49152:Tuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu:
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid process
1012 netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\owtyvebl\ImagePath = "C:\\Windows\\SysWOW64\\owtyvebl\\xkbkcprl.exe" svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
Deletes itself 1 IoCs
Processes:
pid process
4328 svchost.exe
Executes dropped EXE 1 IoCs
Processes:
pid process
3344 xkbkcprl.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 3344 set thread context of 4328 3344 xkbkcprl.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
4200 sc.exe
4108 sc.exe
2980 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes:
pid pid_target process target process
1620 2624 WerFault.exe f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
4232 3344 WerFault.exe xkbkcprl.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description pid process target process
PID 2624 wrote to memory of 4724 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 4724 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 4724 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 1484 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 1484 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 1484 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe cmd.exe
PID 2624 wrote to memory of 4200 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 4200 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 4200 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 4108 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 4108 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 4108 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 2980 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 2980 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 2980 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe sc.exe
PID 2624 wrote to memory of 1012 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe netsh.exe
PID 2624 wrote to memory of 1012 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe netsh.exe
PID 2624 wrote to memory of 1012 2624 f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 4328 3344 xkbkcprl.exe svchost.exe
PID 3344 wrote to memory of 4328 3344 xkbkcprl.exe svchost.exe
PID 3344 wrote to memory of 4328 3344 xkbkcprl.exe svchost.exe
PID 3344 wrote to memory of 4328 3344 xkbkcprl.exe svchost.exe
PID 3344 wrote to memory of 4328 3344 xkbkcprl.exe svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2624
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\owtyvebl\
  PID:4724
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xkbkcprl.exe" C:\Windows\SysWOW64\owtyvebl\
  PID:1484
  C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create owtyvebl binPath= "C:\Windows\SysWOW64\owtyvebl\xkbkcprl.exe /d\"C:\Users\Admin\AppData\Local\Temp\f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
  - Launches sc.exe
  PID:4200
  C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description owtyvebl "wifi internet conection"
  - Launches sc.exe
  PID:4108
  C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start owtyvebl
  - Launches sc.exe
  PID:2980
  C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  - Modifies Windows Firewall
  PID:1012
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 888
  - Program crash
  PID:1620
C:\Windows\SysWOW64\owtyvebl\xkbkcprl.exe
C:\Windows\SysWOW64\owtyvebl\xkbkcprl.exe /d"C:\Users\Admin\AppData\Local\Temp\f3015e7fa8a419f7f1110881d4a15abf_JaffaCakes118.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3344
  C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  - Sets service image path in registry
  - Deletes itself
  PID:4328
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 516
  - Program crash
  PID:4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2624 -ip 2624
PID:2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3344 -ip 3344
PID:3980
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 2
    Windows Service 2
Downloads
Filesize
13.0MB
MD5
6b9cce3f1a6c0796a7facb59ab3eee8d
SHA1
8d623a773e1fb4014bfef487093f2ce0d1a35ea4
SHA256
29a0597affa64c55121f86c7fa43744c1f86bdb73b042de0fca61246a39a9910
SHA512
def39af4bbad7f0cb40ab0893b33efe6f5714c33456ca593318690f697c0775607a2d5e23330b8ae48953f57aca50da7af4d54ed67b679d462adbe1dcf6104c5