Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 09:19
Static task: static1

Behavioral task: behavioral1
  Sample: f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe
Size: 14.5MB
MD5: f32bc79d3ad21de604fa37038da7e745
SHA1: 51ce5b09338e62e7bd869cd2939c50ec011f1782
SHA256: 3f487cd4fe611496acdd0cb193385e2bb233d535e99b5f6caadcf172150f38a5
SHA512: 692cb21d4f9078953449114c7a3743fa201fdb391c89577a59c72d3e2bbc4f77174723a8f36f395cb508df82fbd24b989e11caa9c496f4ad85c9fc4931b45cdc
SSDEEP: 196608:sb/////////////////////////////////////////////////////////////H:s
Malware Config
Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures

Windows security bypass
  Processes: svchost.exe
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\sjegljgf = "0"

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe
  PID 2444: netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sjegljgf\ImagePath = "C:\\Windows\\SysWOW64\\sjegljgf\\jzzzofld.exe"

Deletes itself 1 IoCs
  Processes: svchost.exe
  PID 2536: svchost.exe

Executes dropped EXE 1 IoCs
  Processes: jzzzofld.exe
  PID 944: jzzzofld.exe

Suspicious use of SetThreadContext 1 IoCs
  Processes: jzzzofld.exe
  PID 944 (jzzzofld.exe) set thread context of PID 2536 (svchost.exe)

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  PID 2572: sc.exe
  PID 2832: sc.exe
  PID 2156: sc.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  Processes: f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe, jzzzofld.exe
  Events = number of logged "wrote to memory of" entries for that source/target pair (30 in total)
  Source PID  Source process                                      Target PID  Target process  Events
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  1744        cmd.exe         4
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  2520        cmd.exe         4
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  2572        sc.exe          4
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  2832        sc.exe          4
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  2156        sc.exe          4
  2228        f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe  2444        netsh.exe       4
  944         jzzzofld.exe                                        2536        svchost.exe     6
Processes

C:\Users\Admin\AppData\Local\Temp\f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sjegljgf\

  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzzzofld.exe" C:\Windows\SysWOW64\sjegljgf\

  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create sjegljgf binPath= "C:\Windows\SysWOW64\sjegljgf\jzzzofld.exe /d\"C:\Users\Admin\AppData\Local\Temp\f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description sjegljgf "wifi internet conection"
    - Launches sc.exe

  Child: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start sjegljgf
    - Launches sc.exe

  Child: C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\sjegljgf\jzzzofld.exe
  Command line: C:\Windows\SysWOW64\sjegljgf\jzzzofld.exe /d"C:\Users\Admin\AppData\Local\Temp\f32bc79d3ad21de604fa37038da7e745_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\jzzzofld.exe
  Filesize: 10.5MB
  MD5: a94724ad7e598ac564dab496363d1ed8
  SHA1: 8359432828016342bfa9743fdae44830800306cc
  SHA256: ac7b4fe779cef69ca5e64e263d50842c5aed2f48ab61947e5a2dcaa3c4172838
  SHA512: 3929b2a3802faf8415c4f6906e4798bfa9e00efe7e641959e3aacf3581feb238a002ca4312340e9390b54d1fa7a66049b35000a9fc3015eb733582b12c1f275a

Memory dumps (path, filesize)
  memory/944-11-0x0000000000400000-0x0000000000870000-memory.dmp    4.4MB
  memory/944-10-0x0000000000A40000-0x0000000000B40000-memory.dmp    1024KB
  memory/944-15-0x0000000000400000-0x0000000000870000-memory.dmp    4.4MB
  memory/2228-2-0x0000000000020000-0x0000000000033000-memory.dmp    76KB
  memory/2228-4-0x0000000000400000-0x0000000000870000-memory.dmp    4.4MB
  memory/2228-7-0x0000000000400000-0x0000000000870000-memory.dmp    4.4MB
  memory/2228-1-0x0000000000930000-0x0000000000A30000-memory.dmp    1024KB
  memory/2536-9-0x0000000000080000-0x0000000000095000-memory.dmp    84KB
  memory/2536-14-0x0000000000080000-0x0000000000095000-memory.dmp   84KB
  memory/2536-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
  memory/2536-18-0x0000000000080000-0x0000000000095000-memory.dmp   84KB
  memory/2536-19-0x0000000000080000-0x0000000000095000-memory.dmp   84KB
  memory/2536-20-0x0000000000080000-0x0000000000095000-memory.dmp   84KB