Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
16-04-2024 17:15
Static task
static1
Behavioral task
behavioral1
Sample
f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe
-
Size
13.8MB
-
MD5
f3f2db53df6a8bfacad1f9505974507b
-
SHA1
af188ac402c82241975cb6ff17faf8314fd6c80d
-
SHA256
610cb49791e670b6896af06ee549ee7aa56979e10e0b353044949ccb3ad42c7e
-
SHA512
a1ec956694c021bb4a89c1b0543e52462461e2ffcc70f04ea29a3f4c509784e65997602835df1867905e2cc466c1f8bd8d7755abee8d3a33ce02ab40a38426e4
-
SSDEEP
49152:cjrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrn:W
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1000 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qljxajsp\ImagePath = "C:\\Windows\\SysWOW64\\qljxajsp\\wijdyuvs.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 4672 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
wijdyuvs.exepid process 4896 wijdyuvs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
wijdyuvs.exedescription pid process target process PID 4896 set thread context of 4672 4896 wijdyuvs.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2680 sc.exe 816 sc.exe 3592 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exewijdyuvs.exedescription pid process target process PID 1240 wrote to memory of 1804 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 1804 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 1804 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 4808 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 4808 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 4808 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe cmd.exe PID 1240 wrote to memory of 3592 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 3592 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 3592 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 2680 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 2680 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 2680 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 816 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 816 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 816 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe sc.exe PID 1240 wrote to memory of 1000 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe netsh.exe PID 1240 wrote to memory of 1000 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe netsh.exe PID 1240 wrote to memory of 1000 1240 f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe netsh.exe PID 4896 wrote to memory of 4672 4896 wijdyuvs.exe svchost.exe PID 4896 wrote to memory of 4672 4896 wijdyuvs.exe svchost.exe PID 4896 wrote to memory of 4672 4896 wijdyuvs.exe svchost.exe PID 4896 wrote to memory of 4672 4896 wijdyuvs.exe svchost.exe PID 4896 wrote to memory of 4672 4896 wijdyuvs.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qljxajsp\2⤵PID:1804
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wijdyuvs.exe" C:\Windows\SysWOW64\qljxajsp\2⤵PID:4808
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create qljxajsp binPath= "C:\Windows\SysWOW64\qljxajsp\wijdyuvs.exe /d\"C:\Users\Admin\AppData\Local\Temp\f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:3592 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description qljxajsp "wifi internet conection"2⤵
- Launches sc.exe
PID:2680 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start qljxajsp2⤵
- Launches sc.exe
PID:816 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:1000
-
C:\Windows\SysWOW64\qljxajsp\wijdyuvs.exeC:\Windows\SysWOW64\qljxajsp\wijdyuvs.exe /d"C:\Users\Admin\AppData\Local\Temp\f3f2db53df6a8bfacad1f9505974507b_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
PID:4672
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\wijdyuvs.exeFilesize
11.9MB
MD54ae26df2155ca5113a6e89a3282d2a5e
SHA12e10cba82015bae0c26bbc0ad5443b57fcbc43f3
SHA25643e33a702d4a434826f2e70fab36b0ca8f21e4b9f3b8d87740b588aa2b596e87
SHA5124bc92daebd431fceb8515c6a1008bcf51168059c9b6f91be77d27776dc7b94728a480d040f85c91aaa7a244bbf56c30c26f67fd5a99b8697a9027dd974fc4246
-
memory/1240-2-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1240-1-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/1240-3-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/1240-6-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1240-0-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4672-16-0x0000000001260000-0x0000000001275000-memory.dmpFilesize
84KB
-
memory/4672-18-0x0000000001260000-0x0000000001275000-memory.dmpFilesize
84KB
-
memory/4672-11-0x0000000001260000-0x0000000001275000-memory.dmpFilesize
84KB
-
memory/4672-17-0x0000000001260000-0x0000000001275000-memory.dmpFilesize
84KB
-
memory/4672-15-0x0000000001260000-0x0000000001275000-memory.dmpFilesize
84KB
-
memory/4896-8-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4896-12-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4896-10-0x0000000000590000-0x0000000000591000-memory.dmpFilesize
4KB