Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 19:57
Static task: static1
Behavioral task: behavioral1
  Sample: f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe
Size: 12.8MB
MD5: f4379df92ea34be1cb41c7e3536ecb0c
SHA1: 82206de9b5c6c49ed2d50670f5c7864d3c5b8585
SHA256: 9eaf3abe529ee8d32d56010c1995a57c5b471e45590d6186cbbc32f734fcd2fc
SHA512: 611aae0075b43c8903d3a2637b1927009ed7742999784548a167deff7e7d73f04def46ce802757c4372cfa1238f32d275279afec9de6f4f865c343021da3e986
SSDEEP
24576:PUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmX:PF15
Malware Config
Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures
Windows security bypass
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nbairrra = "0" | svchost.exe
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | process
2056 | netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nbairrra\ImagePath = "C:\\Windows\\SysWOW64\\nbairrra\\erndlsnx.exe" | svchost.exe
Deletes itself 1 IoCs
Processes: svchost.exe
pid | process
2400 | svchost.exe
Executes dropped EXE 1 IoCs
Processes: erndlsnx.exe
pid | process
2788 | erndlsnx.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: erndlsnx.exe
description | pid | process | target process
PID 2788 set thread context of 2400 | 2788 | erndlsnx.exe | svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
2732 | sc.exe
2652 | sc.exe
2708 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
Processes: f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe, erndlsnx.exe
description | pid | process | target process
PID 2020 wrote to memory of 1152 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 1152 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 1152 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 1152 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 2980 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 2980 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 2980 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 2980 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | cmd.exe
PID 2020 wrote to memory of 2652 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2652 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2652 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2652 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2708 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2708 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2708 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2708 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2732 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2732 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2732 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2732 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | sc.exe
PID 2020 wrote to memory of 2056 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | netsh.exe
PID 2020 wrote to memory of 2056 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | netsh.exe
PID 2020 wrote to memory of 2056 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | netsh.exe
PID 2020 wrote to memory of 2056 | 2020 | f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe | netsh.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
PID 2788 wrote to memory of 2400 | 2788 | erndlsnx.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2020
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nbairrra\
      PID: 1152
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\erndlsnx.exe" C:\Windows\SysWOW64\nbairrra\
      PID: 2980
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create nbairrra binPath= "C:\Windows\SysWOW64\nbairrra\erndlsnx.exe /d\"C:\Users\Admin\AppData\Local\Temp\f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
      PID: 2652
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description nbairrra "wifi internet conection"
      - Launches sc.exe
      PID: 2708
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start nbairrra
      - Launches sc.exe
      PID: 2732
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
      PID: 2056
C:\Windows\SysWOW64\nbairrra\erndlsnx.exe
  Command line: C:\Windows\SysWOW64\nbairrra\erndlsnx.exe /d"C:\Users\Admin\AppData\Local\Temp\f4379df92ea34be1cb41c7e3536ecb0c_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2788
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
      PID: 2400
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\erndlsnx.exe
  Filesize: 10.6MB
  MD5: e99893b3f0be566d2877469cab934ec4
  SHA1: 77fc81095f87e0ce1394188aea90802c535b14e4
  SHA256: 4238d19792154fe016f9e99ca388078e5f326d47c1baefd18895013a9908dcc7
  SHA512: ff0711ac895eb5643b088357c46ec0dea84ed30bad86a4a715e4b2654cd167c62c8efd560c1788c007f94fae3255fff54a7c1d494d29bb633295f89425266b28
memory/2020-2-0x0000000000230000-0x0000000000243000-memory.dmp
  Filesize: 76KB
memory/2020-3-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
memory/2020-8-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
memory/2020-9-0x0000000000230000-0x0000000000243000-memory.dmp
  Filesize: 76KB
memory/2020-1-0x00000000005B0000-0x00000000006B0000-memory.dmp
  Filesize: 1024KB
memory/2400-20-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2400-10-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2400-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
memory/2400-22-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2400-15-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2400-21-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2788-11-0x00000000005A0000-0x00000000006A0000-memory.dmp
  Filesize: 1024KB
memory/2788-17-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
memory/2788-13-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB