Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe
- Size: 12.9MB
- MD5: f4c26a587ceedc4e1f881db4635d2e46
- SHA1: 222207a71d9e9e3eb534b4fdbd644e848f1c24e0
- SHA256: 683fa1172ed26a953994f43177ceff28ee665a14736e73fc6f91f9fe330545a0
- SHA512: 722be7f412946c0b4a29b611afea11f0d5ca8b4d3263904299a2102a7a58dd1cb5a115f56a298820ade78b89c229e372189648db33de1cd2c13a8b09cc2a2463
- SSDEEP:
196608:vV8YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY/:
Malware Config
- Extracted: tofsee
  - 43.231.4.6
  - lazystax.ru
Signatures
- Windows security bypass
  Processes: svchost.exe
  IoC: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\stajuqdg = "0" (svchost.exe)
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 2600)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\stajuqdg\ImagePath = "C:\\Windows\\SysWOW64\\stajuqdg\\pvgrjyse.exe" (svchost.exe)
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 2444)
- Executes dropped EXE (1 IoCs)
  Processes: pvgrjyse.exe (PID 3032)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: pvgrjyse.exe
  IoC: PID 3032 (pvgrjyse.exe) set thread context of PID 2444 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 2648), sc.exe (PID 2592), sc.exe (PID 2712)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe, pvgrjyse.exe
  IoCs (source PID wrote to memory of target PID; source process -> target process):
  - PID 2524 wrote to memory of 2004: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 2004: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 2004: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 2004: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 3020: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 3020: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 3020: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 3020: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> cmd.exe
  - PID 2524 wrote to memory of 2648: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2648: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2648: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2648: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2592: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2592: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2592: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2592: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2712: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2712: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2712: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2712: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> sc.exe
  - PID 2524 wrote to memory of 2600: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> netsh.exe
  - PID 2524 wrote to memory of 2600: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> netsh.exe
  - PID 2524 wrote to memory of 2600: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> netsh.exe
  - PID 2524 wrote to memory of 2600: f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe -> netsh.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
  - PID 3032 wrote to memory of 2444: pvgrjyse.exe -> svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe"
  PID: 2524
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\stajuqdg\
    PID: 2004
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pvgrjyse.exe" C:\Windows\SysWOW64\stajuqdg\
    PID: 3020
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create stajuqdg binPath= "C:\Windows\SysWOW64\stajuqdg\pvgrjyse.exe /d\"C:\Users\Admin\AppData\Local\Temp\f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2648
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description stajuqdg "wifi internet conection"
    PID: 2592
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start stajuqdg
    PID: 2712
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2600
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\stajuqdg\pvgrjyse.exe
  Command line: C:\Windows\SysWOW64\stajuqdg\pvgrjyse.exe /d"C:\Users\Admin\AppData\Local\Temp\f4c26a587ceedc4e1f881db4635d2e46_JaffaCakes118.exe"
  PID: 3032
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2444
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\pvgrjyse.exe
  Filesize: 10.9MB
  MD5: c9716a8dd1dc365868438cfc7961c1f8
  SHA1: afe80977fd34795c9d4b74b91cc805def4888e34
  SHA256: cef7b7ab3512958f26c4b4021765c5c18e5e64b6a0a8373d08139436fe145b17
  SHA512: 18f76e5fc3d169d073a77d42d0b26dc7724c44b5f7f24306b300b3a1d3f9beed247821cd954c317fb1f7b6a575a230bcbddeb94eb0e43d96fd55a305e107a22a
- memory/2444-9-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2444-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2444-12-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2444-18-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2444-19-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2444-20-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2444-21-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2524-4-0x0000000000400000-0x00000000008EA000-memory.dmp (Filesize: 4.9MB)
- memory/2524-1-0x0000000000A80000-0x0000000000B80000-memory.dmp (Filesize: 1024KB)
- memory/2524-7-0x0000000000400000-0x00000000008EA000-memory.dmp (Filesize: 4.9MB)
- memory/2524-3-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/3032-14-0x00000000009A0000-0x0000000000AA0000-memory.dmp (Filesize: 1024KB)
- memory/3032-15-0x0000000000400000-0x00000000008EA000-memory.dmp (Filesize: 4.9MB)