Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 09:09

Static task: static1

Behavioral task: behavioral1
- Sample: f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
- Resource: win7-20240319-en

Behavioral task: behavioral2
- Sample: f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
- Size: 10.4MB
- MD5: f570f71d8285dce6ba5ac8ead17b0435
- SHA1: ab4efe5cba052b2ba724222540043c90d9d6980c
- SHA256: 62b95f3ef9cdf1e9c528d859c4d4116e114cf90b9711e1bc486ab4d034bd574e
- SHA512: 56034472678e5d6610f1cb9b59f4b3a60c96b281b3fceb529742cdf51ec213c08e16a6b8e1748a06d461ff3d69bf7defdcac8cad10968c64d3c10135093de62f
- SSDEEP: 6144:fpcqzKUTS5Yde/qyQK8ZtqTMIKC/eUPFwUnyaAjLo7pU6eD:PKUO54e/q60tmT7/xPFwVjs7G6
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
- Windows security bypass
  Processes: svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tgqtwtsp = "0"
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe (PID 2696)
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tgqtwtsp\ImagePath = "C:\\Windows\\SysWOW64\\tgqtwtsp\\gyddkcwa.exe"
- Deletes itself 1 IoCs
  Processes: svchost.exe (PID 2740)
- Executes dropped EXE 1 IoCs
  Processes: gyddkcwa.exe (PID 2256)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: gyddkcwa.exe (PID 2256) set thread context of svchost.exe (PID 2740)
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 1920), sc.exe (PID 2652), sc.exe (PID 2548)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes (source PID wrote to memory of target PID, with the number of recorded writes):
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 1088 cmd.exe (4 writes)
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 2496 cmd.exe (4 writes)
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 1920 sc.exe (4 writes)
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 2652 sc.exe (4 writes)
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 2548 sc.exe (4 writes)
  - 2176 f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe -> 2696 netsh.exe (4 writes)
  - 2256 gyddkcwa.exe -> 2740 svchost.exe (6 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tgqtwtsp\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gyddkcwa.exe" C:\Windows\SysWOW64\tgqtwtsp\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create tgqtwtsp binPath= "C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe /d\"C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description tgqtwtsp "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start tgqtwtsp
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe
  Command line: C:\Windows\SysWOW64\tgqtwtsp\gyddkcwa.exe /d"C:\Users\Admin\AppData\Local\Temp\f570f71d8285dce6ba5ac8ead17b0435_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\gyddkcwa.exe
  - Filesize: 14.2MB
  - MD5: 2c6c6990ed2ef0879cde931d2c5c4e58
  - SHA1: 20f5e2960f35c74329a0b242ce1d40b412029690
  - SHA256: 516de4e6d211c7133c855c5d50204f2a884cdbd3ced12a20849b91fa59607e56
  - SHA512: eb8487833a8f46f62116ac651dd3bbe90f37dee67ae2ae9c8d458f0007de8199314960729a1e20e655e3dcec214679992be861098a579eda1a9db494eb4e7ee6
- memory/2176-2-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/2176-3-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
- memory/2176-8-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
- memory/2176-1-0x00000000005B0000-0x00000000006B0000-memory.dmp (Filesize: 1024KB)
- memory/2256-15-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
- memory/2256-9-0x0000000000540000-0x0000000000640000-memory.dmp (Filesize: 1024KB)
- memory/2256-11-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
- memory/2740-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2740-14-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2740-10-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2740-18-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2740-19-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2740-20-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)