Analysis
max time kernel: 146s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
17-04-2024 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
Size: 13.5MB
MD5: f5cbfe63e02723b835516647584848d4
SHA1: 07dd6af989d6d11f4efcf5a9594912d851b10135
SHA256: 6d11a016ff70b46205d7ef21efb3fa132b878580a77ed923566257751dd7a11d
SHA512: a5143335125344278d49a9eb6be29bbd8fb05aa84d00e01e5e05b2bee4243a8d45c2f469cb46f5e04af70679511b6a1ebc3ea261894dca3bb0fa0a498321b91f
SSDEEP: 6144:x2BxZXDssssssssssssssssssssssssssssssssssssssssssssssssssssssssk:x4V
Malware Config
Extracted
  Family: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Windows security bypass
  svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dhmexdxr = "0"
  (The value name is the excluded folder; this removes the service's own directory from Defender scanning.)

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  netsh.exe (PID 2556)

Sets service image path in registry 2 TTPs 1 IoCs
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dhmexdxr\ImagePath = "C:\\Windows\\SysWOW64\\dhmexdxr\\ddcithor.exe"

Deletes itself 1 IoCs
  svchost.exe (PID 2484)

Executes dropped EXE 1 IoCs
  ddcithor.exe (PID 2532)

Suspicious use of SetThreadContext 1 IoCs
  ddcithor.exe (PID 2532) set thread context of svchost.exe (PID 2484)

Launches sc.exe 3 IoCs
  sc.exe is the Windows utility for controlling services on the system.
  sc.exe (PIDs 2752, 2552, 2620)

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  One row per source/target pair; the trailing number is how many WriteProcessMemory calls were recorded for that pair.
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> cmd.exe (PID 3056): 4
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> cmd.exe (PID 2568): 4
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> sc.exe (PID 2752): 4
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> sc.exe (PID 2552): 4
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> sc.exe (PID 2620): 4
  f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe (PID 1760) -> netsh.exe (PID 2556): 4
  ddcithor.exe (PID 2532) -> svchost.exe (PID 2484): 6
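The WriteProcessMemory and SetThreadContext IoCs above only become a process-hollowing finding when read together: the dropper writing into cmd.exe, sc.exe and netsh.exe right after spawning them is ordinary CreateProcess behaviour, whereas ddcithor.exe writing six times into svchost.exe and then resetting that process's thread context is the classic hollowing sequence. The following Python is an added example, not part of the sandbox report or of any vendor tooling, that correlates event lines in the report's own format and then joins the result with the registry IoCs attributed to svchost.exe. The event lines are copied from the lists above with the 30 duplicates collapsed into repeat counts; the HOLLOW_HOSTS list and the image-name join between registry IoCs and the hollowed process (the report prints no PID for registry IoCs) are assumptions of this example.

```python
"""Correlate the report's API and registry IoC lines into a process-hollowing verdict."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Event lines in the shape this report prints, with repeat counts instead of
# the 30 verbatim duplicates (constructed from the IoC lists above).
REPORT_EVENTS: List[Tuple[str, int]] = [
    ("PID 1760 wrote to memory of 3056 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe cmd.exe", 4),
    ("PID 1760 wrote to memory of 2568 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe cmd.exe", 4),
    ("PID 1760 wrote to memory of 2752 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe sc.exe", 4),
    ("PID 1760 wrote to memory of 2552 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe sc.exe", 4),
    ("PID 1760 wrote to memory of 2620 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe sc.exe", 4),
    ("PID 1760 wrote to memory of 2556 1760 f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe netsh.exe", 4),
    ("PID 2532 set thread context of 2484 2532 ddcithor.exe svchost.exe", 1),
    ("PID 2532 wrote to memory of 2484 2532 ddcithor.exe svchost.exe", 6),
]

# Registry IoCs the report attributes to svchost.exe (no PID is printed for these).
REPORT_REGISTRY_WRITES = [
    r'svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dhmexdxr = "0"',
    r'svchost.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dhmexdxr\ImagePath = "C:\\Windows\\SysWOW64\\dhmexdxr\\ddcithor.exe"',
]

EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) '
    r'(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$'
)
REG_RE = re.compile(r'^(?P<proc>\S+) Set value \((?:int|str)\) (?P<key>.+?) = "(?P<val>.*)"$')

# Windows binaries routinely used as hollowing hosts (heuristic, assumed list).
HOLLOW_HOSTS = {"svchost.exe", "explorer.exe", "rundll32.exe", "regsvr32.exe"}


def expand(events: List[Tuple[str, int]]) -> List[str]:
    """Turn (line, count) pairs back into one line per recorded API call."""
    return [line for line, n in events for _ in range(n)]


def hollowing_candidates(lines: List[str]) -> List[Dict]:
    """Flag (injector, target) pairs that saw BOTH WriteProcessMemory and SetThreadContext.

    A parent writing into a child it just spawned (cmd.exe, sc.exe here) is normal
    CreateProcess behaviour; only the combination with SetThreadContext, which points
    the target's thread at the written code, is treated as hollowing.
    """
    pairs: Dict[Tuple[int, int], Dict] = defaultdict(lambda: {"apis": set(), "writes": 0})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["apis"].add(m["api"])
        rec["src_img"], rec["dst_img"] = m["src_img"], m["dst_img"]
        if m["api"] == "wrote to memory of":
            rec["writes"] += 1
    out = []
    for (src, dst), rec in pairs.items():
        if {"wrote to memory of", "set thread context of"} <= rec["apis"]:
            out.append({"src": src, "dst": dst, "src_img": rec["src_img"], "dst_img": rec["dst_img"],
                        "writes": rec["writes"], "system_host": rec["dst_img"].lower() in HOLLOW_HOSTS})
    return out


def defender_exclusions(reg_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (process, excluded path) for every Defender path-exclusion write."""
    marker = "\\Windows Defender\\Exclusions\\Paths\\"
    found = []
    for line in reg_lines:
        m = REG_RE.match(line)
        if m and marker in m["key"]:
            found.append((m["proc"], m["key"].split(marker, 1)[1]))
    return found


def service_image_paths(reg_lines: List[str]) -> Dict[str, str]:
    """Return {service name: ImagePath} for every service ImagePath write."""
    paths = {}
    for line in reg_lines:
        m = REG_RE.match(line)
        if not m:
            continue
        svc = re.search(r'\\services\\([^\\]+)\\ImagePath$', m["key"], re.I)
        if svc:
            # The report prints the value with doubled backslashes; undo that.
            paths[svc.group(1)] = m["val"].replace("\\\\", "\\")
    return paths


def verdict(lines: List[str], reg_lines: List[str]) -> List[Dict]:
    """Join each hollowing pair with the Defender exclusions its hollowed image wrote.

    The registry IoCs carry only an image name, so the join is by name (assumption).
    """
    excl = defender_exclusions(reg_lines)
    result = []
    for cand in hollowing_candidates(lines):
        cand["exclusions"] = [p for proc, p in excl if proc.lower() == cand["dst_img"].lower()]
        result.append(cand)
    return result


if __name__ == "__main__":
    for v in verdict(expand(REPORT_EVENTS), REPORT_REGISTRY_WRITES):
        print(f"hollowing: {v['src_img']} ({v['src']}) -> {v['dst_img']} ({v['dst']}), "
              f"{v['writes']} writes, system host={v['system_host']}, exclusions={v['exclusions']}")
    print("service image paths:", service_image_paths(REPORT_REGISTRY_WRITES))
```

Run as-is it reports the single ddcithor.exe (2532) -> svchost.exe (2484) pair, the Defender exclusion for C:\Windows\SysWOW64\dhmexdxr written by that svchost.exe, and the dhmexdxr ImagePath; none of the dropper's writes into its cmd.exe, sc.exe or netsh.exe children are flagged. On a real endpoint the same logic wants CREATE_SUSPENDED on the target and a ResumeThread after the context change, which this report does not record.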
Processes
Image paths are shown under SysWOW64 because the sample is 32-bit: its references to C:\Windows\System32 are redirected by WOW64 file system redirection. The /d argument passed to the service binary hands it the dropper's own path, consistent with the "Deletes itself" signature on the hollowed svchost.exe.

C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe
  command: "C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dhmexdxr\
  C:\Windows\SysWOW64\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddcithor.exe" C:\Windows\SysWOW64\dhmexdxr\
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" create dhmexdxr binPath= "C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d\"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" description dhmexdxr "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    command: "C:\Windows\System32\sc.exe" start dhmexdxr
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe
  command: C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
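The seven command lines in the tree above are one install procedure: create a folder under SysWOW64, move the dropped binary into it, register it as an auto-start service with a benign-looking display name, start it, and punch an inbound firewall hole for the svchost.exe that will later be hollowed. The following Python is an added example, not part of the report or of the sample, that runs three command-line detectors over those lines and ties them together into one verdict; it generalises slightly beyond this sample by accepting either system directory and ignoring a service whose binary sits directly in SysWOW64 rather than in a freshly created subfolder. The command lines are copied from the tree above; the SYSTEM_DIRS tuple, the detector names and the chain rule are assumptions of this example.

```python
"""Flag the service-install chain in this report from process command lines alone."""
import re
from typing import Dict, List, Optional

# Command lines copied from the process tree above (sample input for this example).
REPORT_COMMAND_LINES = r'''
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dhmexdxr\
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddcithor.exe" C:\Windows\SysWOW64\dhmexdxr\
"C:\Windows\System32\sc.exe" create dhmexdxr binPath= "C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d\"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
"C:\Windows\System32\sc.exe" description dhmexdxr "wifi internet conection"
"C:\Windows\System32\sc.exe" start dhmexdxr
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
C:\Windows\SysWOW64\dhmexdxr\ddcithor.exe /d"C:\Users\Admin\AppData\Local\Temp\f5cbfe63e02723b835516647584848d4_JaffaCakes118.exe"
'''.strip().splitlines()

# key=value and key= "value" pairs as sc.exe and netsh.exe accept them; the quoted
# alternative tolerates the \" escapes seen inside binPath above.
KV_RE = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|[^\s>]+)')
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")  # assumed scope


def parse_kv(cmd: str) -> Dict[str, str]:
    pairs = {}
    for key, val in KV_RE.findall(cmd):
        pairs[key.lower()] = val[1:-1] if val.startswith('"') else val
    return pairs


def detect_temp_to_system_move(cmd: str) -> Optional[Dict[str, str]]:
    """A file moved out of %TEMP% into a Windows system directory."""
    m = re.search(r'\bmove\s+(?:/y\s+)?"?([^"\s]+)"?\s+(\S+)', cmd, re.I)
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    if "\\appdata\\local\\temp\\" in src.lower() and dst.lower().startswith(SYSTEM_DIRS):
        return {"kind": "drop", "src": src, "dst": dst.rstrip("\\")}
    return None


def detect_service_install(cmd: str) -> Optional[Dict[str, str]]:
    """sc create of an auto-start service whose binary lives in a subfolder of a system dir."""
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)', cmd, re.I)
    if not m:
        return None
    kv = parse_kv(cmd)
    # First whitespace-separated token of binPath is the service binary
    # (a quoted path containing spaces would need quote-aware splitting).
    image = kv.get("binpath", "").split(" ", 1)[0]
    low = image.lower()
    in_new_subdir = any(low.startswith(d) and "\\" in low[len(d):] for d in SYSTEM_DIRS)
    if in_new_subdir and kv.get("start", "").lower() == "auto":
        return {"kind": "service", "service": m.group(1), "image": image,
                "start": kv["start"], "display": kv.get("displayname", "")}
    return None


def detect_firewall_allow(cmd: str) -> Optional[Dict[str, str]]:
    """netsh rule allowing inbound traffic to a specific program."""
    if not re.search(r'advfirewall\s+firewall\s+add\s+rule', cmd, re.I):
        return None
    kv = parse_kv(cmd)
    if kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in":
        return {"kind": "firewall", "name": kv.get("name", ""), "program": kv.get("program", "")}
    return None


DETECTORS = (detect_temp_to_system_move, detect_service_install, detect_firewall_allow)


def analyse(cmdlines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for cmd in cmdlines:
        for detector in DETECTORS:
            hit = detector(cmd)
            if hit:
                findings.append(hit)
    return findings


def is_install_chain(findings: List[Dict[str, str]]) -> bool:
    """True when the dropped file's folder is the new service's folder and a firewall hole follows."""
    drops = {f["dst"].lower() for f in findings if f["kind"] == "drop"}
    services = [f for f in findings if f["kind"] == "service"]
    firewall = any(f["kind"] == "firewall" for f in findings)
    linked = any(f["image"].lower().rsplit("\\", 1)[0] in drops for f in services)
    return linked and firewall


if __name__ == "__main__":
    hits = analyse(REPORT_COMMAND_LINES)
    for h in hits:
        print(h)
    print("service install chain:", is_install_chain(hits))
```

The chain rule deliberately needs the move destination and the service binary's folder to agree: sc create of an auto-start service on its own is routine software installation, and a netsh allow rule for svchost.exe on its own is noisy, but the three together on a folder that did not exist a moment earlier is what this report shows.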
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\ddcithor.exe
  Filesize: 10.2MB
  MD5: a903e7a15f48ac727e8a99b6344cd1d1
  SHA1: 2a8bbdd0a5e9f8667a7fa7ac663a9a875ecc1c40
  SHA256: f2a45e63cd66bdf32e2b7ce3f7577bcdbb14a99f6cb45b6b7428353eef1fb4cb
  SHA512: 278769c871d9d6d62e6a1374f5f981fb1d5605a56fb0ca79176f1a4d58e03bd720d25d35ad9302e63a95b8d9643210f4389c311deab59e0c3a05f1266ff1fc58

Memory dumps (file name encodes PID, dump index and address range)
  memory/1760-0-0x0000000000240000-0x0000000000241000-memory.dmp  4KB
  memory/1760-1-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/1760-2-0x0000000000250000-0x0000000000251000-memory.dmp  4KB
  memory/1760-5-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/2532-7-0x00000000001C0000-0x00000000001C1000-memory.dmp  4KB
  memory/2532-8-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/2532-15-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
  memory/2484-9-0x0000000000080000-0x0000000000095000-memory.dmp  84KB
  memory/2484-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2484-12-0x0000000000080000-0x0000000000095000-memory.dmp  84KB
  memory/2484-17-0x0000000000080000-0x0000000000095000-memory.dmp  84KB
  memory/2484-18-0x0000000000080000-0x0000000000095000-memory.dmp  84KB
  memory/2484-19-0x0000000000080000-0x0000000000095000-memory.dmp  84KB