Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 21:36
Static task
static1
Behavioral task
behavioral1
Sample
f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe
-
Size
13.4MB
-
MD5
f8cc259a0c835f7c01a3d4a76fbbf0e9
-
SHA1
37bd6f7e3c970355684bbe521ade1bef750cea74
-
SHA256
d070f43729c000ac138d6666b1ec932d5b513f94fd4eeba1f549811146a25a01
-
SHA512
fadab6c9f3a4bba02ce0ea4a967aba52ed04ce0096796bce8d2cf66ff91a45767cde6ed646d672355afc74791f377fa2c02b499c6c2eb6490f7c7674396dce63
-
SSDEEP
24576:5Uqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmH:5F15
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zsrxnaip = "0" svchost.exe -
Creates new service(s) 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2544 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zsrxnaip\ImagePath = "C:\\Windows\\SysWOW64\\zsrxnaip\\veqwgbxn.exe" svchost.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 2584 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
veqwgbxn.exepid process 2740 veqwgbxn.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
veqwgbxn.exedescription pid process target process PID 2740 set thread context of 2584 2740 veqwgbxn.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2568 sc.exe 2520 sc.exe 2676 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exeveqwgbxn.exedescription pid process target process PID 2788 wrote to memory of 1240 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1240 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1240 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1240 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1968 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1968 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1968 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 1968 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe cmd.exe PID 2788 wrote to memory of 2520 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2520 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2520 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2520 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2676 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2676 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2676 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2676 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2568 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2568 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2568 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2568 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe sc.exe PID 2788 wrote to memory of 2544 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe netsh.exe PID 2788 wrote to memory of 2544 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe netsh.exe PID 2788 wrote to memory of 2544 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe netsh.exe PID 2788 wrote to memory of 2544 2788 f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe netsh.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe PID 2740 wrote to memory of 2584 2740 veqwgbxn.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zsrxnaip\2⤵PID:1240
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\veqwgbxn.exe" C:\Windows\SysWOW64\zsrxnaip\2⤵PID:1968
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create zsrxnaip binPath= "C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe /d\"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:2520 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description zsrxnaip "wifi internet conection"2⤵
- Launches sc.exe
PID:2676 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start zsrxnaip2⤵
- Launches sc.exe
PID:2568 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
PID:2544
-
C:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exeC:\Windows\SysWOW64\zsrxnaip\veqwgbxn.exe /d"C:\Users\Admin\AppData\Local\Temp\f8cc259a0c835f7c01a3d4a76fbbf0e9_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2584
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10.0MB
MD5be90322f34ea4117afe828b2bc65de3e
SHA1f6f0310419ba7ba88d14783df434a25ba436e5d4
SHA256ea00bb468b500c73746846b22935d2d394d44f3bf313917255f04b61e0c83a1f
SHA51266a4f0c69c29fdd73b66c32435f5be702d0568568effad86d6245c18d8d37f88c5190586eb4f40edeefac1501c7a7c7880ce497b512bf7e33f96641c73cff9e2