Analysis
- max time kernel: 164s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 05:06
Static task: static1
Behavioral task: behavioral1
- Sample: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe
- Size: 14.7MB
- MD5: f75321be65ccd1fb27f978e8ec360738
- SHA1: 60cefa28535cc8f77cc1b8e6aaf03ba6762f5e38
- SHA256: d9cc026783b0511da70d785bbd3093e11bb0927115bc7409d25b1c9ae3d1e7e1
- SHA512: 81e650c4e50195dadec6f1bde08c4296cf1938fbe7563bd5598f824558e047dcc0030c0e9d99ec89ea41c4905c309254e8717c4e910470afd4d95a7bd6e5ff22
- SSDEEP: 12288:GRXQK44fy611111111111111111111111111111111111111111111111111111H:GRx2
Malware Config
Extracted: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Windows security bypass
  Processes: svchost.exe
  IoC: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zaoupwpo = "0" (svchost.exe)
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 2424)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\zaoupwpo\ImagePath = "C:\\Windows\\SysWOW64\\zaoupwpo\\pkogwhjh.exe" (svchost.exe)
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 828)
- Executes dropped EXE (2 IoCs)
  Processes: hqkphgbx.exe (PID 2916), pkogwhjh.exe (PID 2684)
- Loads dropped DLL (2 IoCs)
  Processes: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe (PID 2264, listed twice)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\abpvqxqp = "\"C:\\Users\\Admin\\hqkphgbx.exe\"" (f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: pkogwhjh.exe
  IoC: PID 2684 (pkogwhjh.exe) set thread context of PID 828 (svchost.exe)
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PIDs 2444, 2432, 2664, 2500, 572)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes: f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe, hqkphgbx.exe, pkogwhjh.exe
  IoCs (source PID and process -> target PID and process, number of recorded writes):
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2616 cmd.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2608 cmd.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2444 sc.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2432 sc.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2664 sc.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2424 netsh.exe (4)
  - PID 2264 f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe -> PID 2916 hqkphgbx.exe (4)
  - PID 2916 hqkphgbx.exe -> PID 676 cmd.exe (4)
  - PID 2916 hqkphgbx.exe -> PID 2500 sc.exe (4)
  - PID 2916 hqkphgbx.exe -> PID 572 sc.exe (4)
  - PID 2684 pkogwhjh.exe -> PID 828 svchost.exe (6)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zaoupwpo\
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pkogwhjh.exe" C:\Windows\SysWOW64\zaoupwpo\
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create zaoupwpo binPath= "C:\Windows\SysWOW64\zaoupwpo\pkogwhjh.exe /d\"C:\Users\Admin\AppData\Local\Temp\f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description zaoupwpo "wifi internet conection"
    signatures: Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start zaoupwpo
    signatures: Launches sc.exe
  - [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
  - [depth 2] C:\Users\Admin\hqkphgbx.exe
    command line: "C:\Users\Admin\hqkphgbx.exe" /d"C:\Users\Admin\AppData\Local\Temp\f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kwvjuemg.exe" C:\Windows\SysWOW64\zaoupwpo\
    - [depth 3] C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" config zaoupwpo binPath= "C:\Windows\SysWOW64\zaoupwpo\kwvjuemg.exe /d\"C:\Users\Admin\hqkphgbx.exe\""
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\SysWOW64\sc.exe
      command line: "C:\Windows\System32\sc.exe" start zaoupwpo
      signatures: Launches sc.exe
- [depth 1] C:\Windows\SysWOW64\zaoupwpo\pkogwhjh.exe
  command line: C:\Windows\SysWOW64\zaoupwpo\pkogwhjh.exe /d"C:\Users\Admin\AppData\Local\Temp\f75321be65ccd1fb27f978e8ec360738_JaffaCakes118.exe"
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\kwvjuemg.exe
  Filesize: 13.0MB
  MD5: c64a07ac5bfa97d14c04fae29e8d8b8a
  SHA1: 54249617c27ae789f2c1327fb4ef84307b715444
  SHA256: 62802d9427b10a9ae052c665cb58a41b641cafc8ee779e7c82a319a3390283b3
  SHA512: e9e0e474101903714cdaa40184cf511a233baf7d18fcc5d74450ed94f5020b4398e706d2400a643a947302e8b6c4db59295ce0d5df0e09e565a35c1fb2d2f47e
- C:\Users\Admin\AppData\Local\Temp\pkogwhjh.exe
  Filesize: 12.4MB
  MD5: 1fe7c5f13cd2deb84cabe8a410e9b8a7
  SHA1: 655c943a06a3dda67d2c64edd9148a3458d189af
  SHA256: 57f08b21148319bf0b48ff919ee5d5c3be8b7720a7e0d71184ea85d9d610713a
  SHA512: a29754eb6efe9fd721a6393f7914720cd99d870ff82925bc6e8a06fdb933831e470d208118ae23669ee80dadce90ca374875352a167f5400525f9d1c63b7bacc
- \Users\Admin\hqkphgbx.exe
  Filesize: 14.1MB
  MD5: 567817bc387628d35d2a272638d17260
  SHA1: e2391f282c8296a6359e24f600b1764e724e7992
  SHA256: eb62c4fe385093a49b75e8b317f5b320cb96801a62e2b8b8e3e1d0567075a11e
  SHA512: 8be7d62529a7f183f24667f1f7eec6b2c96138cfc47ae90602bddc49477b72e4474a41e355510ca8012f62ce83217cb57df5650336b12b5f10e110040c7649bd
- Memory dumps (path, Filesize):
  - memory/828-29-0x00000000000C0000-0x00000000000D5000-memory.dmp: 84KB
  - memory/828-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  - memory/828-35-0x00000000000C0000-0x00000000000D5000-memory.dmp: 84KB
  - memory/828-38-0x00000000000C0000-0x00000000000D5000-memory.dmp: 84KB
  - memory/828-37-0x00000000000C0000-0x00000000000D5000-memory.dmp: 84KB
  - memory/828-32-0x00000000000C0000-0x00000000000D5000-memory.dmp: 84KB
  - memory/2264-21-0x0000000000020000-0x0000000000033000-memory.dmp: 76KB
  - memory/2264-2-0x0000000000020000-0x0000000000033000-memory.dmp: 76KB
  - memory/2264-4-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2264-7-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2264-18-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2264-1-0x00000000033E0000-0x00000000034E0000-memory.dmp: 1024KB
  - memory/2684-27-0x00000000034A0000-0x00000000035A0000-memory.dmp: 1024KB
  - memory/2684-26-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2684-28-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2684-36-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2916-17-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2916-24-0x0000000000400000-0x0000000003359000-memory.dmp: 47.3MB
  - memory/2916-16-0x00000000002F0000-0x00000000003F0000-memory.dmp: 1024KB