Analysis
- max time kernel: 147s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 06:37
Static task: static1
Behavioral task: behavioral1
- Sample: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
- Size: 10.1MB
- MD5: f777ab88e7988a6197689c84bd5c200b
- SHA1: 9b8f94fe18fcfcbbb6ca1736751d6ca5ee417766
- SHA256: cc405e27cf3c45f22534764ed6c2c3d7dc46264b4c275cfc53b3cf6707c211a5
- SHA512: 9e9730d5ee6629003f29dcd9193ccd09acfa52256439a8408019273fd12b5c87138de4459d659c63a7eb505cc81039a50767ca33adf687a389a40aeb6ba64436
- SSDEEP: 12288:Iz+wSUpBMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs:Iz8
  The long run of identical characters in the ssdeep hash means most of the file consists of repeated content; the mapped image in memory is only 120KB (see the memory dumps below), so the 10.1MB on disk is largely padding.
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
- Windows security bypass
  Processes: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nyqjdkzi = "0"
  (A value under Exclusions\Paths registers that directory as a Defender scan exclusion; DWORD 0 is the form Defender itself writes, so the service directory is excluded from scanning.)
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe (PID 2916)
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nyqjdkzi\ImagePath = "C:\\Windows\\SysWOW64\\nyqjdkzi\\lsffitlg.exe"
- Deletes itself 1 IoCs
  Processes: svchost.exe (PID 2584)
- Executes dropped EXE 1 IoCs
  Processes: lsffitlg.exe (PID 2492)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: lsffitlg.exe (PID 2492) set thread context of svchost.exe (PID 2584)
- Launches sc.exe 3 IoCs
  sc.exe is the Windows utility for controlling services on the system.
  Processes: sc.exe (PID 1560), sc.exe (PID 1832), sc.exe (PID 2752)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe, lsffitlg.exe
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 2300 (cmd.exe): 4 writes
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 2832 (cmd.exe): 4 writes
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 1560 (sc.exe): 4 writes
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 1832 (sc.exe): 4 writes
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 2752 (sc.exe): 4 writes
  PID 2076 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 2916 (netsh.exe): 4 writes
  PID 2492 (lsffitlg.exe) wrote to memory of PID 2584 (svchost.exe): 6 writes
  The four writes into each child of the dropper are the normal process-creation pattern for a 32-bit parent; the six writes from lsffitlg.exe into svchost.exe, together with the SetThreadContext call above, are the hollowing of svchost.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nyqjdkzi\
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lsffitlg.exe" C:\Windows\SysWOW64\nyqjdkzi\
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create nyqjdkzi binPath= "C:\Windows\SysWOW64\nyqjdkzi\lsffitlg.exe /d\"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description nyqjdkzi "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start nyqjdkzi
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\nyqjdkzi\lsffitlg.exe
  C:\Windows\SysWOW64\nyqjdkzi\lsffitlg.exe /d"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself

The image paths are under SysWOW64 although the command lines name System32: the dropper is a 32-bit process on x64 Windows, so WOW64 file system redirection applies. lsffitlg.exe appears as a second root rather than under the dropper because it is started by the Service Control Manager after "sc start nyqjdkzi"; its /d argument carries the path of the original dropper, which is what the hollowed svchost.exe later removes ("Deletes itself"). The firewall rule name imitates the "Host Process for Windows Services" description of the legitimate svchost.exe, and the allow rule targets the 32-bit svchost.exe that the service hollows.
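The persistence chain in the process tree (a fresh directory under SysWOW64, "sc create" with a nested binPath and start= auto, and an inbound netsh allow rule for svchost.exe) together with the SetThreadContext/WriteProcessMemory pairing from the signatures above are the parts of this report worth turning into detection logic. The block below is an added example written for this page; it is not Tria.ge code and not anything recovered from the sample. It replays the report's command lines and PIDs as constructed process-creation and API-call records and flags each step. The tuple layouts, the parent PID 1000 assumed for the dropper, and the pairing of each sc.exe PID with its command line in report order are assumptions for the example.

```python
import re

# Constructed process-creation records (pid, parent pid, command line) replaying
# the process tree in the report. The layout and the dropper's parent PID 1000
# are assumptions; the command lines and child PIDs are the report's, paired in
# report order. A raw string cannot end in a backslash, hence the + '\\'.
PROC_EVENTS = [
    (2076, 1000, r'"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe"'),
    (2300, 2076, r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nyqjdkzi' + '\\'),
    (2832, 2076, r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lsffitlg.exe" C:\Windows\SysWOW64\nyqjdkzi' + '\\'),
    (1560, 2076, r'"C:\Windows\System32\sc.exe" create nyqjdkzi binPath= "C:\Windows\SysWOW64\nyqjdkzi\lsffitlg.exe /d\"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (1832, 2076, r'"C:\Windows\System32\sc.exe" description nyqjdkzi "wifi internet conection"'),
    (2752, 2076, r'"C:\Windows\System32\sc.exe" start nyqjdkzi'),
    (2916, 2076, r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
]

SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(?P<name>\S+)\s+(?P<rest>.*)$', re.I)
NETSH_ADD = re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b(?P<rest>.*)$', re.I)
# Service binary placed in a subdirectory of System32/SysWOW64 rather than directly in it.
NESTED_SYSTEM_DIR = re.compile(r'^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+\.exe$', re.I)


def kv(rest, key):
    """Value of key=value (netsh) or key= value (sc.exe) in an argument string.
    A quoted value may itself contain backslash-escaped quotes (the binPath here
    does), so a quoted value ends at the quote followed by the next key or EOL."""
    pat = r'\b' + re.escape(key) + r'=\s*(?:"(?P<q>.*?)"(?=\s+\w+=|\s*$)|(?P<u>\S+))'
    m = re.search(pat, rest, re.I)
    if not m:
        return None
    return m.group('q') if m.group('q') is not None else m.group('u')


def split_binpath(binpath):
    """Split an sc.exe binPath value into (executable, arguments)."""
    m = re.match(r'\s*"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', binpath, re.I | re.S)
    return (m.group('exe'), m.group('args')) if m else (binpath.strip(), '')


def triage_service(cmdline):
    """Finding for an 'sc create' command line, or None if it is not one."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    rest = m.group('rest')
    exe, args = split_binpath(kv(rest, 'binPath') or '')
    reasons = []
    if NESTED_SYSTEM_DIR.match(exe):
        reasons.append('service binary in a new subdirectory of the system directory: ' + exe)
    if (kv(rest, 'start') or '').lower() == 'auto':
        reasons.append('start= auto, runs at every boot')
    dropper = re.search(r'/d\\?"(.+?)\\?"', args)   # the /d"<path>" argument seen in the report
    if dropper and re.search(r'\\AppData\\Local\\Temp\\', dropper.group(1), re.I):
        reasons.append('service argument carries the path of a dropper in %TEMP%: ' + dropper.group(1))
    return {'kind': 'service', 'name': m.group('name'), 'exe': exe,
            'display_name': kv(rest, 'DisplayName'), 'reasons': reasons}


def triage_firewall(cmdline):
    """Finding for a 'netsh advfirewall firewall add rule' command line, or None."""
    m = NETSH_ADD.search(cmdline)
    if not m:
        return None
    rest = m.group('rest')
    program, action, direction = kv(rest, 'program'), kv(rest, 'action'), kv(rest, 'dir')
    reasons = []
    if (action or '').lower() == 'allow' and (direction or '').lower() == 'in' \
            and re.search(r'\\svchost\.exe$', program or '', re.I):
        reasons.append('inbound allow rule for svchost.exe, the process the dropped service hollows')
    return {'kind': 'firewall', 'name': kv(rest, 'name'), 'program': program, 'reasons': reasons}


def triage(proc_events):
    """Run both checks over (pid, ppid, cmdline) records and keep hits that have reasons."""
    findings = []
    for pid, ppid, cmdline in proc_events:
        for check in (triage_service, triage_firewall):
            hit = check(cmdline)
            if hit and hit['reasons']:
                hit.update(pid=pid, parent=ppid)
                findings.append(hit)
    return findings


# Constructed API-call records (source pid, target pid, api) for the
# WriteProcessMemory / SetThreadContext signatures; PIDs are the report's.
API_EVENTS = [(2076, 2300, 'WriteProcessMemory')] * 4 + \
             [(2492, 2584, 'WriteProcessMemory')] * 6 + [(2492, 2584, 'SetThreadContext')]


def find_hollowing(api_events):
    """(source, target) pairs where the source both wrote the target's memory and reset a thread context."""
    seen = {}
    for src, dst, api in api_events:
        seen.setdefault((src, dst), set()).add(api)
    return sorted(p for p, apis in seen.items() if {'WriteProcessMemory', 'SetThreadContext'} <= apis)


if __name__ == '__main__':
    for f in triage(PROC_EVENTS):
        print(f['kind'], f['name'], 'from parent', f['parent'], '->', '; '.join(f['reasons']))
    print('hollowing pairs:', find_hollowing(API_EVENTS))
```

The ordinary four WriteProcessMemory calls a 32-bit parent makes into every child it creates are deliberately not treated as hollowing; only the pair that also shows SetThreadContext is returned. The binPath parser is the part worth keeping: sc.exe's "key= value" syntax and the embedded escaped quotes defeat a naive split on spaces or quotes.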
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\lsffitlg.exe
  Filesize: 10.2MB
  MD5: d913e876cddecd8d8f755e4b461c2e0d
  SHA1: abb88f4c6463dd540e13db7debfbac2713668fc3
  SHA256: 1e03a9fe364c33fb84f7e66b74458a9132859330580677e4b0720b02b0544f12
  SHA512: b4980a6a2e9c6660787661bcb2e1719794ea37bda9b095823ca6c8016c07e3af559d60e1c125d4757bb58e012f92b3e734aec9464e1b52118437937e6dacdf47
  The dropped service binary is not a byte-identical copy of the sample (different size and hashes), so hunting on the sample's file hashes alone will miss it; the service name, directory and firewall rule name above are the more durable host indicators from this run.
- memory/2076-0-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/2076-3-0x00000000001C0000-0x00000000001C1000-memory.dmp: 4KB
- memory/2076-2-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/2076-1-0x00000000001B0000-0x00000000001B1000-memory.dmp: 4KB
- memory/2076-7-0x00000000050E0000-0x00000000050F1000-memory.dmp: 68KB
- memory/2076-6-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/2492-17-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/2492-18-0x00000000050E0000-0x00000000050F1000-memory.dmp: 68KB
- memory/2492-11-0x0000000000220000-0x0000000000221000-memory.dmp: 4KB
- memory/2492-10-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
- memory/2584-15-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/2584-21-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/2584-22-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/2584-20-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/2584-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2584-12-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/2584-23-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
  The dumps at 0x400000 for PIDs 2076 and 2492 (the dropper and the dropped service binary) share the same 120KB image size, while the 84KB region at 0x80000 in PID 2584 is the payload written into the hollowed svchost.exe and is the region to pull for static analysis of the Tofsee module.