Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 06:37
Static task: static1
Behavioral task: behavioral1
  Sample: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
Size: 10.1MB
MD5: f777ab88e7988a6197689c84bd5c200b
SHA1: 9b8f94fe18fcfcbbb6ca1736751d6ca5ee417766
SHA256: cc405e27cf3c45f22534764ed6c2c3d7dc46264b4c275cfc53b3cf6707c211a5
SHA512: 9e9730d5ee6629003f29dcd9193ccd09acfa52256439a8408019273fd12b5c87138de4459d659c63a7eb505cc81039a50767ca33adf687a389a40aeb6ba64436
SSDEEP: 12288:Iz+wSUpBMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMs:Iz8
Malware Config
Extracted family: tofsee
Extracted config values: 43.231.4.7, lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 3996)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Process: svchost.exe
  IoC: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yfldoquq\ImagePath = "C:\\Windows\\SysWOW64\\yfldoquq\\vewvequl.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Process: f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
  IoC: Key value queried \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 3992)
- Executes dropped EXE (1 IoCs)
  Processes: vewvequl.exe (PID 4924)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4924 (vewvequl.exe) set thread context of PID 3992 (svchost.exe)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4896), sc.exe (PID 1812), sc.exe (PID 4768)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Source process -> target process (the sandbox recorded each pair several times; event counts in parentheses):
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 2128 (cmd.exe) (3 events)
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 4560 (cmd.exe) (3 events)
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 1812 (sc.exe) (3 events)
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 4768 (sc.exe) (3 events)
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 4896 (sc.exe) (3 events)
  PID 4808 (f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe) wrote to memory of PID 3996 (netsh.exe) (3 events)
  PID 4924 (vewvequl.exe) wrote to memory of PID 3992 (svchost.exe) (5 events)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yfldoquq\
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vewvequl.exe" C:\Windows\SysWOW64\yfldoquq\
  - Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create yfldoquq binPath= "C:\Windows\SysWOW64\yfldoquq\vewvequl.exe /d\"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description yfldoquq "wifi internet conection"
    Signatures: Launches sc.exe
  - Level 2: C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start yfldoquq
    Signatures: Launches sc.exe
  - Level 2: C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- Level 1: C:\Windows\SysWOW64\yfldoquq\vewvequl.exe
  Command line: C:\Windows\SysWOW64\yfldoquq\vewvequl.exe /d"C:\Users\Admin\AppData\Local\Temp\f777ab88e7988a6197689c84bd5c200b_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation:
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\vewvequl.exe
  Filesize: 14.9MB
  MD5: 86ccea191b283ba1923980c40b24e3d8
  SHA1: 9515dc33eab7c7c95c0310b6d692dc4726ce3eb8
  SHA256: 174c1117161ed764af6666350fdcea90f0eaa6a381387192a3d8a992d9babf2b
  SHA512: e84b9b033ba1fc1a5e686f62f4dda0140f9c6d460ebe287082feea120aaca916cd82a85676524f01c7f9d31e37185bbecf48886c206ba7e8db30d3d8c5e4cb65
- Memory dumps (name, filesize):
  memory/3992-11-0x0000000000E20000-0x0000000000E35000-memory.dmp, 84KB
  memory/3992-18-0x0000000000E20000-0x0000000000E35000-memory.dmp, 84KB
  memory/3992-17-0x0000000000E20000-0x0000000000E35000-memory.dmp, 84KB
  memory/3992-16-0x0000000000E20000-0x0000000000E35000-memory.dmp, 84KB
  memory/4808-3-0x00000000005E0000-0x00000000005E1000-memory.dmp, 4KB
  memory/4808-7-0x000000005F000000-0x000000005F011000-memory.dmp, 68KB
  memory/4808-6-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB
  memory/4808-0-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB
  memory/4808-1-0x00000000005D0000-0x00000000005D1000-memory.dmp, 4KB
  memory/4808-2-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB
  memory/4924-9-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB
  memory/4924-10-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB
  memory/4924-12-0x0000000000400000-0x000000000041E000-memory.dmp, 120KB