Analysis
- max time kernel: 144s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-04-2024 09:40

Static task: static1

Behavioral task: behavioral1
- Sample: f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe
- Size: 11.3MB
- MD5: f7baffc6d2cfb545920c4a09c852b138
- SHA1: 8c8064183e636a58f6e8cc12eb3c4a60ba1a34bd
- SHA256: 49dab872a5b2e9907b73be258b4bbba2f86677af674ed12a6a3f40b3e7543c84
- SHA512: 85007d6de19c3f2db2ba6a26a23832fbb8ed13e8d5584792d33262557eca363b2c285e9d9e56a492f8792f81eeb2723d18c8ed9d05b1c66305229bf88aa9bac4
- SSDEEP: 49152:fOawK7777777777777777777777777777777777777777777777777777777777f:fm
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
- Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qvlkrhyo = "0" | svchost.exe
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes (pid | process):
  2968 | netsh.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qvlkrhyo\ImagePath = "C:\\Windows\\SysWOW64\\qvlkrhyo\\eauagiar.exe" | svchost.exe
- Deletes itself 1 IoCs
  Processes (pid | process):
  2528 | svchost.exe
- Executes dropped EXE 1 IoCs
  Processes (pid | process):
  2216 | eauagiar.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description | pid | process | target process):
  PID 2216 set thread context of 2528 | 2216 | eauagiar.exe | svchost.exe
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  2548 | sc.exe
  1916 | sc.exe
  2568 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes (description | pid | process | target process):
  PID 1716 wrote to memory of 2372 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2372 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2372 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2372 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2672 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2672 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2672 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 2672 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | cmd.exe
  PID 1716 wrote to memory of 1916 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 1916 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 1916 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 1916 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2568 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2568 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2568 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2568 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2548 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2548 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2548 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2548 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | sc.exe
  PID 1716 wrote to memory of 2968 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | netsh.exe
  PID 1716 wrote to memory of 2968 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | netsh.exe
  PID 1716 wrote to memory of 2968 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | netsh.exe
  PID 1716 wrote to memory of 2968 | 1716 | f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe | netsh.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
  PID 2216 wrote to memory of 2528 | 2216 | eauagiar.exe | svchost.exe
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qvlkrhyo\
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\eauagiar.exe" C:\Windows\SysWOW64\qvlkrhyo\
    - Process: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create qvlkrhyo binPath= "C:\Windows\SysWOW64\qvlkrhyo\eauagiar.exe /d\"C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      Signatures: Launches sc.exe
    - Process: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description qvlkrhyo "wifi internet conection"
      Signatures: Launches sc.exe
    - Process: C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start qvlkrhyo
      Signatures: Launches sc.exe
    - Process: C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
- Process: C:\Windows\SysWOW64\qvlkrhyo\eauagiar.exe
  Command line: C:\Windows\SysWOW64\qvlkrhyo\eauagiar.exe /d"C:\Users\Admin\AppData\Local\Temp\f7baffc6d2cfb545920c4a09c852b138_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Children:
    - Process: C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\eauagiar.exe
  Filesize: 14.8MB
  MD5: 397f27eddc2e9d9c101fcdd1c2fccb95
  SHA1: 7d46457b1decac7d5fb228491dd753d6c6c445da
  SHA256: 6380b753f52f4a954094c8881d06ffaea49f158291812735b25774bf77b9ac9f
  SHA512: 64c2b232e67fecf1e68e380fab2e9f8caecbf24803e1aab88327c91356a22c3fbf6d975f7197e9026298e534b7e6bc02e32aa11810400ab4397029680c5fac3e
- memory/1716-1-0x0000000000540000-0x0000000000640000-memory.dmp
  Filesize: 1024KB
- memory/1716-4-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/1716-3-0x0000000000020000-0x0000000000033000-memory.dmp
  Filesize: 76KB
- memory/1716-6-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/2216-16-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/2216-9-0x00000000004F0000-0x00000000005F0000-memory.dmp
  Filesize: 1024KB
- memory/2216-11-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/2528-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2528-10-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/2528-14-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/2528-18-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/2528-19-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB
- memory/2528-20-0x00000000000C0000-0x00000000000D5000-memory.dmp
  Filesize: 84KB