Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 04:53
Static task: static1
Behavioral task: behavioral1
  Sample: fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe
Size: 11.5MB
MD5: fbf7f5a1d66ec9bd0a2e87620f4b6436
SHA1: 7ba7cb141c344e42e70fa8aeaadfbc67cb5a7556
SHA256: dacb0e8a5b8abd37770016b0ea137fe0ddc7a098a00fdcf37246daca01b15762
SHA512: 31180bfc9255be6f8f02780793492ebe28d56725819eb181d0289f2e1e260e4109c1a0f37c540ffd237164afc656fff6a8a9b31c9fcb6bc140d9110d0d75315c
SSDEEP: 24576:DjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee+:D/D
Malware Config
Extracted family: tofsee
  defeatwax.ru
  refabyd.info
Signatures
Creates new service(s) (1 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid 2228  netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vrathjrj\ImagePath = "C:\\Windows\\SysWOW64\\vrathjrj\\skppwoim.exe"
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoCs)
  Processes:
    pid 4160  skppwoim.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 4160 (skppwoim.exe) set thread context of PID 3568 (svchost.exe)
Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
    pid 1652  sc.exe
    pid 5100  sc.exe
    pid 2952  sc.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID -> target PID, source process -> target process; identical entries collapsed with a count):
    4416 -> 4536  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> cmd.exe  (x3)
    4416 -> 3596  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> cmd.exe  (x3)
    4416 -> 2952  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> sc.exe  (x3)
    4416 -> 1652  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> sc.exe  (x3)
    4416 -> 5100  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> sc.exe  (x3)
    4416 -> 2228  fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe -> netsh.exe  (x3)
    4160 -> 3568  skppwoim.exe -> svchost.exe  (x5)
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 2)
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vrathjrj\
    C:\Windows\SysWOW64\cmd.exe  (depth 2)
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\skppwoim.exe" C:\Windows\SysWOW64\vrathjrj\
    C:\Windows\SysWOW64\sc.exe  (depth 2)
      command line: "C:\Windows\System32\sc.exe" create vrathjrj binPath= "C:\Windows\SysWOW64\vrathjrj\skppwoim.exe /d\"C:\Users\Admin\AppData\Local\Temp\fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (depth 2)
      command line: "C:\Windows\System32\sc.exe" description vrathjrj "wifi internet conection"
      - Launches sc.exe
    C:\Windows\SysWOW64\sc.exe  (depth 2)
      command line: "C:\Windows\System32\sc.exe" start vrathjrj
      - Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe  (depth 2)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
C:\Windows\SysWOW64\vrathjrj\skppwoim.exe  (depth 1)
  command line: C:\Windows\SysWOW64\vrathjrj\skppwoim.exe /d"C:\Users\Admin\AppData\Local\Temp\fbf7f5a1d66ec9bd0a2e87620f4b6436_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe  (depth 2)
      command line: svchost.exe
      - Sets service image path in registry
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\skppwoim.exe
  Filesize: 14.8MB
  MD5: fb53a3645626f491923c495997330c8d
  SHA1: da6c44e90b85ea788c4076b7ed67d1b02213ccfe
  SHA256: ad93fa58692bf500dc7f4a54513d87f0cceeaf9a955bc3d366abd2e2bbcaeedb
  SHA512: 311e78a1740839ff21a31f1082d881ce31157c11767b901bef6232b9afd34e7fe18d93badf8f54d65ef4ec1d64dcfdf7ec6cc9f1ee25429fe9c51342b0926a37
memory/3568-10-0x0000000000460000-0x0000000000475000-memory.dmp
  Filesize: 84KB
memory/3568-13-0x0000000000460000-0x0000000000475000-memory.dmp
  Filesize: 84KB
memory/3568-25-0x0000000000460000-0x0000000000475000-memory.dmp
  Filesize: 84KB
memory/3568-16-0x0000000000460000-0x0000000000475000-memory.dmp
  Filesize: 84KB
memory/3568-15-0x0000000000460000-0x0000000000475000-memory.dmp
  Filesize: 84KB
memory/4160-17-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
memory/4160-9-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
memory/4160-8-0x00000000005E0000-0x00000000006E0000-memory.dmp
  Filesize: 1024KB
memory/4160-23-0x0000000000D40000-0x0000000000D53000-memory.dmp
  Filesize: 76KB
memory/4416-1-0x00000000005A0000-0x00000000006A0000-memory.dmp
  Filesize: 1024KB
memory/4416-14-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
memory/4416-3-0x0000000000400000-0x000000000046E000-memory.dmp
  Filesize: 440KB
memory/4416-20-0x00000000005A0000-0x00000000006A0000-memory.dmp
  Filesize: 1024KB
memory/4416-2-0x00000000021C0000-0x00000000021D3000-memory.dmp
  Filesize: 76KB