Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 06:23
Static task: static1
Behavioral task: behavioral1
Sample: fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe
Size: 12.6MB
MD5: fc209b18b7ab86f3a8c755f3f3af34f1
SHA1: b9e857abc7c7748e8854fbd0a3b849bade3416a5
SHA256: 6686cae9b3cdb8c87880aba95dd27f5b540ad54c0bdbd65b8b8b5f90cf38b644
SHA512: 30ec26ceeedecf299a4d9f6fa2c61656396df4265c71b3e285d0d149d9fded2a88ee161da9e55200cd74f363c101bbd3ffe2b38e991c76fe6c00b20a33df0c9b
SSDEEP: 3072:h5BNmJpGugiP5MRMF7xZk8w1Y5jQUSK5WwEm5FafNCbyyyxKH:h/xiP62F7M8w18NSK5WwB7byFx6
Malware Config
Extracted family: tofsee
C2: 176.111.174.19
C2: defeatwax.ru
Signatures
Windows security bypass
Processes:
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\cbsrjwhq = "0"
Creates new service(s) 1 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exe (PID 2680)
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cbsrjwhq\ImagePath = "C:\\Windows\\SysWOW64\\cbsrjwhq\\vbumnyyt.exe"
Deletes itself 1 IoCs
Processes:
svchost.exe (PID 2408)
Executes dropped EXE 1 IoCs
Processes:
vbumnyyt.exe (PID 1760)
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbumnyyt.exe (PID 1760) set thread context of svchost.exe (PID 2408)
Launches sc.exe 3 IoCs
sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe (PID 2636), sc.exe (PID 2676), sc.exe (PID 2612)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of cmd.exe (PID 1536), 4 events
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of cmd.exe (PID 2896), 4 events
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of sc.exe (PID 2636), 4 events
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of sc.exe (PID 2676), 4 events
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of sc.exe (PID 2612), 4 events
fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292) wrote to memory of netsh.exe (PID 2680), 4 events
vbumnyyt.exe (PID 1760) wrote to memory of svchost.exe (PID 2408), 6 events
Processes
C:\Users\Admin\AppData\Local\Temp\fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe (PID 2292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1536)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cbsrjwhq\
  C:\Windows\SysWOW64\cmd.exe (PID 2896)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vbumnyyt.exe" C:\Windows\SysWOW64\cbsrjwhq\
  C:\Windows\SysWOW64\sc.exe (PID 2636)
    Command line: "C:\Windows\System32\sc.exe" create cbsrjwhq binPath= "C:\Windows\SysWOW64\cbsrjwhq\vbumnyyt.exe /d\"C:\Users\Admin\AppData\Local\Temp\fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2676)
    Command line: "C:\Windows\System32\sc.exe" description cbsrjwhq "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe (PID 2612)
    Command line: "C:\Windows\System32\sc.exe" start cbsrjwhq
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe (PID 2680)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\cbsrjwhq\vbumnyyt.exe (PID 1760)
  Command line: C:\Windows\SysWOW64\cbsrjwhq\vbumnyyt.exe /d"C:\Users\Admin\AppData\Local\Temp\fc209b18b7ab86f3a8c755f3f3af34f1_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 2408)
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\vbumnyyt.exe
Filesize: 14.2MB
MD5: 5d70ec609db3225db8283438b97cfb82
SHA1: 88a91ee4f70843cc51696957f957f1d7b722068a
SHA256: 6acd47253b24c6511501880f678c7bcab80bbf2c7a98d9032ac686e3562e29ed
SHA512: 6d7aa6109960600324328cd2d41108caa098e858333cf4928722a55e158e25a9b298258fd32b6a95dafe59d901453c1651896065c64124faf3d65843bee7fad8
memory/1760-10-0x0000000000A90000-0x0000000000B90000-memory.dmp (Filesize: 1024KB)
memory/1760-17-0x0000000000400000-0x000000000099E000-memory.dmp (Filesize: 5.6MB)
memory/1760-12-0x0000000000400000-0x000000000099E000-memory.dmp (Filesize: 5.6MB)
memory/2292-6-0x0000000000400000-0x000000000099E000-memory.dmp (Filesize: 5.6MB)
memory/2292-8-0x00000000001B0000-0x00000000001C3000-memory.dmp (Filesize: 76KB)
memory/2292-1-0x00000000002F0000-0x00000000003F0000-memory.dmp (Filesize: 1024KB)
memory/2292-2-0x00000000001B0000-0x00000000001C3000-memory.dmp (Filesize: 76KB)
memory/2292-4-0x0000000000400000-0x000000000099E000-memory.dmp (Filesize: 5.6MB)
memory/2408-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
memory/2408-15-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
memory/2408-11-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
memory/2408-19-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
memory/2408-20-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)
memory/2408-21-0x00000000000C0000-0x00000000000D5000-memory.dmp (Filesize: 84KB)