Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 11:03

Static task: static1
Behavioral task: behavioral1
  Sample: fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe
Size: 14.6MB
MD5: fc9d27ffa867f7f49dee1251dae0344e
SHA1: 442c6b101cc68df05cafe8503d4b24647dfe980f
SHA256: fe7eb1248703a1dad025d2a6095acc77e8b3731cf282ac652a0b6d490ea0832f
SHA512: d1fe29b5fe0d2ffa19ecd9641086954df472bd7876ecdf14cbf84f0b3f8365985adddcdc927fa81ce160d7de67ac3216d05b8b8542cfa52b4978073342e9fcd1
SSDEEP: 49152:wjrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrX:S
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures

Windows security bypass
Processes: svchost.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ftcwiqae = "0" (svchost.exe)

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
  PID 2116 netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ftcwiqae\ImagePath = "C:\\Windows\\SysWOW64\\ftcwiqae\\bivvyjbw.exe" (svchost.exe)

Deletes itself 1 IoCs
Processes: svchost.exe
  PID 2872 svchost.exe

Executes dropped EXE 1 IoCs
Processes: bivvyjbw.exe
  PID 2876 bivvyjbw.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: bivvyjbw.exe
  PID 2876 set thread context of 2872: 2876 bivvyjbw.exe -> svchost.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
  PID 2636 sc.exe
  PID 2720 sc.exe
  PID 2160 sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
Processes: fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe, bivvyjbw.exe
  PID 2216 wrote to memory of 3016: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3016: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3016: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3016: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3032: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3032: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3032: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 3032: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> cmd.exe
  PID 2216 wrote to memory of 2160: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2160: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2160: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2160: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2636: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2636: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2636: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2636: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2720: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2720: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2720: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2216 wrote to memory of 2720: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> sc.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2876 wrote to memory of 2872: 2876 bivvyjbw.exe -> svchost.exe
  PID 2216 wrote to memory of 2116: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> netsh.exe
  PID 2216 wrote to memory of 2116: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> netsh.exe
  PID 2216 wrote to memory of 2116: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> netsh.exe
  PID 2216 wrote to memory of 2116: 2216 fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe -> netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ftcwiqae\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bivvyjbw.exe" C:\Windows\SysWOW64\ftcwiqae\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ftcwiqae binPath= "C:\Windows\SysWOW64\ftcwiqae\bivvyjbw.exe /d\"C:\Users\Admin\AppData\Local\Temp\fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ftcwiqae "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ftcwiqae
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\ftcwiqae\bivvyjbw.exe
  Command line: C:\Windows\SysWOW64\ftcwiqae\bivvyjbw.exe /d"C:\Users\Admin\AppData\Local\Temp\fc9d27ffa867f7f49dee1251dae0344e_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\bivvyjbw.exe
  Filesize: 13.0MB
  MD5: b0bb40064f710a644022f62fe1789c2c
  SHA1: bf0abca0abf4b34a98ab4d649db83bb1b528471d
  SHA256: 82cc46350ec95f428a9456a9ded7bf8f30c7dd078bee93b6cb2f8166869814d9
  SHA512: bf6c239a7fee5c9d6fbfcf1a600ce223edb6451b2d19fa46fdf8bed12af1d6be84570d3b29d3202cabd80061df672ccde04809b11f63b2df3237c8aad6484a76
- memory/2216-18-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2216-1-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB
- memory/2216-3-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB
- memory/2216-2-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2216-0-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2872-17-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2872-10-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2872-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2872-13-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2872-19-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2872-20-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2872-21-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2876-9-0x0000000000220000-0x0000000000221000-memory.dmp
  Filesize: 4KB
- memory/2876-14-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/2876-7-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB