Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-04-2024 04:54
Static task: static1

Behavioral task: behavioral1
- Sample: fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe
- Size: 13.1MB
- MD5: fe7a83b2a9459c727de31bf862e8b412
- SHA1: 37cf0cf28262bfb9952fe203d09102ab00361c59
- SHA256: 0458983712551856bbe9a43e57f2171cb6a11ca2ba7fb5cfbf70d937a9d52764
- SHA512: 089ce3de2784486fe479e893da198c9de36cac7f8d4d4b72b0290892e3eb00ed829cb9b5794f8333857c6ad2f546f38df4ae9d19cb2a6c05dd17d6d3300b1296
- SSDEEP: 49152:f3Skkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk:f3
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.6
- C2: lazystax.ru
Signatures

Windows security bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\wkrmfvus = "0" | svchost.exe
Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  pid | process
  2548 | netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wkrmfvus\ImagePath = "C:\\Windows\\SysWOW64\\wkrmfvus\\ntephwqc.exe" | svchost.exe

Deletes itself 1 IoCs
Processes:
  pid | process
  2580 | svchost.exe

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2436 | ntephwqc.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 2436 set thread context of 2580 | 2436 | ntephwqc.exe | svchost.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  2564 | sc.exe
  2756 | sc.exe
  2704 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
Processes (identical IoC rows collapsed; the last column gives how many times each was logged):
  description | pid | process | target process | times logged
  PID 1876 wrote to memory of 2960 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | cmd.exe | 4
  PID 1876 wrote to memory of 2628 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | cmd.exe | 4
  PID 1876 wrote to memory of 2564 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | sc.exe | 4
  PID 1876 wrote to memory of 2756 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | sc.exe | 4
  PID 1876 wrote to memory of 2704 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | sc.exe | 4
  PID 1876 wrote to memory of 2548 | 1876 | fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe | netsh.exe | 4
  PID 2436 wrote to memory of 2580 | 2436 | ntephwqc.exe | svchost.exe | 6
Processes
- C:\Users\Admin\AppData\Local\Temp\fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wkrmfvus\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ntephwqc.exe" C:\Windows\SysWOW64\wkrmfvus\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create wkrmfvus binPath= "C:\Windows\SysWOW64\wkrmfvus\ntephwqc.exe /d\"C:\Users\Admin\AppData\Local\Temp\fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description wkrmfvus "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start wkrmfvus
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\wkrmfvus\ntephwqc.exe
  Command line: C:\Windows\SysWOW64\wkrmfvus\ntephwqc.exe /d"C:\Users\Admin\AppData\Local\Temp\fe7a83b2a9459c727de31bf862e8b412_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ntephwqc.exe
  Filesize: 13.8MB
  MD5: 386830e4cba46992843febce6f486f96
  SHA1: 23ab1e4d8654446b1a6c558d4e7c8f50d16efba4
  SHA256: 6923b1c91f57cd7b03b0aa72a36508c3a68242169a69e34ce5597a431d29af0e
  SHA512: 76507297f80980eec805a13f05dacf0d0cbe74b4efc4aafac8951187dfe2f218d99db15542c5027b634bd0f723d784f365225966d9e921110a245eb0b35911a8

Memory dumps:
  file | filesize
  memory/1876-2-0x0000000000220000-0x0000000000233000-memory.dmp | 76KB
  memory/1876-4-0x0000000000400000-0x0000000000C14000-memory.dmp | 8.1MB
  memory/1876-7-0x0000000000400000-0x0000000000C14000-memory.dmp | 8.1MB
  memory/1876-8-0x0000000000220000-0x0000000000233000-memory.dmp | 76KB
  memory/1876-1-0x0000000000DF0000-0x0000000000EF0000-memory.dmp | 1024KB
  memory/2436-14-0x0000000000D90000-0x0000000000E90000-memory.dmp | 1024KB
  memory/2436-17-0x0000000000400000-0x0000000000C14000-memory.dmp | 8.1MB
  memory/2580-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
  memory/2580-13-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB
  memory/2580-10-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB
  memory/2580-19-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB
  memory/2580-20-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB
  memory/2580-21-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB
  memory/2580-22-0x00000000000C0000-0x00000000000D5000-memory.dmp | 84KB