Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 10:02

Static task: static1
Behavioral task: behavioral1
  Sample: ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
Size: 10.9MB
MD5: ff075df77fab0160980f37ef43349a38
SHA1: e52baf5a86caa2e97cfa1523f1d33c9ae146e2de
SHA256: 9c6f6cff204e5bc37c30d879e38c328d44a15040deab3fccf7d0b49bd3d0a24d
SHA512: f4c0ee4fcfe5ecc8c87052164d9fb0fbfe9abafb47839a8e79b1d06e971904d5205d904790c0b425e0929a285c11b252b98cb4a1d2a3ddc3a220a1b32a503af8
SSDEEP: 24576:ijDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBH:inh
Malware Config
Extracted
Family: tofsee
Domains:
  defeatwax.ru
  refabyd.info
Signatures
Windows security bypass
  Processes: svchost.exe
    description: Set value (int)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\tmtszral = "0"
    process: svchost.exe

Creates new service(s) 1 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe
    pid: 2632
    process: netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tmtszral\ImagePath = "C:\\Windows\\SysWOW64\\tmtszral\\dqhqivxr.exe"
    process: svchost.exe

Deletes itself 1 IoCs
  Processes: svchost.exe
    pid: 2448
    process: svchost.exe

Executes dropped EXE 1 IoCs
  Processes: dqhqivxr.exe
    pid: 2616
    process: dqhqivxr.exe

Suspicious use of SetThreadContext 1 IoCs
  Processes: dqhqivxr.exe
    description: PID 2616 set thread context of 2448
    pid: 2616
    process: dqhqivxr.exe
    target process: svchost.exe

Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
    pid: 2584  process: sc.exe
    pid: 2724  process: sc.exe
    pid: 2672  process: sc.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 30 IoCs
  Processes: ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe, dqhqivxr.exe
    description                        pid   process                                             target process
    PID 2984 wrote to memory of 2856   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2856   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2856   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2856   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2256   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2256   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2256   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2256   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  cmd.exe
    PID 2984 wrote to memory of 2584   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2584   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2584   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2584   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2724   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2724   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2724   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2724   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2672   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2672   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2672   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2672   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  sc.exe
    PID 2984 wrote to memory of 2632   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  netsh.exe
    PID 2984 wrote to memory of 2632   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  netsh.exe
    PID 2984 wrote to memory of 2632   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  netsh.exe
    PID 2984 wrote to memory of 2632   2984  ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe  netsh.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
    PID 2616 wrote to memory of 2448   2616  dqhqivxr.exe                                        svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tmtszral\

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dqhqivxr.exe" C:\Windows\SysWOW64\tmtszral\

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create tmtszral binPath= "C:\Windows\SysWOW64\tmtszral\dqhqivxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description tmtszral "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start tmtszral
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall

C:\Windows\SysWOW64\tmtszral\dqhqivxr.exe
  Command line: C:\Windows\SysWOW64\tmtszral\dqhqivxr.exe /d"C:\Users\Admin\AppData\Local\Temp\ff075df77fab0160980f37ef43349a38_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\dqhqivxr.exe
  Filesize: 14.4MB
  MD5: d37f791619368d678e87e4ecfa4b3794
  SHA1: fb0d9e3983e028bd05764f813bd33ec4b355d2fe
  SHA256: 6554c5fe710bccad972829d4892a072626c63dab6ded315114adc3799e977b11
  SHA512: 07c43493cf5c0925697b33611cbd75fd4e1cfbf9157f44a0f965e064852af3f9372a570f6a5f67a1680a1e8e10a16572b12c37c69e2d91b5a3c6ef15f2029045

Memory dumps
  memory/2448-12-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/2448-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
  memory/2448-9-0x0000000000080000-0x0000000000095000-memory.dmp   Filesize: 84KB
  memory/2448-18-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/2448-19-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/2448-20-0x0000000000080000-0x0000000000095000-memory.dmp  Filesize: 84KB
  memory/2616-13-0x00000000005D0000-0x00000000006D0000-memory.dmp  Filesize: 1024KB
  memory/2616-15-0x0000000000400000-0x000000000046E000-memory.dmp  Filesize: 440KB
  memory/2984-3-0x00000000003C0000-0x00000000003D3000-memory.dmp   Filesize: 76KB
  memory/2984-4-0x0000000000400000-0x000000000046E000-memory.dmp   Filesize: 440KB
  memory/2984-8-0x0000000000400000-0x000000000046E000-memory.dmp   Filesize: 440KB
  memory/2984-1-0x00000000008B0000-0x00000000009B0000-memory.dmp   Filesize: 1024KB