Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
Size: 12.9MB
MD5: ff2d8d859e9c246c9bce95dc1dddb084
SHA1: 7ca34991606aaf8d7eb29f5f5c50171336631139
SHA256: 9f8cabbcbae05dcc56614cd84875ba9c1b0553bacaf210506a8b24cf177fe61c
SHA512: 0898b5e0d887ef5211b0afca20beb6138aad5a4f87e1a9e50b5e55c16d430a31f803a5d4e8574c659ebe48571059088a83898e5471b75d3f367d0ebdb3c29325
SSDEEP: 6144:/xd8MIg5KkE8ZQFg60ECx+ylPZbheJlhLixkMPt/t/t/t/t/t/t/t/t/t/t/t/tz:v8MI05ZQFgdgylPY1GkM
Malware Config
Extracted: tofsee
Domains: defeatwax.ru, refabyd.info
Signatures
- Windows security bypass
  Processes: svchost.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\usyvzmo = "0"
  process: svchost.exe
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes: netsh.exe
  pid 2720: netsh.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usyvzmo\ImagePath = "C:\\Windows\\SysWOW64\\usyvzmo\\qzhfyadd.exe"
  process: svchost.exe
- Deletes itself 1 IoCs
  Processes: svchost.exe
  pid 2436: svchost.exe
- Executes dropped EXE 1 IoCs
  Processes: qzhfyadd.exe
  pid 2596: qzhfyadd.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: qzhfyadd.exe
  description: PID 2596 set thread context of 2436
  process: qzhfyadd.exe
  target process: svchost.exe
- Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  pid 2072: sc.exe
  pid 2860: sc.exe
  pid 2612: sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  Processes: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe, qzhfyadd.exe
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2056 (cmd.exe): 4 writes
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2948 (cmd.exe): 4 writes
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2072 (sc.exe): 4 writes
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2860 (sc.exe): 4 writes
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2612 (sc.exe): 4 writes
  PID 2824 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 2720 (netsh.exe): 4 writes
  PID 2596 (qzhfyadd.exe) wrote to memory of 2436 (svchost.exe): 6 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe (PID 2824)
  command line: "C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\usyvzmo\
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qzhfyadd.exe" C:\Windows\SysWOW64\usyvzmo\
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" create usyvzmo binPath= "C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe /d\"C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" description usyvzmo "wifi internet conection"
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    command line: "C:\Windows\System32\sc.exe" start usyvzmo
    signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 2720)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe (PID 2596; runs as the usyvzmo service)
  command line: C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe /d"C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe"
  signatures: Executes dropped EXE, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2436)
    command line: svchost.exe
    signatures: Windows security bypass, Sets service image path in registry, Deletes itself
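The Signatures and Processes sections above describe one persistence chain: sc.exe creates a service whose binPath sits in a freshly made SysWOW64 sub-directory and embeds the dropper path behind /d, netsh opens the firewall for the 32-bit svchost.exe, and the hollowed svchost.exe then rewrites the service ImagePath and adds a Windows Defender path exclusion. The Python below turns that chain into a correlation rule over process-creation and registry-set events. It is an added example written for this report, not code from the sandbox or from the sample: the events are constructed from the command lines and registry writes shown above, the Sysmon-style field names, rule names and the STOCK_SUBDIRS allowlist are assumptions, and parent PIDs the report does not show are left as None.

```python
"""Correlate the Tofsee service-install chain across process and registry events.

Added example for this sandbox report, not the sandbox's or the sample's code.
Field names (type, pid, ppid, image, cmdline, target, details) are Sysmon-style
assumptions; the events are constructed from the report's process tree.
"""
import re

ROOT = r"C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe"
SYSWOW64 = "c:\\windows\\syswow64\\"
# Stock SysWOW64 sub-directories that legitimately hold signed binaries (partial
# allowlist, an assumption to extend for your own image).
STOCK_SUBDIRS = ("wbem\\", "windowspowershell\\", "drivers\\", "dism\\", "oobe\\", "migwiz\\", "inetsrv\\", "en-us\\")


def pc(pid, ppid, image, cmdline):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def rs(pid, image, target, details):
    return {"type": "RegistrySet", "pid": pid, "image": image, "target": target, "details": details}


# Constructed telemetry mirroring the report's tree; PIDs are the report's, ppid None where it shows none.
SAMPLE_EVENTS = [
    pc(2824, None, ROOT, f'"{ROOT}"'),
    pc(2056, 2824, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\usyvzmo' + "\\"),
    pc(2948, 2824, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qzhfyadd.exe" C:\Windows\SysWOW64\usyvzmo' + "\\"),
    pc(2072, 2824, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" create usyvzmo binPath= "C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe /d\"' + ROOT + r'\"" type= own start= auto DisplayName= "wifi support"'),
    pc(2860, 2824, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" description usyvzmo "wifi internet conection"'),
    pc(2612, 2824, r"C:\Windows\SysWOW64\sc.exe", r'"C:\Windows\System32\sc.exe" start usyvzmo'),
    pc(2720, 2824, r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'),
    pc(2596, None, r"C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe", r'C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe /d"' + ROOT + '"'),
    pc(2436, 2596, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    rs(2436, r"C:\Windows\SysWOW64\svchost.exe", r"HKLM\SYSTEM\ControlSet001\services\usyvzmo\ImagePath", r"C:\Windows\SysWOW64\usyvzmo\qzhfyadd.exe"),
    rs(2436, r"C:\Windows\SysWOW64\svchost.exe", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\usyvzmo", "0"),
]

# binPath value may contain escaped quotes (\") exactly as the report shows, so the group allows backslash escapes.
SC_CREATE = re.compile(r'\bcreate\s+(?P<name>[^\s"]+)\s.*?binPath=\s*"(?P<binpath>(?:\\.|[^"\\])*)"', re.I)
EXE_IN_BINPATH = re.compile(r'^(?P<exe>[A-Za-z]:\\[^"\s]+?\.exe)', re.I)
DROPPER_ARG = re.compile(r'/d\\?"(?P<dropper>.+?)\\?"', re.I)          # Tofsee passes the dropper path behind /d
NETSH_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?(?P<prog>[^"\s]+)', re.I)
IMAGEPATH_KEY = re.compile(r'\\services\\(?P<name>[^\\]+)\\ImagePath$', re.I)  # suffix match: works for HKLM\ and \REGISTRY\MACHINE\ forms
DEFENDER_EXCL = re.compile(r'\\Windows Defender\\Exclusions\\(?P<kind>[^\\]+)\\(?P<value>.+)$', re.I)


def in_syswow64_subdir(path):
    """True for a path below a non-stock sub-directory of SysWOW64 (where Tofsee drops its service binary)."""
    p = path.strip('"').lower()
    if not p.startswith(SYSWOW64):
        return False
    rel = p[len(SYSWOW64):]
    return "\\" in rel and not rel.startswith(STOCK_SUBDIRS)


def analyze(events):
    """Return one finding per suspicious event; 'service' carries the service name where the event names one."""
    findings = []
    for ev in events:
        img, cmd = ev["image"].lower(), ev.get("cmdline", "")
        if ev["type"] == "ProcessCreate":
            if img.endswith("\\sc.exe") and (m := SC_CREATE.search(cmd)):
                exe = EXE_IN_BINPATH.match(m["binpath"])
                exe_path = exe["exe"] if exe else m["binpath"]
                if in_syswow64_subdir(exe_path):
                    drop = DROPPER_ARG.search(m["binpath"])
                    findings.append({"rule": "sc_create_binpath_in_syswow64_subdir", "pid": ev["pid"], "service": m["name"],
                                     "detail": exe_path, "dropper": drop["dropper"] if drop else None})
            elif img.endswith("\\netsh.exe") and (m := NETSH_ALLOW.search(cmd)):
                if m["prog"].lower().endswith("\\svchost.exe"):   # inbound allow for a service host is never a user need
                    findings.append({"rule": "firewall_allow_svchost", "pid": ev["pid"], "service": None, "detail": m["prog"]})
            elif in_syswow64_subdir(img):
                findings.append({"rule": "process_from_syswow64_subdir", "pid": ev["pid"], "service": None, "detail": ev["image"]})
        elif ev["type"] == "RegistrySet":
            if (m := IMAGEPATH_KEY.search(ev["target"])) and in_syswow64_subdir(ev["details"]):
                findings.append({"rule": "service_imagepath_in_syswow64_subdir", "pid": ev["pid"], "service": m["name"], "detail": ev["details"]})
            elif m := DEFENDER_EXCL.search(ev["target"]):
                findings.append({"rule": "defender_exclusion_added", "pid": ev["pid"], "service": None, "detail": f'{m["kind"]}: {m["value"]}'})
    return findings


# The three observations that together make the chain; the other two rules add confidence but fire alone elsewhere.
REQUIRED = {"sc_create_binpath_in_syswow64_subdir", "firewall_allow_svchost", "defender_exclusion_added"}


def correlate(findings):
    """Summarise rules fired, service names, recovered dropper paths, and whether the full chain is present."""
    rules = {f["rule"] for f in findings}
    return {"rules": rules,
            "services": {f["service"] for f in findings if f["service"]},
            "droppers": {f["dropper"] for f in findings if f.get("dropper")},
            "chain_complete": REQUIRED <= rules}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"PID {f['pid']:<5} {f['rule']:<40} {f['detail']}")
    print(correlate(analyze(SAMPLE_EVENTS)))
```

Two limits are worth stating. The SetThreadContext hollowing of svchost.exe by qzhfyadd.exe is invisible at the command-line layer; it shows up in the report only as the 84KB region at 0x80000 dumped from PID 2436, so a full detection also needs process-access or memory telemetry. And the binPath carries the original dropper path behind /d, which is why the rule extracts it: on a real host that path is the first artifact to collect before the service's "Deletes itself" step removes it.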
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\qzhfyadd.exe
  Filesize: 13.5MB
  MD5: 174342bc64be265075e254a3a0527405
  SHA1: a1821854e6702e04d07c28ac7ffd1f738cc396af
  SHA256: d8c1d834c7edc39c23e59fd95cd7c16034cda68d9c07cc1b9f256eacd61801ca
  SHA512: 1e22e0f173103f6899198630fa0ce82d7e2d5cfa9eeb96f833ed4ac17a57fb515f2b7ecf3339020855b8a069aeeb6705d0fd3c492acba036e3160956c87752b2
- memory/2436-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2436-9-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2436-13-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2436-19-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2436-20-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2436-21-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
- memory/2596-10-0x0000000003400000-0x0000000003500000-memory.dmp
  Filesize: 1024KB
- memory/2596-15-0x0000000000400000-0x000000000324F000-memory.dmp
  Filesize: 46.3MB
- memory/2596-17-0x0000000000400000-0x000000000324F000-memory.dmp
  Filesize: 46.3MB
- memory/2824-4-0x0000000000400000-0x000000000324F000-memory.dmp
  Filesize: 46.3MB
- memory/2824-3-0x00000000001B0000-0x00000000001C3000-memory.dmp
  Filesize: 76KB
- memory/2824-8-0x0000000000400000-0x000000000324F000-memory.dmp
  Filesize: 46.3MB
- memory/2824-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
  Filesize: 1024KB