Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2024 11:29
Static task: static1
Behavioral task: behavioral1
- Sample: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
- Size: 12.9MB
- MD5: ff2d8d859e9c246c9bce95dc1dddb084
- SHA1: 7ca34991606aaf8d7eb29f5f5c50171336631139
- SHA256: 9f8cabbcbae05dcc56614cd84875ba9c1b0553bacaf210506a8b24cf177fe61c
- SHA512: 0898b5e0d887ef5211b0afca20beb6138aad5a4f87e1a9e50b5e55c16d430a31f803a5d4e8574c659ebe48571059088a83898e5471b75d3f367d0ebdb3c29325
- SSDEEP: 6144:/xd8MIg5KkE8ZQFg60ECx+ylPZbheJlhLixkMPt/t/t/t/t/t/t/t/t/t/t/t/tz:v8MI05ZQFgdgylPY1GkM
Malware Config
Extracted
- Family: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 3596)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zlnghspw\ImagePath = "C:\\Windows\\SysWOW64\\zlnghspw\\gpftuixd.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe queried key value \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 1508)
- Executes dropped EXE (1 IoCs)
  Processes: gpftuixd.exe (PID 5068)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: gpftuixd.exe (PID 5068) set thread context of svchost.exe (PID 1508)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 3016), sc.exe (PID 4796), sc.exe (PID 4744)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID wrote to memory of target PID; repeated events are counted):
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 4940 (cmd.exe), 3 events
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 4620 (cmd.exe), 3 events
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 3016 (sc.exe), 3 events
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 4796 (sc.exe), 3 events
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 4744 (sc.exe), 3 events
  - PID 2576 (ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe) wrote to memory of 3596 (netsh.exe), 3 events
  - PID 5068 (gpftuixd.exe) wrote to memory of 1508 (svchost.exe), 5 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zlnghspw\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gpftuixd.exe" C:\Windows\SysWOW64\zlnghspw\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create zlnghspw binPath= "C:\Windows\SysWOW64\zlnghspw\gpftuixd.exe /d\"C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description zlnghspw "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start zlnghspw
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\zlnghspw\gpftuixd.exe
  Command line: C:\Windows\SysWOW64\zlnghspw\gpftuixd.exe /d"C:\Users\Admin\AppData\Local\Temp\ff2d8d859e9c246c9bce95dc1dddb084_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\gpftuixd.exe
  Filesize: 10.0MB
  MD5: d923727ebeec9caf180e8ddb075e1b6e
  SHA1: 569d154da78f318c10358dcdf95bba7f1698c8b0
  SHA256: 879b5f5c5c7f1907675320a4d733d1475f14c3af43424879ff1e9f4ef43c00da
  SHA512: c2c3b8b3260c184514b4b02e9c3e51938e14869a40bae213b0e54464e9c8a918b1abbd83afe8384bccd0c527449caa30cc31268b201c026e5f9ff623e8e85a68
- memory/1508-17-0x0000000000830000-0x0000000000845000-memory.dmp (Filesize: 84KB)
- memory/1508-11-0x0000000000830000-0x0000000000845000-memory.dmp (Filesize: 84KB)
- memory/1508-15-0x0000000000830000-0x0000000000845000-memory.dmp (Filesize: 84KB)
- memory/1508-19-0x0000000000830000-0x0000000000845000-memory.dmp (Filesize: 84KB)
- memory/1508-18-0x0000000000830000-0x0000000000845000-memory.dmp (Filesize: 84KB)
- memory/2576-2-0x0000000003400000-0x0000000003413000-memory.dmp (Filesize: 76KB)
- memory/2576-4-0x0000000000400000-0x000000000324F000-memory.dmp (Filesize: 46.3MB)
- memory/2576-8-0x0000000000400000-0x000000000324F000-memory.dmp (Filesize: 46.3MB)
- memory/2576-9-0x0000000003400000-0x0000000003413000-memory.dmp (Filesize: 76KB)
- memory/2576-1-0x0000000003420000-0x0000000003520000-memory.dmp (Filesize: 1024KB)
- memory/5068-10-0x00000000033A0000-0x00000000034A0000-memory.dmp (Filesize: 1024KB)
- memory/5068-13-0x0000000000400000-0x000000000324F000-memory.dmp (Filesize: 46.3MB)
- memory/5068-16-0x0000000000400000-0x000000000324F000-memory.dmp (Filesize: 46.3MB)