Analysis
- Max time kernel: 144s
- Max time network: 119s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 28-04-2024 01:55
Static task: static1
Behavioral task: behavioral1
- Sample: 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
- Size: 98KB
- MD5: 041f1786762e19b8f29423a19ca0498c
- SHA1: 5ccb39b1480d9c693b429f35b0f7f3e5afb0730e
- SHA256: 8268704a7d561c3b77519503ac645bee86e62991cb3844bc90e12515d468afcd
- SHA512: 41b565b4e981fca822f9c95ea65ef1da13386a199612609d94a4056cc04824abf03e70bdc5e7869ebd47dfc1ed36f5eda40dd665070b9b557e35cd07b726c6ec
- SSDEEP: 1536:2u7R8+GeLxCi1s95kG0tTZaNxas1Y29db/vIHduOfpkwMEkR:2u7RBtlHs9z0PSxJ1T1/vIAEyLEs
Malware Config
Extracted
- Family: tofsee
- C2: 43.231.4.7
- C2: lazystax.ru
Signatures
- Windows security bypass
  Processes: svchost.exe
  | Description | IoC | Process |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rehtzo = "0" | svchost.exe |
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe
  | PID | Process |
  | 2428 | netsh.exe |
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  | Description | IoC | Process |
  | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rehtzo\ImagePath = "C:\\Windows\\SysWOW64\\rehtzo\\bwdazwst.exe" | svchost.exe |
- Deletes itself (1 IoCs)
  Processes: svchost.exe
  | PID | Process |
  | 2452 | svchost.exe |
- Executes dropped EXE (1 IoCs)
  Processes: bwdazwst.exe
  | PID | Process |
  | 2512 | bwdazwst.exe |
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: bwdazwst.exe
  | Description | PID | Process | Target process |
  | PID 2512 set thread context of 2452 | 2512 | bwdazwst.exe | svchost.exe |
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe, sc.exe, sc.exe
  | PID | Process |
  | 2836 | sc.exe |
  | 2052 | sc.exe |
  | 2736 | sc.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes: 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe, bwdazwst.exe
  | Source PID | Target PID | Process | Target process | Calls logged |
  | 2992 | 1956 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | cmd.exe | 4 |
  | 2992 | 2520 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | cmd.exe | 4 |
  | 2992 | 2836 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | sc.exe | 4 |
  | 2992 | 2052 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | sc.exe | 4 |
  | 2992 | 2736 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | sc.exe | 4 |
  | 2512 | 2452 | bwdazwst.exe | svchost.exe | 6 |
  | 2992 | 2428 | 041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe | netsh.exe | 4 |
Processes
- C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rehtzo\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bwdazwst.exe" C:\Windows\SysWOW64\rehtzo\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create rehtzo binPath= "C:\Windows\SysWOW64\rehtzo\bwdazwst.exe /d\"C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description rehtzo "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start rehtzo
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\rehtzo\bwdazwst.exe
  Command line: C:\Windows\SysWOW64\rehtzo\bwdazwst.exe /d"C:\Users\Admin\AppData\Local\Temp\041f1786762e19b8f29423a19ca0498c_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Windows security bypass; Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (2): Windows Service (2)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process (2): Windows Service (2)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\bwdazwst.exe
  Filesize: 12.2MB
  MD5: 725e6d8af0ca2832df99145f9fe701ab
  SHA1: 24594dc32ef3b44dac2717d1324401e0f418de07
  SHA256: c668d5faf7a3bfb9ce533c8ee424d02f969c0374987222bc73776910238a8d86
  SHA512: 36457f23f9af312c7b76f068432ee094e01e5dd759fe812515a641b49f31954943197acca41c1723818deaf43a311af8042ea82215ab610559a12d210a6d6acb
- memory/2452-10-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2452-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2452-7-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2452-14-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2452-15-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/2512-6-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2512-11-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2992-2-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/2992-1-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/2992-0-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2992-13-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)