Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 06:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
- Target: 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
- Size: 142KB
- MD5: 048725634c77ed7223cd9b91d90b172b
- SHA1: 40628d5ffe1bbd7915a628938a8acac0d9c77ba3
- SHA256: 568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
- SHA512: ad87648a4003832c7ec6129b2745c119c693f99628295cb318d285b8c5ca23d8ec0a4682fdbe3e8a880de0f6e9b84ed78ae3279c457477d5d6a2b27f1284446c
- SSDEEP: 3072:Urmeq2+/v4ZyY6yZHeLZVDZrHEzgGQNZ2uZlanCt:U6hy5cXZrHRlNou/anC
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
  pid | process
  3460 | netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kvnsswpd\ImagePath = "C:\\Windows\\SysWOW64\\kvnsswpd\\ecqcdywc.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  4600 | svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4916 | ecqcdywc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4916 set thread context of 4600 | 4916 | ecqcdywc.exe | svchost.exe
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid | process
  3196 | sc.exe
  4964 | sc.exe
  3024 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
  description | pid | process | target process
  PID 2300 wrote to memory of 4152 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 4152 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 4152 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 2208 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 2208 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 2208 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | cmd.exe
  PID 2300 wrote to memory of 3196 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3196 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3196 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 4964 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 4964 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 4964 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3024 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3024 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3024 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | sc.exe
  PID 2300 wrote to memory of 3460 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | netsh.exe
  PID 2300 wrote to memory of 3460 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | netsh.exe
  PID 2300 wrote to memory of 3460 | 2300 | 048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe | netsh.exe
  PID 4916 wrote to memory of 4600 | 4916 | ecqcdywc.exe | svchost.exe
  PID 4916 wrote to memory of 4600 | 4916 | ecqcdywc.exe | svchost.exe
  PID 4916 wrote to memory of 4600 | 4916 | ecqcdywc.exe | svchost.exe
  PID 4916 wrote to memory of 4600 | 4916 | ecqcdywc.exe | svchost.exe
  PID 4916 wrote to memory of 4600 | 4916 | ecqcdywc.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kvnsswpd\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ecqcdywc.exe" C:\Windows\SysWOW64\kvnsswpd\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create kvnsswpd binPath= "C:\Windows\SysWOW64\kvnsswpd\ecqcdywc.exe /d\"C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description kvnsswpd "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start kvnsswpd
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\kvnsswpd\ecqcdywc.exe
  Command line: C:\Windows\SysWOW64\kvnsswpd\ecqcdywc.exe /d"C:\Users\Admin\AppData\Local\Temp\048725634c77ed7223cd9b91d90b172b_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ecqcdywc.exe
  Filesize: 14.7MB
  MD5: 53051f6b080cba19b0013b9867034ca1
  SHA1: 06ee07c3cd0db9ee3839c92a18e09cfd55f8d4fb
  SHA256: 3fda8c82e0ac6427da28bd4b83478227055c099df07eb87e2d7b92455483c763
  SHA512: ac99f0644ec6653f9df86cb3110e1a3987275eddb34a311805c46f3009c6c94baf75c98f7cd985d61718ff7d68705bff5cceb5dda475a5d0d7bbe5221e2321f8
- memory/2300-0-0x00000000024C0000-0x00000000024C1000-memory.dmp
  Filesize: 4KB
- memory/2300-1-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/2300-2-0x00000000024D0000-0x00000000024D1000-memory.dmp
  Filesize: 4KB
- memory/2300-6-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/4600-8-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4600-11-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4600-12-0x0000000000AB0000-0x0000000000AC5000-memory.dmp
  Filesize: 84KB
- memory/4916-7-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/4916-9-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB