Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 09:29
Behavioral task: behavioral1
- Sample: 04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe
- Size: 11.3MB
- MD5: 04e17a3cf981140f0babf1eba3b1a30a
- SHA1: 1d72cbeadca5d725f63dc51e8bbcb8ec1af5805c
- SHA256: 447e116c206c6b28e3447d54d271eba35db13bae7edaa673cfa9cc207db05ea7
- SHA512: 8095d51b0ec02e2528c38b7770758aef4d3b8106cd0dce4912dcedb32d7d88d980e38e66474116d3a55d9955044d4f9f8dbf8ee96154982a24ee2065f262e7fb
- SSDEEP: 6144:j5VCb4QuzFRpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7:F8NKFRp
Malware Config
Extracted
- Family: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
  pid 3160  netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ucvfwlos\ImagePath = "C:\\Windows\\SysWOW64\\ucvfwlos\\qhadkxji.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes:
  pid 2616  svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 2720  qhadkxji.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 2720 (qhadkxji.exe) set thread context of PID 2616 (svchost.exe)
- Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  Processes:
  pid 692  sc.exe
  pid 5088  sc.exe
  pid 3172  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (source PID -> target PID, repeated calls collapsed with a count):
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 556 (cmd.exe)   x3
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 704 (cmd.exe)   x3
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 692 (sc.exe)    x3
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 5088 (sc.exe)   x3
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 3172 (sc.exe)   x3
  PID 2720 (qhadkxji.exe) wrote to memory of PID 2616 (svchost.exe)   x5
  PID 212 (04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe) wrote to memory of PID 3160 (netsh.exe)   x3
Processes
Note: the command lines name System32 but the image paths are under SysWOW64, because the 32-bit dropper's file accesses go through WoW64 file system redirection; the staged service binary, the firewall-allowed svchost.exe and the registry ImagePath are therefore all 32-bit SysWOW64 paths.
- C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ucvfwlos\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhadkxji.exe" C:\Windows\SysWOW64\ucvfwlos\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ucvfwlos binPath= "C:\Windows\SysWOW64\ucvfwlos\qhadkxji.exe /d\"C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ucvfwlos "wifi internet conection"
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ucvfwlos
    - Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
- C:\Windows\SysWOW64\ucvfwlos\qhadkxji.exe
  Command line: C:\Windows\SysWOW64\ucvfwlos\qhadkxji.exe /d"C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
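The chain in the tree above (move the dropped binary out of the user's Temp into a new SysWOW64 subdirectory, register it as an auto-start service whose binPath still points back at the dropper, open an inbound firewall allow rule for the 32-bit svchost.exe, then start svchost.exe from the service binary and overwrite it via SetThreadContext) is detectable from ordinary process-creation telemetry. The following is an added example and not code from the sandbox or the report: it parses process-creation events constructed to mirror the command lines above (Sysmon Event ID 1 style field names; the services.exe PID 660, the benign svchost.exe PID 9001 and the dropper's parent PID 4512 are invented) and correlates them per parent process. Two details matter for parsing: sc.exe's syntax is `key= value` with the space after the `=`, and the binPath value embeds `\"`-escaped quotes; the trailing `>nul` on the netsh line is part of the argument string as the sandbox recorded it, not a redirection cmd.exe processed.

```python
"""Detection logic for the staging / service / firewall / hollowing chain in the process tree
above. Added example, not part of the sandbox report. EVENTS is constructed to mirror the
report's command lines in Sysmon Event ID 1 style; the field names, services.exe PID 660, the
benign svchost.exe PID 9001 and the dropper's parent PID 4512 are assumptions."""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe"
SERVICE_EXE = r"C:\Windows\SysWOW64\ucvfwlos\qhadkxji.exe"
STAGE_DIR = r"C:\Windows\SysWOW64\ucvfwlos" + "\\"  # trailing backslash, as in the report
EVENTS = [
    {"pid": 660, "ppid": 500, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 9001, "ppid": 660, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 212, "ppid": 4512, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 556, "ppid": 212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir ' + STAGE_DIR},
    {"pid": 704, "ppid": 212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhadkxji.exe" ' + STAGE_DIR},
    {"pid": 692, "ppid": 212, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create ucvfwlos binPath= "C:\Windows\SysWOW64\ucvfwlos\qhadkxji.exe '
                r'/d\"C:\Users\Admin\AppData\Local\Temp\04e17a3cf981140f0babf1eba3b1a30a_JaffaCakes118.exe\"" '
                r'type= own start= auto DisplayName= "wifi support"'},
    {"pid": 5088, "ppid": 212, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" description ucvfwlos "wifi internet conection"'},
    {"pid": 3172, "ppid": 212, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": r'"C:\Windows\System32\sc.exe" start ucvfwlos'},
    {"pid": 3160, "ppid": 212, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
                r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"pid": 2720, "ppid": 660, "image": SERVICE_EXE, "cmdline": f'{SERVICE_EXE} /d"{DROPPER}"'},
    {"pid": 2616, "ppid": 2720, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": "svchost.exe"},
]
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_TEMP = "\\appdata\\local\\temp\\"
# One command-line token: a double-quoted string (allowing the \" escapes sc.exe binPath= uses) or a bare word.
TOKEN = r'("(?:[^"\\]|\\.)*"|\S+)'

def _unquote(tok):
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        tok = tok[1:-1]
    return tok.replace('\\"', '"')

def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def _dirname(path):
    return path.rstrip("\\").rsplit("\\", 1)[0].lower()

def parse_sc_create(cmdline):
    """Parse 'sc create <name> key= value ...' (sc.exe puts the space after the '=')."""
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    args = {"name": m.group(1)}
    for key, val in re.findall(r'(\w+)=\s*' + TOKEN, m.group(2)):
        args[key.lower()] = _unquote(val)
    return args

def service_image(binpath):
    """First executable named in a binPath value, ignoring the arguments that follow it."""
    m = re.match(r'"?(.*?\.exe)', binpath, re.I)
    return m.group(1) if m else None

def parse_netsh_rule(cmdline):
    """Parse 'netsh advfirewall firewall add rule key=value ...' into a dict, or None."""
    if not re.search(r'advfirewall\s+firewall\s+add\s+rule\b', cmdline, re.I):
        return None
    return {k.lower(): _unquote(v) for k, v in re.findall(r'(\w+)=' + TOKEN, cmdline)}

def parse_move(cmdline):
    """Return (source, destination) of a cmd.exe 'move [/Y] src dst', or None."""
    m = re.search(r'\bmove\s+(?:/y\s+)?' + TOKEN + r'\s+' + TOKEN, cmdline, re.I)
    return (_unquote(m.group(1)), _unquote(m.group(2))) if m else None

def detect(events):
    """Return [(pid, finding)] for the chain; events are assumed to be in creation order."""
    by_pid = {e["pid"]: e for e in events}
    staged = defaultdict(set)  # parent pid -> lower-cased system dirs it moved files into
    findings = []
    for e in events:
        img, cmd = _basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        parent_img = _basename(parent["image"]) if parent else "unknown"
        if img == "cmd.exe" and (mv := parse_move(cmd)):
            src, dst = mv[0].lower(), mv[1].lower()
            if USER_TEMP in src and dst.startswith(SYSTEM_DIRS):
                staged[e["ppid"]].add(dst.rstrip("\\"))
                findings.append((e["pid"], "file moved from user temp into a system directory"))
        elif img == "sc.exe" and (sc := parse_sc_create(cmd)) and "binpath" in sc:
            exe = service_image(sc["binpath"])
            if exe and _dirname(exe) in staged[e["ppid"]]:
                findings.append((e["pid"], f"service {sc['name']} runs a binary staged by the same parent"))
            if USER_TEMP in sc["binpath"].lower():
                findings.append((e["pid"], f"service {sc['name']} binPath references a file in user temp"))
        elif img == "netsh.exe" and (fw := parse_netsh_rule(cmd)):
            if (fw.get("action", "").lower() == "allow" and fw.get("dir", "").lower() == "in"
                    and _basename(fw.get("program", "")) == "svchost.exe"):
                findings.append((e["pid"], "inbound firewall allow rule added for svchost.exe"))
        elif img == "svchost.exe" and parent_img != "services.exe":
            # proxy for the SetThreadContext/WriteProcessMemory pair the sandbox saw: a hollowed host
            findings.append((e["pid"], f"svchost.exe started by {parent_img}, not services.exe"))
    return findings

if __name__ == "__main__":
    for pid, what in detect(EVENTS):
        print(pid, what)
```

Run directly, it prints one finding for the move (704), two for the sc create (692), one for the netsh rule (3160) and one for the hollowed svchost.exe (2616); the benign svchost.exe under services.exe produces none. The parent check only flags the host process, since its on-disk image is the legitimate svchost.exe; on a live host, pair it with a scan of the injected region (the 84KB range dumped under Downloads below) rather than a file hash.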
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\qhadkxji.exe
  Filesize: 13.5MB
  MD5: 1822e3d3d51df482f9c35a92bb66d032
  SHA1: d6e7cdff8047743f4e0418a5eae3c70ac6bed4c5
  SHA256: 920fd6522a047f6922285bf52e229927a9a053c2d9821b25da54fc7ad69a87fa
  SHA512: 9ad17e086efdec98f9bcda6679f7905919d7145e13cffa647b9a8b42367b4ad5f6b2d07573ba0eb43082d9486f1b632b4d0f6336261c77957d695937315c89b8
- memory/2616-3-0x00000000012D0000-0x00000000012E5000-memory.dmp
  Filesize: 84KB
- memory/2616-6-0x00000000012D0000-0x00000000012E5000-memory.dmp
  Filesize: 84KB
- memory/2616-7-0x00000000012D0000-0x00000000012E5000-memory.dmp
  Filesize: 84KB
- memory/2616-8-0x00000000012D0000-0x00000000012E5000-memory.dmp
  Filesize: 84KB
- memory/2616-9-0x00000000012D0000-0x00000000012E5000-memory.dmp
  Filesize: 84KB