Analysis
  max time kernel:   145s
  max time network:  123s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240419-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         05-05-2024 10:36
Static task
  static1

Behavioral task
  behavioral1
  Sample:   174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task
  behavioral2
  Sample:   174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
  Target:  174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
  Size:    142KB
  MD5:     174926665eeacc8ca38196b53f1cb5bb
  SHA1:    c7c0728973c935bdd74a4819f600bab970a0a51c
  SHA256:  980694e35dbab6bfc383714316873fb3e9288df0df617404b4f83c8b6bdb79c8
  SHA512:  3afe95fdc6ddbe6f0bb85643df28f70d4a972e7362eb56baa7d835b08a4f9fcaf2028b84efd11975c257d1cc15c3eaee4ce7ddd2f120fbf96560f9faba9b336b
  SSDEEP:  3072:9X3VXWiUmL3QMSSoJvnra4BcwfMq/eTW8qz8x:iKboJDDBcwt/vQ
Malware Config
Extracted
  Family: tofsee
  Values:
    43.231.4.7
    lazystax.ru
Signatures

Creates new service(s) (2 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid   process
  2492  netsh.exe

Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
  process      description      ioc
  svchost.exe  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ixzeanec\ImagePath = "C:\\Windows\\SysWOW64\\ixzeanec\\bkautsbr.exe"

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  process                                             description        ioc
  174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  Key value queried  \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
Processes:
  pid   process
  4752  svchost.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4004  bkautsbr.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                             pid   process       target process
  PID 4004 set thread context of 4752     4004  bkautsbr.exe  svchost.exe

Launches sc.exe (3 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  3636  sc.exe
  1716  sc.exe
  1744  sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (repeated identical events collapsed; the count column gives how many times each was recorded):
  source pid  source process                                      target pid  target process  count
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  2792        cmd.exe         3
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  2328        cmd.exe         3
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  3636        sc.exe          3
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  1716        sc.exe          3
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  1744        sc.exe          3
  1396        174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe  2492        netsh.exe       3
  4004        bkautsbr.exe                                        4752        svchost.exe     5
Processes

C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ixzeanec\

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bkautsbr.exe" C:\Windows\SysWOW64\ixzeanec\

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create ixzeanec binPath= "C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe /d\"C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description ixzeanec "wifi internet conection"
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start ixzeanec
      - Launches sc.exe

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall

C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe
  Command line: C:\Windows\SysWOW64\ixzeanec\bkautsbr.exe /d"C:\Users\Admin\AppData\Local\Temp\174926665eeacc8ca38196b53f1cb5bb_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Sets service image path in registry
      - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\bkautsbr.exe
  Filesize:  12.4MB
  MD5:       94a6b09b3da0db94609b08eb2337d7ce
  SHA1:      99b9742c7788e14f3085769cc2c3927f9d3a598b
  SHA256:    34297d3804e4048e25bc208b173e96ab9ac807541edc415f5438099280a4e81d
  SHA512:    50a20923432721098417ba175850de7dddf79aad73f4634218250ef0ec7185465f2600d564c06e6848e6017addd4a287c6d2e38347b94ea16bc3f27339bb1c7e

memory/1396-0-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize:  152KB

memory/1396-2-0x0000000000480000-0x0000000000481000-memory.dmp
  Filesize:  4KB

memory/1396-1-0x0000000000470000-0x0000000000471000-memory.dmp
  Filesize:  4KB

memory/1396-6-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize:  152KB

memory/4004-7-0x00000000004B0000-0x00000000004B1000-memory.dmp
  Filesize:  4KB

memory/4004-8-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize:  152KB

memory/4004-12-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize:  152KB

memory/4752-9-0x0000000000850000-0x0000000000865000-memory.dmp
  Filesize:  84KB

memory/4752-11-0x0000000000850000-0x0000000000865000-memory.dmp
  Filesize:  84KB

memory/4752-13-0x0000000000850000-0x0000000000865000-memory.dmp
  Filesize:  84KB