Analysis
-
max time kernel
145s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 17:30
Static task
static1
Behavioral task
behavioral1
Sample
2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe
-
Size
99KB
-
MD5
2b126fbd0352c9ec2f7833af3d0df7ca
-
SHA1
3bf9cee470ad6cf126635570d89d9d9f30cef386
-
SHA256
3546db46d605f744a285fe60fcbacc6b686aa6fae4c32890b030924471e0e59f
-
SHA512
0dfb908197503bf9c1c9deeb015504d1b51d4c00857b34c3862f6c7fd9a4423acb0a068f1b63e2d6757b4c89f2d993e7913767c24d32763afd5e3c1ec43bdcc7
-
SSDEEP
1536:6Ti28Kx4Cm792SAYqEVvsQS5QqmHN4SMwOVth8+T96R9UB4xw7585yWvNtQ:6TJaCmgSAEsNdm26OV0uofUBCw7O5N/
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 3008 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adpxrakv\ImagePath = "C:\\Windows\\SysWOW64\\adpxrakv\\xzulcwdw.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 4364 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
xzulcwdw.exepid process 1416 xzulcwdw.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
xzulcwdw.exedescription pid process target process PID 1416 set thread context of 4364 1416 xzulcwdw.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 4128 sc.exe 3324 sc.exe 388 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exexzulcwdw.exedescription pid process target process PID 64 wrote to memory of 1248 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 1248 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 1248 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 212 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 212 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 212 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe cmd.exe PID 64 wrote to memory of 388 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 388 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 388 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 4128 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 4128 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 4128 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 3324 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 3324 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 64 wrote to memory of 3324 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe sc.exe PID 1416 wrote to memory of 4364 1416 xzulcwdw.exe svchost.exe PID 1416 wrote to memory of 4364 1416 xzulcwdw.exe svchost.exe PID 1416 wrote to memory of 4364 1416 xzulcwdw.exe svchost.exe PID 1416 wrote to memory of 4364 1416 xzulcwdw.exe svchost.exe PID 1416 wrote to memory of 4364 1416 xzulcwdw.exe svchost.exe PID 64 wrote to memory of 3008 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe netsh.exe PID 64 wrote to memory of 3008 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe netsh.exe PID 64 wrote to memory of 3008 64 2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\adpxrakv\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xzulcwdw.exe" C:\Windows\SysWOW64\adpxrakv\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create adpxrakv binPath= "C:\Windows\SysWOW64\adpxrakv\xzulcwdw.exe /d\"C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description adpxrakv "wifi internet conection"2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start adpxrakv2⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\adpxrakv\xzulcwdw.exeC:\Windows\SysWOW64\adpxrakv\xzulcwdw.exe /d"C:\Users\Admin\AppData\Local\Temp\2b126fbd0352c9ec2f7833af3d0df7ca_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\xzulcwdw.exeFilesize
11.9MB
MD59d658d67d80404160208b5f66ba93551
SHA1b62f9fc79c7637b749fd1546ceb95e7e0f65f3de
SHA25682f0b4b66761a5c6d59556f2e7d3ba63f047c667574920da10866008b77bfcf7
SHA512150578aae265e394562f4518aaf8f24ef37d10a58c52efc5d9288823d7235e6bf11248e3144e4e7282b3272f05cc870ec00665fd09e96400c164c4d54afd8ef6
-
memory/64-13-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/64-2-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/64-1-0x0000000002180000-0x0000000002181000-memory.dmpFilesize
4KB
-
memory/64-0-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1416-7-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/1416-6-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1416-10-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4364-8-0x0000000001040000-0x0000000001055000-memory.dmpFilesize
84KB
-
memory/4364-12-0x0000000001040000-0x0000000001055000-memory.dmpFilesize
84KB
-
memory/4364-14-0x0000000001040000-0x0000000001055000-memory.dmpFilesize
84KB
-
memory/4364-15-0x0000000001040000-0x0000000001055000-memory.dmpFilesize
84KB
-
memory/4364-16-0x0000000001040000-0x0000000001055000-memory.dmpFilesize
84KB