Analysis
max time kernel: 144s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
Size: 142KB
MD5: 82937ed0681d989a3200fed04a37fc57
SHA1: eaee5070f8cbbea37ea0fc03db6cff5380a2b570
SHA256: 87c6ef971a71bfe43bdfad91943ccfa5be1c895b19a1ae647fa2113664b4d38c
SHA512: af5e4a3bd849c72171bf1b79c47577ab490ae66a7f93f73fbca0297cc876445489c23bc64d492013f59b6669c4bff10168313e8682a4c1c37caeed5a3867371e
SSDEEP: 3072:FN7Re/+fHs+SSoJvnra4BcwfMq/eTW8qrU9f:AW5oJDDBcwt/v6
Malware Config
Extracted family: tofsee
  43.231.4.7
  lazystax.ru
Signatures
Windows security bypass
  Processes:
    svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yawkatcn = "0"
Creates new service(s) 2 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  Processes:
    netsh.exe (PID 2588)
Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    svchost.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yawkatcn\ImagePath = "C:\\Windows\\SysWOW64\\yawkatcn\\jnueescy.exe"
Deletes itself 1 IoCs
  Processes:
    svchost.exe (PID 2564)
Executes dropped EXE 1 IoCs
  Processes:
    jnueescy.exe (PID 2772)
Suspicious use of SetThreadContext 1 IoCs
  Processes:
    jnueescy.exe (PID 2772) set thread context of svchost.exe (PID 2564)
Launches sc.exe 3 IoCs
  sc.exe is a Windows utility to control services on the system.
  Processes:
    sc.exe (PID 2784), sc.exe (PID 2432), sc.exe (PID 2652)
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 30 IoCs
  Processes (source PID wrote to memory of target PID, number of recorded writes):
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> cmd.exe (PID 2112): 4
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> cmd.exe (PID 3068): 4
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> sc.exe (PID 2652): 4
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> sc.exe (PID 2784): 4
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> sc.exe (PID 2432): 4
    82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe (PID 2964) -> netsh.exe (PID 2588): 4
    jnueescy.exe (PID 2772) -> svchost.exe (PID 2564): 6
Processes
1. C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yawkatcn\
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jnueescy.exe" C:\Windows\SysWOW64\yawkatcn\
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create yawkatcn binPath= "C:\Windows\SysWOW64\yawkatcn\jnueescy.exe /d\"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description yawkatcn "wifi internet conection"
      - Launches sc.exe
   2. C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start yawkatcn
      - Launches sc.exe
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      - Modifies Windows Firewall
1. C:\Windows\SysWOW64\yawkatcn\jnueescy.exe
   Command line: C:\Windows\SysWOW64\yawkatcn\jnueescy.exe /d"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      - Windows security bypass
      - Sets service image path in registry
      - Deletes itself
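The process tree above is a compact hunting target: a service binary staged from the user's Temp directory into a new SysWOW64 subdirectory, registered with sc.exe as an auto-start service, a netsh firewall allow rule for svchost.exe, a Defender path exclusion, and an svchost.exe spawned by the service binary rather than by services.exe before it writes the service's ImagePath itself. The following Python is an added example written for this page, not code from the sandbox or the sample; it runs those checks over constructed process-creation and registry-set events modelled on this report. The Event field names are an assumed Sysmon-like schema, not a real log format, and the parent of jnueescy.exe is assumed to be services.exe because the report does not show it.

```python
import re
from dataclasses import dataclass


# Assumed Sysmon-like schema (field names are this example's own, not a real log format).
@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value set)
    pid: int
    image: str                # full path of the acting process
    cmdline: str = ""         # process events only
    parent_image: str = ""    # process events only
    target: str = ""          # registry events: key\value path
    data: str = ""            # registry events: value written


# Windows command lines are matched with regexes; shlex would mangle the backslashes.
MOVE_RE = re.compile(r'\b(?:move|copy)\s+(?:/y\s+)?"?([^"]+?\.exe)"?\s+"?([^"\s]+)', re.I)
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)\s.*?binpath=\s*"?([^"]+?\.exe)', re.I)
NETSH_ALLOW_RE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?action=allow.*?program="?([^"\s]+)', re.I)
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\ImagePath$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def staged_path(src: str, dst: str) -> str:
    """Final location of `move/copy src dst`: a trailing backslash means dst is a directory."""
    return dst + src.rsplit("\\", 1)[-1] if dst.endswith("\\") else dst


def analyze(events):
    """Return a list of {"rule", "pid", "detail"} findings over an event stream."""
    findings = []
    staged = {}  # lower-cased final path -> original source path, from move/copy commands
    for ev in events:
        if ev.kind == "process":
            m = MOVE_RE.search(ev.cmdline)
            if m:
                staged[staged_path(m.group(1), m.group(2)).lower()] = m.group(1)
            m = SC_CREATE_RE.search(ev.cmdline)
            if m:
                name, binpath = m.group(1), m.group(2)
                src = staged.get(binpath.lower())
                # A new service whose binary was just moved out of a user Temp directory.
                if src and "\\appdata\\local\\temp\\" in src.lower():
                    auto = bool(re.search(r"start=\s*auto", ev.cmdline, re.I))
                    findings.append({"rule": "service_from_user_temp", "pid": ev.pid,
                                     "detail": f"{name} -> {binpath} (from {src}, autostart={auto})"})
            m = NETSH_ALLOW_RE.search(ev.cmdline)
            if m:
                findings.append({"rule": "firewall_allow_rule", "pid": ev.pid, "detail": m.group(1)})
            # svchost.exe is normally started by the Service Control Manager (services.exe);
            # any other parent is a hollowing/injection candidate.
            if basename(ev.image) == "svchost.exe" and basename(ev.parent_image) != "services.exe":
                findings.append({"rule": "svchost_unusual_parent", "pid": ev.pid, "detail": ev.parent_image})
        elif ev.kind == "registry":
            if "\\windows defender\\exclusions\\" in ev.target.lower():
                findings.append({"rule": "defender_exclusion", "pid": ev.pid, "detail": ev.target})
            m = IMAGEPATH_RE.search(ev.target)
            # ImagePath is normally written by services.exe on behalf of sc.exe or an installer.
            if m and basename(ev.image) != "services.exe":
                findings.append({"rule": "service_imagepath_direct_write", "pid": ev.pid,
                                 "detail": f"{m.group(1)} = {ev.data}"})
    return findings


# Constructed events modelled on the process tree and registry IoCs of this report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
SERVICE_BIN = r"C:\Windows\SysWOW64\yawkatcn\jnueescy.exe"
SAMPLE = [
    Event("process", 2112, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yawkatcn' "\\", DROPPER),
    Event("process", 3068, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jnueescy.exe" '
          r'C:\Windows\SysWOW64\yawkatcn' "\\", DROPPER),
    Event("process", 2652, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create yawkatcn binPath= "' + SERVICE_BIN +
          r' /d\"' + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"', DROPPER),
    Event("process", 2588, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" '
          r'dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul', DROPPER),
    # Parent of the service binary is assumed to be services.exe; the report does not show it.
    Event("process", 2772, SERVICE_BIN, SERVICE_BIN + ' /d"' + DROPPER + '"', r"C:\Windows\System32\services.exe"),
    Event("process", 2564, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe", SERVICE_BIN),
    Event("registry", 2564, r"C:\Windows\SysWOW64\svchost.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\yawkatcn",
          data="0"),
    Event("registry", 2564, r"C:\Windows\SysWOW64\svchost.exe",
          target=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\yawkatcn\ImagePath", data=SERVICE_BIN),
]
# A normal service host start, for contrast: produces no findings.
BENIGN = [Event("process", 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                r"C:\Windows\System32\services.exe")]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

The move/copy correlation is what separates this from a plain "sc.exe create" alert: a service whose binary was in a user Temp directory moments earlier is far rarer than service creation in general. The svchost parent check and the direct ImagePath write both key on the fact that the SCM (services.exe) is the only process that should be doing those things.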
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  - Create or Modify System Process (2): Windows Service (2)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  - Create or Modify System Process (2): Windows Service (2)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\jnueescy.exe
  Filesize: 10.2MB
  MD5: a089f5851368b32f1064497f53376569
  SHA1: 9a1b1f33b0efe31b8f3aca33c19ad97e9444d445
  SHA256: 8d76e9e5aea8e01bc981fe280bec05454f812e7d3074c97cbce7ce3a4fdfa84d
  SHA512: 7f12f634b1845faf0614d403637aef999666c7a55fd7d3a311889948f69eac42027c02e617f6c1dd23210c5055a3f34853159eef8f6b79b6e08fdc3a99864d38
memory/2564-11-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-13-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
memory/2564-8-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2564-15-0x0000000000080000-0x0000000000095000-memory.dmp
  Filesize: 84KB
memory/2772-7-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2772-14-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2964-0-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
memory/2964-1-0x0000000000290000-0x0000000000291000-memory.dmp
  Filesize: 4KB
memory/2964-2-0x00000000002A0000-0x00000000002A1000-memory.dmp
  Filesize: 4KB
memory/2964-6-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB