Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
Size: 142KB
MD5: 82937ed0681d989a3200fed04a37fc57
SHA1: eaee5070f8cbbea37ea0fc03db6cff5380a2b570
SHA256: 87c6ef971a71bfe43bdfad91943ccfa5be1c895b19a1ae647fa2113664b4d38c
SHA512: af5e4a3bd849c72171bf1b79c47577ab490ae66a7f93f73fbca0297cc876445489c23bc64d492013f59b6669c4bff10168313e8682a4c1c37caeed5a3867371e
SSDEEP: 3072:FN7Re/+fHs+SSoJvnra4BcwfMq/eTW8qrU9f:AW5oJDDBcwt/v6
Malware Config
Extracted: tofsee
  43.231.4.7
  lazystax.ru
Signatures
- Creates new service(s) (2 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes: netsh.exe (PID 2020)
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vgyanlzn\ImagePath = "C:\\Windows\\SysWOW64\\vgyanlzn\\aagcqqwo.exe"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
- Deletes itself (1 IoCs)
  Processes: svchost.exe (PID 4344)
- Executes dropped EXE (1 IoCs)
  Processes: aagcqqwo.exe (PID 4944)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: aagcqqwo.exe (PID 4944) set thread context of svchost.exe (PID 4344)
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4596), sc.exe (PID 5092), sc.exe (PID 2528)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe, aagcqqwo.exe
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 4968 (cmd.exe), 3 times
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 4036 (cmd.exe), 3 times
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 5092 (sc.exe), 3 times
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 2528 (sc.exe), 3 times
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 4596 (sc.exe), 3 times
  PID 2804 (82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe) wrote to memory of PID 2020 (netsh.exe), 3 times
  PID 4944 (aagcqqwo.exe) wrote to memory of PID 4344 (svchost.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vgyanlzn\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\aagcqqwo.exe" C:\Windows\SysWOW64\vgyanlzn\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create vgyanlzn binPath= "C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe /d\"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description vgyanlzn "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start vgyanlzn
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe
  Command line: C:\Windows\SysWOW64\vgyanlzn\aagcqqwo.exe /d"C:\Users\Admin\AppData\Local\Temp\82937ed0681d989a3200fed04a37fc57_JaffaCakes118.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    Signatures: Sets service image path in registry; Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\aagcqqwo.exe
  Filesize: 10.1MB
  MD5: 3e08f4211773f68ae550eed9953f1777
  SHA1: 5e51b5f8d42eefef5b16db8a2c5026ddff9e976c
  SHA256: 9c8297ac1a29538139aa9ad80a0683c9d42a56e62bd663911c0f56ed93ba6f94
  SHA512: 7aa5748d6a59d6a28a7d0eeb6e7c2a34e5494a8266f20cb96cc59502fb68748b132b1ec913aecf8af82bedf8ff98f3f54db4080cd78f660d043e80d9cb688bde
- memory/2804-0-0x0000000000540000-0x0000000000541000-memory.dmp (Filesize: 4KB)
- memory/2804-1-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/2804-2-0x0000000000550000-0x0000000000551000-memory.dmp (Filesize: 4KB)
- memory/2804-6-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4344-9-0x00000000010E0000-0x00000000010F5000-memory.dmp (Filesize: 84KB)
- memory/4344-12-0x00000000010E0000-0x00000000010F5000-memory.dmp (Filesize: 84KB)
- memory/4344-13-0x00000000010E0000-0x00000000010F5000-memory.dmp (Filesize: 84KB)
- memory/4944-7-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
- memory/4944-8-0x0000000000590000-0x0000000000591000-memory.dmp (Filesize: 4KB)
- memory/4944-11-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)