Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
Size: 142KB
MD5: 91e150cf143714919e8f076e28ffa0af
SHA1: 9f77919f92363378b6910acec411b1d4b8fce86b
SHA256: 40ddfa5e9adf75169f553482db151abecf58134e1b80f2681f9528e85fb204c3
SHA512: 9aad4f50d92d14914d872852939f75c903f892b9ab0d761ee6f4bcea92ca7109b411b2564562b80a876b90de2a92370c3ccc85874939e24b2a281828f4cdad8a
SSDEEP: 3072:PO8/FLfgq6rzTkYfiL2+jKfgi4m5nuGFU6W6WNU6b37:N94zwFLnKP46uC
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Signatures
Creates new service(s) (2 TTPs)
Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
pid | process
4328 | netsh.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ypbhsktp\ImagePath = "C:\\Windows\\SysWOW64\\ypbhsktp\\zpthxtow.exe" | svchost.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
Deletes itself (1 IoCs)
Processes:
pid | process
3720 | svchost.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1628 | zpthxtow.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 1628 set thread context of 3720 | 1628 | zpthxtow.exe | svchost.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
2252 | sc.exe
4536 | sc.exe
3628 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
description | pid | process | target process
PID 644 wrote to memory of 4668 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 4668 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 4668 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 452 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 452 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 452 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | cmd.exe
PID 644 wrote to memory of 2252 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 2252 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 2252 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 4536 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 4536 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 4536 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 3628 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 3628 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 3628 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | sc.exe
PID 644 wrote to memory of 4328 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | netsh.exe
PID 644 wrote to memory of 4328 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | netsh.exe
PID 644 wrote to memory of 4328 | 644 | 91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe | netsh.exe
PID 1628 wrote to memory of 3720 | 1628 | zpthxtow.exe | svchost.exe
PID 1628 wrote to memory of 3720 | 1628 | zpthxtow.exe | svchost.exe
PID 1628 wrote to memory of 3720 | 1628 | zpthxtow.exe | svchost.exe
PID 1628 wrote to memory of 3720 | 1628 | zpthxtow.exe | svchost.exe
PID 1628 wrote to memory of 3720 | 1628 | zpthxtow.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ypbhsktp\
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zpthxtow.exe" C:\Windows\SysWOW64\ypbhsktp\
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ypbhsktp binPath= "C:\Windows\SysWOW64\ypbhsktp\zpthxtow.exe /d\"C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ypbhsktp "wifi internet conection"
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ypbhsktp
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
C:\Windows\SysWOW64\ypbhsktp\zpthxtow.exe
  Command line: C:\Windows\SysWOW64\ypbhsktp\zpthxtow.exe /d"C:\Users\Admin\AppData\Local\Temp\91e150cf143714919e8f076e28ffa0af_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process: 2
    Windows Service: 2
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Privilege Escalation
  Create or Modify System Process: 2
    Windows Service: 2
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Downloads
C:\Users\Admin\AppData\Local\Temp\zpthxtow.exe
  Filesize: 12.2MB
  MD5: e3f63d82777f923391c5fcc17a3813e8
  SHA1: 0991aa0dfec5e13392e27b217870d68d7ad29659
  SHA256: 93a07e00b55b325ec32db197aa50fd7e0573965b043002a58af2fbe9f9b1f314
  SHA512: b8c4a7160dfff2db71e2eb3cc3efe2022513812ea159b764b87e0111de5dbc2cfccf644388ba5d02b726cc6dfc8e5082c5d213ee52c44f089aa29634cc55bebf
Memory dumps:
dump | filesize
memory/644-0-0x00000000005D0000-0x00000000005D1000-memory.dmp | 4KB
memory/644-1-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/644-2-0x00000000005E0000-0x00000000005E1000-memory.dmp | 4KB
memory/644-6-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1628-7-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/1628-8-0x00000000004C0000-0x00000000004C1000-memory.dmp | 4KB
memory/1628-12-0x0000000000400000-0x0000000000426000-memory.dmp | 152KB
memory/3720-9-0x0000000000880000-0x0000000000895000-memory.dmp | 84KB
memory/3720-11-0x0000000000880000-0x0000000000895000-memory.dmp | 84KB
memory/3720-13-0x0000000000880000-0x0000000000895000-memory.dmp | 84KB