Analysis

max time kernel: 146s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 14:20
Static task: static1

Behavioral task: behavioral1
  Sample: 26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General

Target: 26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe
Size: 127KB
MD5: 26f79e78a4b445e1da768ce79e82c95b
SHA1: 3aedd60770c0179990df20eb9bfc81904297c10d
SHA256: 03c3bf89ec80ccc2ebb578d871ecda58b8623d0fcaac4fc95981ea15aeaa7ba9
SHA512: ace209673d901058793d806c3d033d5c676d33898fc032b39b23f8c4a241694f0e7dba14968076494b64d4d687bd0391d69ab9689e46ef99d076a41983a94e39
SSDEEP: 3072:DR9RULLkf1SfmmzUhJUVWZ3KOcPpKEK6ARbF:DZaLq1SfmmIoi6BPprKbF
Malware Config

Extracted
  Family: tofsee
  C2: 43.231.4.7
  C2: lazystax.ru
Signatures

Creates new service(s) (2 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 724)

Sets service image path in registry (2 TTPs, 1 IoC)
  Process: svchost.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bmyscgoy\ImagePath = "C:\\Windows\\SysWOW64\\bmyscgoy\\ddepkljr.exe"

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
  Process: svchost.exe (PID 4608)

Executes dropped EXE (1 IoC)
  Process: ddepkljr.exe (PID 4376)

Suspicious use of SetThreadContext (1 IoC)
  PID 4376 (ddepkljr.exe) set the thread context of PID 4608 (svchost.exe)

Launches sc.exe (3 IoCs)
  sc.exe is the Windows utility for controlling services on the system.
  Processes: sc.exe (PID 2968), sc.exe (PID 3432), sc.exe (PID 1040)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process: netsh.exe
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Caveat: all three IoCs are reads of the NetSh key by netsh.exe itself, which is how netsh locates its helper DLLs on every start. No value is written, so this is a side effect of the firewall command below, not evidence that the sample registered a helper DLL; weigh the T1546.007 mapping accordingly.

Program crash (2 IoCs)
  WerFault.exe (PID 3756) for target PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe)
  WerFault.exe (PID 2192) for target PID 4376 (ddepkljr.exe)

Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: 26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe, ddepkljr.exe
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 228 (cmd.exe): 3 events
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 2600 (cmd.exe): 3 events
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 2968 (sc.exe): 3 events
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 3432 (sc.exe): 3 events
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 1040 (sc.exe): 3 events
  PID 4848 (26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe) wrote to memory of PID 724 (netsh.exe): 3 events
  PID 4376 (ddepkljr.exe) wrote to memory of PID 4608 (svchost.exe): 5 events
  The three writes into each child of PID 4848 are the ordinary side effect of a parent creating a child process and carry no weight on their own; the five writes from ddepkljr.exe into svchost.exe, combined with the SetThreadContext call from the same process, are the injection.
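The signatures above are individually weak (every process creation triggers WriteProcessMemory, every netsh run touches the NetSh key) and only become a detection when read against the process lineage. The following is an added example, not code from the sandbox report or from the sample: it encodes the tree and the SetThreadContext IoC as constructed data (PIDs and image paths as reported; a parent of None means the tree shows no parent) and flags the three lineage anomalies a responder would key on. The Proc fields and the KNOWN_SYSTEM_SUBDIRS allowlist are this example's own assumptions.

```python
"""Parent/child lineage checks over the process tree of this report.

Added example; not part of the sandbox report or of the sample. PROCS and
THREAD_CONTEXT_SETS are constructed by hand from the tree and signatures
above. The Proc fields and the KNOWN_SYSTEM_SUBDIRS allowlist are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int] = None  # None: the tree shows no parent for this process


# Constructed from the process tree above (example data, not the sandbox's export format).
PROCS: List[Proc] = [
    Proc(4848, r"C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe"),
    Proc(228,  r"C:\Windows\SysWOW64\cmd.exe", 4848),
    Proc(2600, r"C:\Windows\SysWOW64\cmd.exe", 4848),
    Proc(2968, r"C:\Windows\SysWOW64\sc.exe", 4848),
    Proc(3432, r"C:\Windows\SysWOW64\sc.exe", 4848),
    Proc(1040, r"C:\Windows\SysWOW64\sc.exe", 4848),
    Proc(724,  r"C:\Windows\SysWOW64\netsh.exe", 4848),
    Proc(3756, r"C:\Windows\SysWOW64\WerFault.exe", 4848),
    Proc(4376, r"C:\Windows\SysWOW64\bmyscgoy\ddepkljr.exe"),
    Proc(4608, r"C:\Windows\SysWOW64\svchost.exe", 4376),
    Proc(2192, r"C:\Windows\SysWOW64\WerFault.exe", 4376),
]

# (source pid, target pid) from the "Suspicious use of SetThreadContext" signature.
THREAD_CONTEXT_SETS: List[Tuple[int, int]] = [(4376, 4608)]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Subdirectories of the system directories that legitimately hold executables.
# Assumption: a starting allowlist only; extend it for the environment being monitored.
KNOWN_SYSTEM_SUBDIRS = {"wbem", "windowspowershell", "drivers"}


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def nonstandard_system_subdir(image: str) -> Optional[str]:
    """Return the first path component below System32/SysWOW64 when the image lives
    in a subdirectory that is not on the allowlist, otherwise None."""
    low = image.lower()
    for sysdir in SYSTEM_DIRS:
        if low.startswith(sysdir + "\\"):
            parts = low[len(sysdir) + 1:].split("\\")
            if len(parts) > 1 and parts[0] not in KNOWN_SYSTEM_SUBDIRS:
                return parts[0]
    return None


def lineage_findings(procs: List[Proc], context_sets: List[Tuple[int, int]]) -> List[str]:
    """Return one finding per lineage anomaly: svchost.exe with a parent other than
    services.exe, a binary running from an unexpected system subdirectory, and a
    thread-context write into a process with a different image (hollowing)."""
    by_pid = {p.pid: p for p in procs}
    findings: List[str] = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # svchost.exe is started by the Service Control Manager; any other parent is an anomaly.
        if _name(p.image) == "svchost.exe" and parent and _name(parent.image) != "services.exe":
            findings.append(f"svchost.exe PID {p.pid} spawned by {_name(parent.image)} PID {parent.pid}, "
                            f"expected services.exe")
        sub = nonstandard_system_subdir(p.image)
        if sub:
            findings.append(f"PID {p.pid} runs from non-standard system subdirectory '{sub}': {p.image}")
    for src, dst in context_sets:
        s, d = by_pid.get(src), by_pid.get(dst)
        # Create suspended, write, SetThreadContext, resume: the classic hollowing sequence.
        if s and d and _name(s.image) != _name(d.image):
            findings.append(f"PID {src} ({_name(s.image)}) set thread context in PID {dst} "
                            f"({_name(d.image)}): process hollowing indicator")
    return findings


if __name__ == "__main__":
    for line in lineage_findings(PROCS, THREAD_CONTEXT_SETS):
        print(line)
```

On the tree above this yields exactly three findings: ddepkljr.exe running from the created bmyscgoy directory, svchost.exe (PID 4608) parented by ddepkljr.exe instead of services.exe, and the thread-context write from 4376 into 4608. The same three checks port directly to Sysmon Event ID 1/8/10 or EDR telemetry, where the parent is always known.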
Processes

C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe (PID 4848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 228)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bmyscgoy\

  C:\Windows\SysWOW64\cmd.exe (PID 2600)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ddepkljr.exe" C:\Windows\SysWOW64\bmyscgoy\

  C:\Windows\SysWOW64\sc.exe (PID 2968)
    Command line: "C:\Windows\System32\sc.exe" create bmyscgoy binPath= "C:\Windows\SysWOW64\bmyscgoy\ddepkljr.exe /d\"C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 3432)
    Command line: "C:\Windows\System32\sc.exe" description bmyscgoy "wifi internet conection"
    - Launches sc.exe

  C:\Windows\SysWOW64\sc.exe (PID 1040)
    Command line: "C:\Windows\System32\sc.exe" start bmyscgoy
    - Launches sc.exe

  C:\Windows\SysWOW64\netsh.exe (PID 724)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

  C:\Windows\SysWOW64\WerFault.exe (PID 3756)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1300
    - Program crash

C:\Windows\SysWOW64\bmyscgoy\ddepkljr.exe (PID 4376)
  Command line: C:\Windows\SysWOW64\bmyscgoy\ddepkljr.exe /d"C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 4608)
    Command line: svchost.exe
    - Sets service image path in registry
    - Deletes itself

  C:\Windows\SysWOW64\WerFault.exe (PID 2192)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 516
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 1496)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe (PID 2412)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4376 -ip 4376

Reading the tree: the sample is 32-bit, so the cmd.exe, sc.exe and netsh.exe it launches through System32 paths resolve to their SysWOW64 copies via WoW64 file-system redirection, and it creates the service directory under SysWOW64 explicitly. The service binary (PID 4376) is not a child of the sample but is started by the Service Control Manager after "sc start bmyscgoy", which is why it appears as a second top-level process; it spawns svchost.exe (PID 4608) and sets its thread context, and the ImagePath write and the self-deletion are attributed to that svchost.exe. The firewall rule allows inbound traffic to the 32-bit svchost.exe, i.e. to the hollowed process, under a display name chosen to look like a Windows default. Both the sample and the service binary crash afterwards (WerFault targets 4848 and 4376), and the typo in the service description ("conection") is a usable string IoC.
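The sc.exe and netsh.exe command lines are the artifacts a responder needs to pull out for cleanup and for hunting across other hosts: the service name, its binary, the dropper path passed via /d, the display name, and the firewall rule name and program. The following is an added example, not code from the sandbox report or from the sample. SC_CREATE and NETSH_RULE are the two command lines copied from the tree; win_split (a minimal Windows-style splitter that treats \" as a literal quote and keeps every other backslash), the two parsers and the findings text are this example's own.

```python
"""Extract persistence artifacts from the sc.exe and netsh.exe command lines above.

Added example; not part of the sandbox report or of the sample. The two command
lines are copied from the process tree; everything else here is assumption.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

SC_CREATE = r'"C:\Windows\System32\sc.exe" create bmyscgoy binPath= "C:\Windows\SysWOW64\bmyscgoy\ddepkljr.exe /d\"C:\Users\Admin\AppData\Local\Temp\26f79e78a4b445e1da768ce79e82c95b_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"'
NETSH_RULE = r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'


def win_split(cmdline: str) -> List[str]:
    """Split a Windows command line: double quotes group words, a backslash-escaped
    quote (\\") is a literal quote, and any other backslash is kept as-is because
    in Windows paths it is a separator, not an escape (shlex would strip them)."""
    tokens, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Parse 'sc create <name> option= value ...'. sc.exe requires the space after
    '=', so the value is the next token; 'option=value' is tolerated as well."""
    toks = win_split(cmdline)
    if len(toks) < 3 or toks[1].lower() != "create":
        return None
    svc: Dict[str, object] = {"name": toks[2]}
    i = 3
    while i < len(toks):
        tok = toks[i]
        if tok.endswith("="):
            key, val = tok[:-1], (toks[i + 1] if i + 1 < len(toks) else "")
            i += 2
        elif "=" in tok:
            key, val = tok.split("=", 1)
            i += 1
        else:
            i += 1
            continue
        svc[key.lower()] = val
    # binPath is itself a command line: the service executable followed by its arguments.
    bp = win_split(str(svc.get("binpath", "")))
    svc["exe"] = bp[0] if bp else ""
    svc["args"] = bp[1:]
    return svc


def parse_netsh_add_rule(cmdline: str) -> Optional[Dict[str, str]]:
    """Parse 'netsh advfirewall firewall add rule key=value ...' into a dict."""
    toks = win_split(cmdline)
    if [t.lower() for t in toks[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    rule: Dict[str, str] = {}
    for tok in toks[5:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            # The sample glued a cmd-style '>nul' onto its last argument; drop it.
            rule[key.lower()] = val.split(">", 1)[0]
    return rule


def assess_persistence(svc: Dict[str, object], rule: Optional[Dict[str, str]]) -> Tuple[List[str], Optional[str]]:
    """Return (findings, dropper path) for a parsed service and firewall rule."""
    findings: List[str] = []
    exe = str(svc["exe"])
    exe_dir = ntpath.dirname(exe).lower()
    if any(exe_dir.startswith(d + "\\") for d in (r"c:\windows\system32", r"c:\windows\syswow64")):
        findings.append(f"service '{svc['name']}' binary in a non-standard system subdirectory: {exe}")
    if str(svc.get("start", "")).lower() == "auto":
        findings.append(f"service '{svc['name']}' ({svc.get('displayname', '')}) starts automatically at boot")
    dropper = next((a[2:] for a in svc["args"] if a.lower().startswith("/d")), None)
    if dropper:
        findings.append(f"service binary is handed the dropper path via /d: {dropper}")
    if (rule and rule.get("action", "").lower() == "allow" and rule.get("dir", "").lower() == "in"
            and ntpath.basename(rule.get("program", "")).lower() == "svchost.exe"):
        findings.append(f"inbound firewall allow rule '{rule['name']}' for {rule['program']}")
    return findings, dropper


if __name__ == "__main__":
    svc = parse_sc_create(SC_CREATE)
    rule = parse_netsh_add_rule(NETSH_RULE)
    findings, dropper = assess_persistence(svc, rule)
    print("service:", svc["name"], "->", svc["exe"])
    print("firewall rule:", rule["name"], "->", rule["program"])
    for f in findings:
        print("-", f)
```

The parsed values map straight onto the remediation commands (sc stop / sc delete for the service name, netsh advfirewall firewall delete rule name=... for the rule, and the directory under SysWOW64 for removal) and onto a hunt query: any service whose ImagePath sits in a subdirectory of System32 or SysWOW64 that is not one of the few expected ones, plus any inbound allow rule whose program is a svchost.exe path.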
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\ddepkljr.exe
  Filesize: 14.4MB
  MD5: d97e762b68517137fc84ee0be32343c7
  SHA1: b18ad73d124f20ba9ba4a2ea67c4d040a217ed09
  SHA256: d012d681886e3422dc12eda82259d85a12d024fbbc21af6c007e21c72a396ddc
  SHA512: 1f1dd30521c5688f97a73fe3dd8cd8a8f6c8e1dc3cc6eb55b48008140629b39114ba153384a8cc39b192ce28f7d7ebeed9f56002354ab8517c775ec5e45365ee

The dropped file is 14.4MB on disk, yet the image mapped for it in PID 4376 spans only 0x400000-0x4CA000 (808KB); check the file for overlay padding, a common way to push a sample past scanner size limits. The 84KB region at 0xA40000-0xA55000 in the hollowed svchost.exe (PID 4608) is the same size as the sample's own mapped image in PID 4848 (0x400000-0x415000, 84KB), so compare those two dumps first.

Memory dumps

memory/4376-12-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
memory/4376-13-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
memory/4376-14-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
memory/4376-20-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
memory/4608-15-0x0000000000A40000-0x0000000000A55000-memory.dmp  84KB
memory/4608-17-0x0000000000A40000-0x0000000000A55000-memory.dmp  84KB
memory/4608-18-0x0000000000A40000-0x0000000000A55000-memory.dmp  84KB
memory/4848-1-0x00000000007A0000-0x00000000008A0000-memory.dmp  1024KB
memory/4848-2-0x0000000000610000-0x0000000000623000-memory.dmp  76KB
memory/4848-3-0x0000000000400000-0x0000000000415000-memory.dmp  84KB
memory/4848-7-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
memory/4848-9-0x0000000000610000-0x0000000000623000-memory.dmp  76KB
memory/4848-10-0x0000000000400000-0x0000000000415000-memory.dmp  84KB