Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-07-2024 16:30
Static task
static1
Behavioral task
behavioral1
Sample
4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe
-
Size
10.9MB
-
MD5
4276d6e574f6400e64b3f2a1dae82741
-
SHA1
aa8086e024027c58126f30047092b43651c0da35
-
SHA256
cd49e88abc766e9e6577b1e7d8b0c4b27df164e7067039ae11ff78c2b0166bb2
-
SHA512
859c90ab3290144e7aef08e9fa126943e28a570da620d46365967c15da158e984a99735352d6c2b099d148cdaa7080066f7c51f160e6884f7eecde25235e540f
-
SSDEEP
196608:tXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP3:t
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\mwiiijtd = "0" svchost.exe -
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2784 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mwiiijtd\ImagePath = "C:\\Windows\\SysWOW64\\mwiiijtd\\afbtrug.exe" svchost.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 2744 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
afbtrug.exepid process 2688 afbtrug.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
afbtrug.exedescription pid process target process PID 2688 set thread context of 2744 2688 afbtrug.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 1020 sc.exe 588 sc.exe 264 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exeafbtrug.exedescription pid process target process PID 1748 wrote to memory of 1736 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 1736 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 1736 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 1736 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 2336 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 2336 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 2336 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 2336 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe cmd.exe PID 1748 wrote to memory of 1020 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 1020 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 1020 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 1020 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 588 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 588 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 588 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 588 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 264 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 264 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 264 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 264 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe sc.exe PID 1748 wrote to memory of 2784 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe netsh.exe PID 1748 wrote to memory of 2784 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe netsh.exe PID 1748 wrote to memory of 2784 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe netsh.exe PID 1748 wrote to memory of 2784 1748 4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe netsh.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe PID 2688 wrote to memory of 2744 2688 afbtrug.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mwiiijtd\2⤵PID:1736
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\afbtrug.exe" C:\Windows\SysWOW64\mwiiijtd\2⤵PID:2336
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create mwiiijtd binPath= "C:\Windows\SysWOW64\mwiiijtd\afbtrug.exe /d\"C:\Users\Admin\AppData\Local\Temp\4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:1020 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description mwiiijtd "wifi internet conection"2⤵
- Launches sc.exe
PID:588 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start mwiiijtd2⤵
- Launches sc.exe
PID:264 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2784
-
C:\Windows\SysWOW64\mwiiijtd\afbtrug.exeC:\Windows\SysWOW64\mwiiijtd\afbtrug.exe /d"C:\Users\Admin\AppData\Local\Temp\4276d6e574f6400e64b3f2a1dae82741_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Windows security bypass
- Sets service image path in registry
- Deletes itself
PID:2744
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\afbtrug.exeFilesize
14.7MB
MD536ed6d0885be8e281cb1afdaa29ffd07
SHA15daaf1246d25d0fcf2bbfd45ddcaf3ca7e6f2b4b
SHA256671478a2a36a6c62bfbde1f00ceb78d1f4b50603e267a55730117bd505657f30
SHA512356f6e23ad78d860bbb7ba508de7ab31fec7ce30876e4a3f0d2a956001adeb5cc26492a9bc8c171c769ae4a2ed3fa1e6b404b5efae5f5183222a4712cdd5b459
-
memory/1748-8-0x0000000000400000-0x0000000000871000-memory.dmpFilesize
4.4MB
-
memory/1748-3-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/1748-2-0x0000000000020000-0x0000000000033000-memory.dmpFilesize
76KB
-
memory/1748-10-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/1748-9-0x0000000000020000-0x0000000000033000-memory.dmpFilesize
76KB
-
memory/1748-1-0x0000000000A10000-0x0000000000B10000-memory.dmpFilesize
1024KB
-
memory/2688-17-0x0000000000400000-0x0000000000871000-memory.dmpFilesize
4.4MB
-
memory/2744-11-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB
-
memory/2744-14-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB
-
memory/2744-16-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB
-
memory/2744-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2744-18-0x0000000000080000-0x0000000000095000-memory.dmpFilesize
84KB