Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 11:39
Static task
static1
Behavioral task
behavioral1
Sample
6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe
-
Size
10.4MB
-
MD5
6315b5985b59592bcb0b76a12d842a53
-
SHA1
68e27e767670329db251d41fde2cd30a130b7b84
-
SHA256
2cea1b1e165a19acb0c3a4c4c9a73798a20a6f43965863b29266a36f0f8aa49d
-
SHA512
a14da4149fb7749dc3942009a34913b4dab5e9d0d83d01ca7d69c5f526cf33edab79fac083d2908b40b8d61ae9c5b8d48f382cacf8806fdf5c81dfe925084d42
-
SSDEEP
12288:Pp4/GC6zTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTT:PpeG
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
-
Creates new service(s) 2 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1536 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\llydtccf\ImagePath = "C:\\Windows\\SysWOW64\\llydtccf\\qgggvmsk.exe" svchost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 2304 svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
qgggvmsk.exepid process 4816 qgggvmsk.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
qgggvmsk.exedescription pid process target process PID 4816 set thread context of 2304 4816 qgggvmsk.exe svchost.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 4016 sc.exe 1524 sc.exe 4516 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1340 5040 WerFault.exe 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe 1416 4816 WerFault.exe qgggvmsk.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exeqgggvmsk.exedescription pid process target process PID 5040 wrote to memory of 2964 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 2964 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 2964 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 1232 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 1232 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 1232 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe cmd.exe PID 5040 wrote to memory of 4016 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 4016 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 4016 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 1524 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 1524 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 1524 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 4516 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 4516 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 4516 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe sc.exe PID 5040 wrote to memory of 1536 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe netsh.exe PID 5040 wrote to memory of 1536 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe netsh.exe PID 5040 wrote to memory of 1536 5040 6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe netsh.exe PID 4816 wrote to memory of 2304 4816 qgggvmsk.exe svchost.exe PID 4816 wrote to memory of 2304 4816 qgggvmsk.exe svchost.exe PID 4816 wrote to memory of 2304 4816 qgggvmsk.exe svchost.exe PID 4816 wrote to memory of 2304 4816 qgggvmsk.exe svchost.exe PID 4816 wrote to memory of 2304 4816 qgggvmsk.exe svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\llydtccf\2⤵PID:2964
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qgggvmsk.exe" C:\Windows\SysWOW64\llydtccf\2⤵PID:1232
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create llydtccf binPath= "C:\Windows\SysWOW64\llydtccf\qgggvmsk.exe /d\"C:\Users\Admin\AppData\Local\Temp\6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
PID:4016 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description llydtccf "wifi internet conection"2⤵
- Launches sc.exe
PID:1524 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start llydtccf2⤵
- Launches sc.exe
PID:4516 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 11882⤵
- Program crash
PID:1340
-
C:\Windows\SysWOW64\llydtccf\qgggvmsk.exeC:\Windows\SysWOW64\llydtccf\qgggvmsk.exe /d"C:\Users\Admin\AppData\Local\Temp\6315b5985b59592bcb0b76a12d842a53_JaffaCakes118.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
- Deletes itself
PID:2304 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 5282⤵
- Program crash
PID:1416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5040 -ip 50401⤵PID:2332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4816 -ip 48161⤵PID:4172
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\qgggvmsk.exeFilesize
12.4MB
MD515b37e69dd6c9975e27fa9c2d4cfe0be
SHA1fddae368090de722305a919a10c14ba1e09ffeab
SHA2566aa6e95eeca0350d4af2efd816c739a60a3c0e19f8b70553a033603a5cac1d6d
SHA51261525f1740f2bbce953e9cf39d8383d891489b55e045f17512744fe9b54fc1d39c912a637305d7c3b7b84ce9090dda58b2fedcc38cbd4810b83eb7de68c0593b
-
memory/2304-13-0x00000000009D0000-0x00000000009E5000-memory.dmpFilesize
84KB
-
memory/2304-17-0x00000000009D0000-0x00000000009E5000-memory.dmpFilesize
84KB
-
memory/2304-16-0x00000000009D0000-0x00000000009E5000-memory.dmpFilesize
84KB
-
memory/4816-14-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/4816-11-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/4816-12-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/4816-18-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/5040-9-0x0000000000610000-0x0000000000623000-memory.dmpFilesize
76KB
-
memory/5040-8-0x0000000000400000-0x00000000004AB000-memory.dmpFilesize
684KB
-
memory/5040-2-0x0000000000610000-0x0000000000623000-memory.dmpFilesize
76KB
-
memory/5040-10-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/5040-4-0x0000000000400000-0x0000000000415000-memory.dmpFilesize
84KB
-
memory/5040-1-0x0000000000640000-0x0000000000740000-memory.dmpFilesize
1024KB