Analysis

max time kernel: 152s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2024 03:55
Static task: static1
Behavioral task: behavioral1
Sample: ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe
Size: 1.2MB
MD5: ec9dc86cbda5ad0a0b6c79654e361642
SHA1: 9363fc43bb1f3534df3afd40812c75028f390cf5
SHA256: df8bf20364ce7962c466084b46a93ad6762b2459191b39d0c141d4c9c375e4da
SHA512: 3d2014114b654a5a23bfbdcd70b3c819272ea33f3581f6b4d7b1980406cce5e4613d08795efebc0815fbdb8a6bab751020ec8713fd750f95594e31af586986d6
SSDEEP: 12288:WGiW1r7KOT49jaOcsFYJDc9F3nC0Py3gAh7IalhBXRp5DH//rLD5FgRX8A/f0YGs:pYOT4FcsFY3blhBXdPDDgyclh1m
Malware Config

Extracted
family: nanocore
version: 1.2.2.0
c2: blackbladeinc52.ddns.net:1664
mutex: fbbfab5f-08ef-48d2-8383-b548f171bb82

activate_away_mode: true
backup_connection_host: blackbladeinc52.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-05-26T16:20:34.020102036Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1664
default_group: NEW MONEY
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: fbbfab5f-08ef-48d2-8383-b548f171bb82
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: blackbladeinc52.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"

Suspicious use of SetThreadContext (1 IoC)
  PID 2072 (ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe) set thread context of PID 1612 (RegSvcs.exe)

Drops file in Program Files directory (2 IoCs)
  Process: RegSvcs.exe
  File created: C:\Program Files (x86)\TCP Subsystem\tcpss.exe
  File opened for modification: C:\Program Files (x86)\TCP Subsystem\tcpss.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 2860), schtasks.exe (PID 2848), schtasks.exe (PID 2028)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: RegSvcs.exe (PID 1612), recorded twice

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: RegSvcs.exe (PID 1612)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RegSvcs.exe (PID 1612), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2072 (ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe) wrote to memory of PID 2860 (schtasks.exe): 4 events
  PID 2072 (ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe) wrote to memory of PID 1612 (RegSvcs.exe): 12 events
  PID 1612 (RegSvcs.exe) wrote to memory of PID 2848 (schtasks.exe): 4 events
  PID 1612 (RegSvcs.exe) wrote to memory of PID 2028 (schtasks.exe): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec9dc86cbda5ad0a0b6c79654e361642_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CNPJbUTxJtD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp225F.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3034.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp32A5.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp225F.tmp
  Filesize: 1KB
  MD5: 2066b4438fa2ebc7d50dfa230ec8cccb
  SHA1: 78ae973fae583b6c526bb672e3d034b6367f7fcf
  SHA256: 56fddc622648026e50dddb0292411fd31acd43c9e5b9980b0167243f7c3a9e7c
  SHA512: 3a0b0827b69d296f6768e42f6f8e48bc8295b8722a7694eb24525594d995d4bb8125deb5af7db57d195c1ed9c57567831a022b60cd5f136737e595846ebbd544

C:\Users\Admin\AppData\Local\Temp\tmp3034.tmp
  Filesize: 1KB
  MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmp32A5.tmp
  Filesize: 1KB
  MD5: 4b7ef560289c0f62d0baf6f14f48a57a
  SHA1: 8331acb90dde588aa3196919f6e847f398fd06d1
  SHA256: 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
  SHA512: ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp: filesize)
memory/1612-21-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-25-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-41-0x00000000002D0000-0x0000000000310000-memory.dmp: 256KB
memory/1612-40-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/1612-11-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-13-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-15-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-17-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/1612-39-0x00000000002D0000-0x0000000000310000-memory.dmp: 256KB
memory/1612-23-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
memory/1612-38-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/1612-37-0x00000000002D0000-0x0000000000310000-memory.dmp: 256KB
memory/1612-27-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/1612-28-0x00000000002D0000-0x0000000000310000-memory.dmp: 256KB
memory/1612-29-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/2072-1-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/2072-2-0x00000000002F0000-0x0000000000330000-memory.dmp: 256KB
memory/2072-26-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/2072-4-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/2072-0-0x00000000743E0000-0x000000007498B000-memory.dmp: 5.7MB
memory/2072-3-0x00000000002F0000-0x0000000000330000-memory.dmp: 256KB
memory/2072-5-0x00000000002F0000-0x0000000000330000-memory.dmp: 256KB