Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
21-04-2024 02:42
Static task
static1
Behavioral task
behavioral1
Sample
fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
-
Size
11.2MB
-
MD5
fe3ec61798741f90f745a0f508f78c33
-
SHA1
a61540c961cbc8cc90715c610ec7e957d4153757
-
SHA256
13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947
-
SHA512
78fee25e34482064bdcbcdb1681c4156d6ecf5db1ede0273cbe8b8e887bd30a30c1fc9f4fc8bd4d7921321386d8728ddc4dfdd0ab44b1c76ed3a490b23d2e9ee
-
SSDEEP
196608:ytgZqGeTGDbev2aL8bpXxOUu8q7WtnlpWGj8zPMw4XtPRk4R3BxCkfHOU08:bqGeTGWv2hlJj8SXtPR/3BxZHlX
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: lordranseierpilot.from-ms.com:4419
C2: lordranseier.from-de.com:4419
Mutex: 3840f080-c49f-4256-bcbf-eb2fbb38fb91
-
activate_away_mode
true
-
backup_connection_host
lordranseier.from-de.com
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-10-14T12:02:11.615420136Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4419
-
default_group
Olsders
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
3840f080-c49f-4256-bcbf-eb2fbb38fb91
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
lordranseierpilot.from-ms.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
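Added example (not from the sandbox report or its vendor): a Python script that flattens the configuration above into C2 hostnames, host:port pairs and the enabled behaviour flags, then matches those indicators against a few constructed Sysmon-style DNS (event 22) and network-connect (event 3) events. The event lines, their pipe-delimited layout and the confidence labels are this example's own assumptions; only the configuration values are taken from the report.

```python
"""Hunting indicators derived from the NanoCore configuration above, matched
against constructed Sysmon-style events. Added example, not part of the
sandbox report; the event lines and their pipe-delimited layout are this
example's own construction, not a real Sysmon export."""
from dataclasses import dataclass, field

# Values copied from the "Malware Config" section of this report.
NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "lordranseierpilot.from-ms.com",
    "backup_connection_host": "lordranseier.from-de.com",
    "connection_port": 4419,
    "mutex": "3840f080-c49f-4256-bcbf-eb2fbb38fb91",
    "default_group": "Olsders",
    "bypass_user_account_control": True,
    "request_elevation": True,
    "run_on_startup": True,
    "set_critical_process": True,
    "keyboard_logging": False,
}

# Config keys that change how the implant behaves on the host; each one that
# is enabled is worth calling out in a triage note.
BEHAVIOUR_FLAGS = (
    "bypass_user_account_control",
    "request_elevation",
    "run_on_startup",
    "set_critical_process",
    "keyboard_logging",
)


@dataclass
class Indicators:
    domains: set            # C2 hostnames, lower-cased
    port: int               # connection_port
    sockets: set            # "host:port" pairs
    mutex: str
    enabled_flags: list = field(default_factory=list)


def indicators_from_config(cfg: dict) -> Indicators:
    """Flatten the config into the things a SOC can actually search for."""
    domains = {cfg["primary_connection_host"].lower(),
               cfg["backup_connection_host"].lower()}
    port = int(cfg["connection_port"])
    return Indicators(
        domains=domains,
        port=port,
        sockets={f"{d}:{port}" for d in domains},
        mutex=cfg["mutex"],
        enabled_flags=[k for k in BEHAVIOUR_FLAGS if cfg.get(k)],
    )


# Constructed events (assumed layout, not a Sysmon export):
#   EventID|Image|ProcessId|QueryName                          for DNS (id 22)
#   EventID|Image|ProcessId|DestinationHostname|DestinationPort for connect (id 3)
SAMPLE_EVENTS = [
    "22|Olsders_8.exe|2800|lordranseierpilot.from-ms.com",  # primary C2 lookup
    "22|chrome.exe|1444|www.example.com",                    # benign
    "3|Olsders_8.exe|2800|lordranseier.from-de.com|4419",   # backup C2 connect
    "3|svchost.exe|880|update.example.net|443",             # benign
    "3|other.exe|3100|203.0.113.5|4419",                    # port-only, weak
]


def match_events(ind: Indicators, lines) -> list:
    """Return one hit per event that touches a config-derived indicator.

    A hostname match is high confidence; a bare port match is low, because
    4419 is only the operator's chosen port and other software may use it.
    """
    hits = []
    for line in lines:
        parts = line.split("|")
        event_id, image, pid = parts[0], parts[1], int(parts[2])
        if event_id == "22":
            qname = parts[3].lower()
            if qname in ind.domains:
                hits.append({"pid": pid, "image": image,
                             "why": f"dns:{qname}", "confidence": "high"})
        elif event_id == "3":
            host, port = parts[3].lower(), int(parts[4])
            if host in ind.domains:
                hits.append({"pid": pid, "image": image,
                             "why": f"c2:{host}:{port}", "confidence": "high"})
            elif port == ind.port:
                hits.append({"pid": pid, "image": image,
                             "why": f"port:{port}", "confidence": "low"})
    return hits


if __name__ == "__main__":
    ind = indicators_from_config(NANOCORE_CONFIG)
    print("sockets:", sorted(ind.sockets))
    print("enabled:", ind.enabled_flags)
    for h in match_events(ind, SAMPLE_EVENTS):
        print(h)
```

The port-only branch is kept deliberately weak: the hostname is the indicator the operator cannot change without rebuilding the implant, while 4419 is a free choice and collides with legitimate traffic on a large estate.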
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
- PID 2516 Vector Magic.exe
- PID 2388 Olsders_8.exe
- PID 2800 Olsders_8.exe
-
Loads dropped DLL 10 IoCs
Processes:
- PID 2232 fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe (8 loads)
- PID 2388 Olsders_8.exe (2 loads)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Olsders_8.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2388 Olsders_8.exe set thread context of PID 2800 Olsders_8.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
- File opened for modification: C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe (fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.exe (fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.ini (fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 3 IoCs
Processes:
- \Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe: nsis_installer_2
- \Users\Admin\AppData\Roaming\Olsders_8.exe: nsis_installer_1
- \Users\Admin\AppData\Roaming\Olsders_8.exe: nsis_installer_2
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
- PID 2388 Olsders_8.exe (4 events)
- PID 2800 Olsders_8.exe (3 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 2800 Olsders_8.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 2388 Olsders_8.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2800 Olsders_8.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- PID 2232 fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe wrote to memory of PID 2516 Vector Magic.exe (4 writes)
- PID 2232 fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe wrote to memory of PID 2388 Olsders_8.exe (4 writes)
- PID 2388 Olsders_8.exe wrote to memory of PID 2800 Olsders_8.exe (5 writes)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2232
-
[2] C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe
Command line: "C:\Program Files (x86)\© Cedar Lake Ventures, Inc.\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe"
- Executes dropped EXE
PID:2516
-
[2] C:\Users\Admin\AppData\Roaming\Olsders_8.exe
Command line: "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2388
-
[3] C:\Users\Admin\AppData\Roaming\Olsders_8.exe
Command line: "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2800
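Added example (not part of the sandbox report): Python checks over constructed process-creation events that reproduce the PIDs and image paths of the tree above. The explorer.exe root (PID 1200), the tuple layout and the rule names are this example's own assumptions. The self-spawn check is only a hint by itself; it matters here because the report records SetThreadContext and WriteProcessMemory from PID 2388 into its same-image child PID 2800.

```python
"""Process-tree checks over constructed process-creation events that mirror
the tree above. Added example, not part of the sandbox report; the event
tuples, the benign explorer.exe parent and the rule names are this example's
own construction."""
from collections import defaultdict

# (pid, ppid, image). PIDs and images copied from the process tree above;
# the explorer.exe root (PID 1200) is constructed so the chain has a parent.
EVENTS = [
    (1200, 700, r"C:\Windows\explorer.exe"),
    (2232, 1200, r"C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe"),
    (2516, 2232, r"C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe"),
    (2388, 2232, r"C:\Users\Admin\AppData\Roaming\Olsders_8.exe"),
    (2800, 2388, r"C:\Users\Admin\AppData\Roaming\Olsders_8.exe"),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
ROAMING_MARKER = "\\appdata\\roaming\\"


def in_user_writable(image: str) -> bool:
    """True for images run from a per-user scratch or profile directory."""
    low = image.lower()
    return TEMP_MARKER in low or ROAMING_MARKER in low


def build_tree(events):
    """Map pid -> (ppid, image) and ppid -> [child pids]."""
    procs = {pid: (ppid, image) for pid, ppid, image in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return procs, children


def ancestry(procs, pid):
    """Walk parents until the chain leaves the recorded events."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid][0]
    return chain


def self_spawn(procs):
    """Parent and child share an image path. On its own this is only a
    hint; together with the SetThreadContext and WriteProcessMemory
    signatures on this page it is the shape of a hollowed child."""
    return [(ppid, pid) for pid, (ppid, image) in procs.items()
            if ppid in procs and procs[ppid][1].lower() == image.lower()]


def temp_to_roaming(procs):
    """An installer in %TEMP% launching something it dropped in Roaming."""
    out = []
    for pid, (ppid, image) in procs.items():
        if ppid not in procs:
            continue
        parent_image = procs[ppid][1].lower()
        if TEMP_MARKER in parent_image and ROAMING_MARKER in image.lower():
            out.append((ppid, pid))
    return out


def findings(events):
    """Every finding is (rule, parent pid, child pid)."""
    procs, _ = build_tree(events)
    result = []
    for pid, (ppid, image) in procs.items():
        if in_user_writable(image):
            result.append(("image-in-user-writable-dir", ppid, pid))
    for parent, child in temp_to_roaming(procs):
        result.append(("temp-installer-runs-roaming-exe", parent, child))
    for parent, child in self_spawn(procs):
        result.append(("self-spawn-same-image", parent, child))
    return result


if __name__ == "__main__":
    procs, _ = build_tree(EVENTS)
    print("ancestry of 2800:", ancestry(procs, 2800))
    for f in findings(EVENTS):
        print(f)
```

The Vector Magic.exe child (PID 2516) produces no finding: it lives under Program Files and is the decoy the NSIS wrapper installs to look legitimate, which is why a rule keyed on user-writable paths plus the same-image self-spawn isolates the Olsders_8.exe pair rather than the whole tree.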
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 3.0MB
MD5 e8992b1cf5ca990fc3781860d82eef4d
SHA1 3ad636b85ce23d58303e1ab453f55fe7f5eb71b8
SHA256 37d5faa577d6643212c71f952e4132f8284a0f997bbc8c665e0584de87f38827
SHA512 a827b83bb9019bdfa7fb187364799dd05e1b33c11617d38327f72add41b6a87f85d9788b4caa75b4d65783bd593cd543a0ef66d03639cfaa166c1f9914871f2d
-
\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe
Filesize 32.6MB
MD5 008447156ab02ae2c7428639b2c812df
SHA1 9b4de5635152b5d217b7c22f18141ca1efecc52c
SHA256 d9ed5b3ba625da9acf731290d3d45cc1192336c8beda5652f757ab8a3d4bdc00
SHA512 caa2b5c9d6b23a7763a4aa117b3df2239006710f7f61398b3e059596160d20e98f2fb5ad2b2387d1b235e3d95c031d8fa65b8cd88f7bd294df7d89a540908c2f
-
Filesize 11KB
MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Filesize 512KB
MD5 f49790681940884fe1df35a094f09b50
SHA1 5ac2fdc8530239f9a56f185b4ec28adaf0417865
SHA256 f54a4d8df2d9b58d1dae11003b21bef238239b16a1823269a8da73aaacdf1aa6
SHA512 d812f9cb50265ecba35e65c5add77c5da96633eebb3efbd8d174894725cda7b5457f8e4f3d4ab5a04035361325941bb375d6698f024b829eeff8ce07e8206a53