Analysis Overview
SHA256
12a20684ea5e22d7a0ddd0b02ba1f059df10980506168872b41fcdd17fa1218b
Threat Level: Known bad
The file feaace46c675374f394ee22a65282722_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 06:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 06:35
Reported
2024-04-21 06:38
Platform
win7-20240221-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2944 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ArnpksHTejGWn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCEB4.tmp"
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp"
Network
| Country | Destination | Domain | Proto |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
Files
memory/2944-0-0x0000000001270000-0x0000000001380000-memory.dmp
memory/2944-1-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/2944-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp
memory/2944-3-0x0000000000590000-0x00000000005A4000-memory.dmp
memory/2944-4-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/2944-5-0x0000000004DB0000-0x0000000004DF0000-memory.dmp
memory/2944-6-0x00000000011D0000-0x000000000125C000-memory.dmp
memory/2944-7-0x00000000007C0000-0x00000000007FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCEB4.tmp
| MD5 | df6e976d5324ca233c550329bd2f7814 |
| SHA1 | 317d0a713fc8e4e6be9a0f39535dd691203b827f |
| SHA256 | 2b8c9bdfb64f1dc35edce6807cee4b1e792bde58193ef4af697038c03cf585f2 |
| SHA512 | a75d48fa48a25b988ea0e3b1fb03b9298d810e2fcb4637b602a7c7866d13c7c4e703d3d434b5db23321dc3e052eb0fd1d1a2629929a7621e2e3fb3110f1b5e70 |
memory/2468-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2468-21-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2944-24-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/2468-26-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-27-0x0000000074240000-0x000000007492E000-memory.dmp
memory/2468-28-0x0000000000660000-0x00000000006A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD0F5.tmp
| MD5 | 88088abf21775e13f02b29d683c6b871 |
| SHA1 | 04fdb71467383a8ba58c57d95e4ada19bc7a4695 |
| SHA256 | 1cd7c16aead2c11b13c370c095077f069acbb776963ae35d2a629064ea3deb8b |
| SHA512 | 67c5945d37e0f8d920d7d8855fce87309efff5658b47624342bf557aa59e1e33a09c4fe20a8b1c10b9107a8b598fde5de76f5b16e914138998ea6d8583c33c0c |
memory/2468-33-0x0000000000440000-0x000000000044A000-memory.dmp
memory/2468-34-0x0000000000450000-0x000000000046E000-memory.dmp
memory/2468-35-0x00000000004B0000-0x00000000004BA000-memory.dmp
memory/2468-36-0x0000000074240000-0x000000007492E000-memory.dmp
memory/2468-37-0x0000000000660000-0x00000000006A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 06:35
Reported
2024-04-21 06:38
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2108 set thread context of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ArnpksHTejGWn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5445.tmp"
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\feaace46c675374f394ee22a65282722_JaffaCakes118.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp57EF.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| NL | 194.5.97.10:1990 | | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| NL | 194.5.97.10:1990 | | tcp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| NL | 194.5.97.10:1990 | | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 199.232.210.172:80 | | tcp |
| US | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 199.232.210.172:80 | | tcp |
Files
memory/2108-0-0x0000000000D10000-0x0000000000E20000-memory.dmp
memory/2108-2-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/2108-1-0x0000000005810000-0x00000000058AC000-memory.dmp
memory/2108-3-0x0000000005E60000-0x0000000006404000-memory.dmp
memory/2108-4-0x00000000058B0000-0x0000000005942000-memory.dmp
memory/2108-5-0x0000000005A20000-0x0000000005A30000-memory.dmp
memory/2108-6-0x00000000057B0000-0x00000000057BA000-memory.dmp
memory/2108-7-0x00000000059B0000-0x0000000005A06000-memory.dmp
memory/2108-8-0x0000000005230000-0x0000000005244000-memory.dmp
memory/2108-9-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/2108-10-0x0000000005A20000-0x0000000005A30000-memory.dmp
memory/2108-11-0x0000000006EF0000-0x0000000006F7C000-memory.dmp
memory/2108-12-0x0000000006F80000-0x0000000006FBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5445.tmp
| MD5 | 6b2355f8a3cbdd34944a0970342485c1 |
| SHA1 | 3f4c04a991391e56604c1967ae11948d938a96d3 |
| SHA256 | bd16fae3861ee2f596662968e79487696b18d823caeffe67fb58aa7018c28151 |
| SHA512 | e875083d7077820745134cd02cd5be44a3590e1eaa4b5e446c375936911be54c6e5b008c0d1cbb2d04dc4dc25ae2a2c4dc0c03109a07daf2bd9c52a6d950d778 |
memory/1608-16-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\feaace46c675374f394ee22a65282722_JaffaCakes118.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |
memory/2108-19-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/1608-20-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/1608-21-0x00000000055D0000-0x00000000055E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp57EF.tmp
| MD5 | 88088abf21775e13f02b29d683c6b871 |
| SHA1 | 04fdb71467383a8ba58c57d95e4ada19bc7a4695 |
| SHA256 | 1cd7c16aead2c11b13c370c095077f069acbb776963ae35d2a629064ea3deb8b |
| SHA512 | 67c5945d37e0f8d920d7d8855fce87309efff5658b47624342bf557aa59e1e33a09c4fe20a8b1c10b9107a8b598fde5de76f5b16e914138998ea6d8583c33c0c |
memory/1608-26-0x0000000005580000-0x000000000558A000-memory.dmp
memory/1608-27-0x00000000055B0000-0x00000000055CE000-memory.dmp
memory/1608-28-0x00000000065C0000-0x00000000065CA000-memory.dmp
memory/1608-29-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/1608-30-0x00000000055D0000-0x00000000055E0000-memory.dmp