Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
26-04-2024 15:03
Static task
static1
Behavioral task
behavioral1
Sample
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
-
Size
322KB
-
MD5
010911bc2d16430d96aa7d3d8e884c92
-
SHA1
1a983a0d46928e62a5817c9446586b2ba8bc5750
-
SHA256
330975f098d84c78c5a602f28fee0e6507872c3de822d267cd10e8879ec3aecc
-
SHA512
661cfbfb7efd2fa1c69b72466401390b5337bdb3da316f96e14c185866a9f612d7820d55fd5722c3c58c1f26e5f2dafcafb9535845fe36210b8f4c1c05b99a7f
-
SSDEEP
6144:BQeJ7tb9wLDUdI1W5qTltKkjJQqcpCQFS1hQFuB3B8sT5Q7noux93BfuSvfa/pu:BQeJ7tRwPYhUTlpjJQRMQFSHQw/8sT5g
Malware Config
Extracted
nanocore
1.2.2.0
moranhq.duckdns.org:7719
88f24242-8521-456c-87da-966f281b5b71
-
activate_away_mode
true
-
backup_connection_host
moranhq.duckdns.org
-
backup_dns_server
moranhq.duckdns.org
-
buffer_size
65535
-
build_time
2018-02-01T07:09:17.557579636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7719
-
default_group
CYBER TEAM
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
88f24242-8521-456c-87da-966f281b5b71
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
moranhq.duckdns.org
-
primary_dns_server
moranhq.duckdns.org
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Drops startup file 1 IoCs
Processes:
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Amkbvc.url | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" | RegAsm.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
description | pid | process | target process
PID 1876 set thread context of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
RegAsm.exe
description | ioc | process
File created | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | RegAsm.exe
File opened for modification | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | process
2408 | schtasks.exe
2840 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, RegAsm.exe
pid | process
1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
2756 | RegAsm.exe
2756 | RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exe
pid | process
2756 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
Token: SeDebugPrivilege | 2756 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, csc.exe, RegAsm.exe
description | pid | process | target process
PID 1876 wrote to memory of 2988 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
PID 1876 wrote to memory of 2988 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
PID 1876 wrote to memory of 2988 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
PID 1876 wrote to memory of 2988 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
PID 2988 wrote to memory of 2620 | 2988 | csc.exe | cvtres.exe
PID 2988 wrote to memory of 2620 | 2988 | csc.exe | cvtres.exe
PID 2988 wrote to memory of 2620 | 2988 | csc.exe | cvtres.exe
PID 2988 wrote to memory of 2620 | 2988 | csc.exe | cvtres.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 1876 wrote to memory of 2756 | 1876 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
PID 2756 wrote to memory of 2408 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2408 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2408 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2408 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2840 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2840 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2840 | 2756 | RegAsm.exe | schtasks.exe
PID 2756 wrote to memory of 2840 | 2756 | RegAsm.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES140D.tmp" "c:\Users\Admin\AppData\Local\Temp\pbsfbugm\CSC7501D42EACA04CCD8C77AE99ADA6E682.TMP"
3⤵
PID:2620
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp162F.tmp"
3⤵
- Creates scheduled task(s)
PID:2408 -
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp16BD.tmp"
3⤵
- Creates scheduled task(s)
PID:2840
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 e9a31fdae6c4ac91588e9815800b6cf1
SHA1 0c72e1a8bb74a075a9aea2554d48afd695f90c0d
SHA256 82c76ebba32b8ab9069595c597d3d117c9d1b04d349e3d43aa4886f23703ef8d
SHA512 27ac35557fca32dd20405e6872a220021bb15c7a0214c770f18983295694795ad6b41dfa71ce1d4fed2a1dd02a921a4c72f9c12360f0ca823db2c7f948942782
-
Filesize
13KB
MD5 de4fcd0bef2328c99acdce195fd78c4f
SHA1 a45c4af4689af99948256fa19fa4b7af349b79c5
SHA256 e95d6c0355e44727f95e0949a461184f53186e1f1941d28cdf65d85571e91ba9
SHA512 a32646f91a9ed6c5383b32d31d8d39d4576f064e9a874b6d53130a359b4ea9f566cf1dda02222696258f0dc2ffceb014782e77f3aadd6f9374d1288656e1102b
-
Filesize
39KB
MD5 a918963ee1e1d80e6a4e1463d453ad4a
SHA1 ae472c3f49009775eb78bb9ee68dda83556dde5d
SHA256 26512d64fa7f8df5a218b8d5d8626f3822b81e882827ec082ee7fecae654d66f
SHA512 009e5591da8a8f11ea1dbe1d1f730591bc741732cdca6821547c94e0c86cfe04712cd0df12bf17e0b5e79c7d8f914f7344f66e341500c892301597c2afc695a8
-
Filesize
1KB
MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
-
Filesize
1KB
MD5 8e2d5fba24ae8a54087d8e6cadc188c1
SHA1 548555025543b4773b8f36301f5fa5003e1c85dc
SHA256 f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759
SHA512 9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d
-
Filesize
1KB
MD5 03ddda88d31dc38716a45572ef92b63f
SHA1 643c3cb00abac7488f20e31e28dd26f36b55f7d6
SHA256 c433158eea37a3c96241a45807329e460ce1392ed084943eabe881c3dc34636b
SHA512 c492fa99feb2c744eb3a57c97d76d57d909f785f5fc8ff0b3ff53176c3e94559b6287a9eb13c9a422893055fab6d3c3a384c28d087b37c2572aff31c23de8259
-
Filesize
24KB
MD5 d008b533315d3a3dfe0ab52ba6ca9dd6
SHA1 f41143f93a7aebaefe12568d0997a1d6d778a2da
SHA256 c9da722a81316670bf37097da756826bac0b39600ccca9e8e360e9b46346987f
SHA512 9398c70790dd38bebcc42f247271482ab33deb2b1f679ce8f44d6b3c33d83549c3bc5b04d7bff6e23f4e783f0b548d1d139b1bf0324c13d20df892a7a353de91
-
Filesize
312B
MD5 20742cb590c70a5ee277fe16988a733d
SHA1 22e027071a46a6b188be0b2bec4ac0d15ef673d5
SHA256 7dd29c94a76e3dcef890d1405392d290ba9d3188f9092d7dfa06dbe0401c6fda
SHA512 de26c855e9078a2aab794c1017dd5e222be80c59abc75c74b26dde48d2c552b3c0a838088654ae3332de4d60c31711fd9eacc6195f78020c3f148af85dfaba5a