Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 15:03

General

  • Target

    010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe

  • Size

    322KB

  • MD5

    010911bc2d16430d96aa7d3d8e884c92

  • SHA1

    1a983a0d46928e62a5817c9446586b2ba8bc5750

  • SHA256

    330975f098d84c78c5a602f28fee0e6507872c3de822d267cd10e8879ec3aecc

  • SHA512

    661cfbfb7efd2fa1c69b72466401390b5337bdb3da316f96e14c185866a9f612d7820d55fd5722c3c58c1f26e5f2dafcafb9535845fe36210b8f4c1c05b99a7f

  • SSDEEP

    6144:BQeJ7tb9wLDUdI1W5qTltKkjJQqcpCQFS1hQFuB3B8sT5Q7noux93BfuSvfa/pu:BQeJ7tRwPYhUTlpjJQRMQFSHQw/8sT5g

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

moranhq.duckdns.org:7719

Mutex

88f24242-8521-456c-87da-966f281b5b71

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    moranhq.duckdns.org

  • backup_dns_server

    moranhq.duckdns.org

  • buffer_size

    65535

  • build_time

    2018-02-01T07:09:17.557579636Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    7719

  • default_group

    CYBER TEAM

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    88f24242-8521-456c-87da-966f281b5b71

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    moranhq.duckdns.org

  • primary_dns_server

    moranhq.duckdns.org

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES140D.tmp" "c:\Users\Admin\AppData\Local\Temp\pbsfbugm\CSC7501D42EACA04CCD8C77AE99ADA6E682.TMP"
        3⤵
          PID:2620
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp162F.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:2408
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp16BD.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:2840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES140D.tmp

      Filesize

      1KB

      MD5

      e9a31fdae6c4ac91588e9815800b6cf1

      SHA1

      0c72e1a8bb74a075a9aea2554d48afd695f90c0d

      SHA256

      82c76ebba32b8ab9069595c597d3d117c9d1b04d349e3d43aa4886f23703ef8d

      SHA512

      27ac35557fca32dd20405e6872a220021bb15c7a0214c770f18983295694795ad6b41dfa71ce1d4fed2a1dd02a921a4c72f9c12360f0ca823db2c7f948942782

    • C:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.dll

      Filesize

      13KB

      MD5

      de4fcd0bef2328c99acdce195fd78c4f

      SHA1

      a45c4af4689af99948256fa19fa4b7af349b79c5

      SHA256

      e95d6c0355e44727f95e0949a461184f53186e1f1941d28cdf65d85571e91ba9

      SHA512

      a32646f91a9ed6c5383b32d31d8d39d4576f064e9a874b6d53130a359b4ea9f566cf1dda02222696258f0dc2ffceb014782e77f3aadd6f9374d1288656e1102b

    • C:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.pdb

      Filesize

      39KB

      MD5

      a918963ee1e1d80e6a4e1463d453ad4a

      SHA1

      ae472c3f49009775eb78bb9ee68dda83556dde5d

      SHA256

      26512d64fa7f8df5a218b8d5d8626f3822b81e882827ec082ee7fecae654d66f

      SHA512

      009e5591da8a8f11ea1dbe1d1f730591bc741732cdca6821547c94e0c86cfe04712cd0df12bf17e0b5e79c7d8f914f7344f66e341500c892301597c2afc695a8

    • C:\Users\Admin\AppData\Local\Temp\tmp162F.tmp

      Filesize

      1KB

      MD5

      c6f0625bf4c1cdfb699980c9243d3b22

      SHA1

      43de1fe580576935516327f17b5da0c656c72851

      SHA256

      8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

      SHA512

      9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

    • C:\Users\Admin\AppData\Local\Temp\tmp16BD.tmp

      Filesize

      1KB

      MD5

      8e2d5fba24ae8a54087d8e6cadc188c1

      SHA1

      548555025543b4773b8f36301f5fa5003e1c85dc

      SHA256

      f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759

      SHA512

      9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d

    • \??\c:\Users\Admin\AppData\Local\Temp\pbsfbugm\CSC7501D42EACA04CCD8C77AE99ADA6E682.TMP

      Filesize

      1KB

      MD5

      03ddda88d31dc38716a45572ef92b63f

      SHA1

      643c3cb00abac7488f20e31e28dd26f36b55f7d6

      SHA256

      c433158eea37a3c96241a45807329e460ce1392ed084943eabe881c3dc34636b

      SHA512

      c492fa99feb2c744eb3a57c97d76d57d909f785f5fc8ff0b3ff53176c3e94559b6287a9eb13c9a422893055fab6d3c3a384c28d087b37c2572aff31c23de8259

    • \??\c:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.0.cs

      Filesize

      24KB

      MD5

      d008b533315d3a3dfe0ab52ba6ca9dd6

      SHA1

      f41143f93a7aebaefe12568d0997a1d6d778a2da

      SHA256

      c9da722a81316670bf37097da756826bac0b39600ccca9e8e360e9b46346987f

      SHA512

      9398c70790dd38bebcc42f247271482ab33deb2b1f679ce8f44d6b3c33d83549c3bc5b04d7bff6e23f4e783f0b548d1d139b1bf0324c13d20df892a7a353de91

    • \??\c:\Users\Admin\AppData\Local\Temp\pbsfbugm\pbsfbugm.cmdline

      Filesize

      312B

      MD5

      20742cb590c70a5ee277fe16988a733d

      SHA1

      22e027071a46a6b188be0b2bec4ac0d15ef673d5

      SHA256

      7dd29c94a76e3dcef890d1405392d290ba9d3188f9092d7dfa06dbe0401c6fda

      SHA512

      de26c855e9078a2aab794c1017dd5e222be80c59abc75c74b26dde48d2c552b3c0a838088654ae3332de4d60c31711fd9eacc6195f78020c3f148af85dfaba5a

    • memory/1876-23-0x00000000044C0000-0x00000000044F8000-memory.dmp

      Filesize

      224KB

    • memory/1876-37-0x0000000074590000-0x0000000074C7E000-memory.dmp

      Filesize

      6.9MB

    • memory/1876-19-0x0000000004260000-0x00000000042A2000-memory.dmp

      Filesize

      264KB

    • memory/1876-20-0x0000000000450000-0x000000000045C000-memory.dmp

      Filesize

      48KB

    • memory/1876-0-0x0000000000BE0000-0x0000000000C36000-memory.dmp

      Filesize

      344KB

    • memory/1876-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

      Filesize

      6.9MB

    • memory/1876-4-0x0000000004D30000-0x0000000004D70000-memory.dmp

      Filesize

      256KB

    • memory/1876-17-0x0000000000420000-0x000000000042A000-memory.dmp

      Filesize

      40KB

    • memory/2756-24-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-32-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-35-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-28-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-36-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2756-25-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2756-26-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB