Analysis
- max time kernel: 138s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-04-2024 15:03
Static task: static1
Behavioral task: behavioral1
Sample: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
Resource: win7-20240215-en
General
- Target: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
- Size: 322KB
- MD5: 010911bc2d16430d96aa7d3d8e884c92
- SHA1: 1a983a0d46928e62a5817c9446586b2ba8bc5750
- SHA256: 330975f098d84c78c5a602f28fee0e6507872c3de822d267cd10e8879ec3aecc
- SHA512: 661cfbfb7efd2fa1c69b72466401390b5337bdb3da316f96e14c185866a9f612d7820d55fd5722c3c58c1f26e5f2dafcafb9535845fe36210b8f4c1c05b99a7f
- SSDEEP: 6144:BQeJ7tb9wLDUdI1W5qTltKkjJQqcpCQFS1hQFuB3B8sT5Q7noux93BfuSvfa/pu:BQeJ7tRwPYhUTlpjJQRMQFSHQw/8sT5g
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: moranhq.duckdns.org:7719
- Mutex: 88f24242-8521-456c-87da-966f281b5b71
Attributes
- activate_away_mode: true
- backup_connection_host: moranhq.duckdns.org
- backup_dns_server: moranhq.duckdns.org
- buffer_size: 65535
- build_time: 2018-02-01T07:09:17.557579636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7719
- default_group: CYBER TEAM
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 88f24242-8521-456c-87da-966f281b5b71
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: moranhq.duckdns.org
- primary_dns_server: moranhq.duckdns.org
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file 1 IoCs
  Processes: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Amkbvc.url | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: RegAsm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Subsystem = "C:\\Program Files (x86)\\LAN Subsystem\\lanss.exe" | RegAsm.exe
- Checks whether UAC is enabled
  Processes: RegAsm.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  description | pid | process | target process
  PID 2512 set thread context of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
- Drops file in Program Files directory 2 IoCs
  Processes: RegAsm.exe
  description | ioc | process
  File created | C:\Program Files (x86)\LAN Subsystem\lanss.exe | RegAsm.exe
  File opened for modification | C:\Program Files (x86)\LAN Subsystem\lanss.exe | RegAsm.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  2836 | schtasks.exe
  3592 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 9 IoCs
  Processes: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, RegAsm.exe
  pid | process
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  2212 | RegAsm.exe
  2212 | RegAsm.exe
  2212 | RegAsm.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: RegAsm.exe
  pid | process
  2212 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2212 | RegAsm.exe
- Suspicious use of WriteProcessMemory 26 IoCs
  Processes: 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe, csc.exe, RegAsm.exe
  description | pid | process | target process
  PID 2512 wrote to memory of 3404 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
  PID 2512 wrote to memory of 3404 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
  PID 2512 wrote to memory of 3404 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | csc.exe
  PID 3404 wrote to memory of 2792 | 3404 | csc.exe | cvtres.exe
  PID 3404 wrote to memory of 2792 | 3404 | csc.exe | cvtres.exe
  PID 3404 wrote to memory of 2792 | 3404 | csc.exe | cvtres.exe
  PID 2512 wrote to memory of 1152 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 1152 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 1152 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 3064 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 3064 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 3064 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2512 wrote to memory of 2212 | 2512 | 010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe | RegAsm.exe
  PID 2212 wrote to memory of 2836 | 2212 | RegAsm.exe | schtasks.exe
  PID 2212 wrote to memory of 2836 | 2212 | RegAsm.exe | schtasks.exe
  PID 2212 wrote to memory of 2836 | 2212 | RegAsm.exe | schtasks.exe
  PID 2212 wrote to memory of 3592 | 2212 | RegAsm.exe | schtasks.exe
  PID 2212 wrote to memory of 3592 | 2212 | RegAsm.exe | schtasks.exe
  PID 2212 wrote to memory of 3592 | 2212 | RegAsm.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe (level 1, PID 2512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\010911bc2d16430d96aa7d3d8e884c92_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (level 2, PID 3404)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djxt50ic\djxt50ic.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (level 3, PID 2792)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES323B.tmp" "c:\Users\Admin\AppData\Local\Temp\djxt50ic\CSCB3D17A2F32E4B3A9AB63327AA8047.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2, PID 1152)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2, PID 3064)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2, PID 2212)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 2836)
      Command line: "schtasks.exe" /create /f /tn "LAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp36A0.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 3592)
      Command line: "schtasks.exe" /create /f /tn "LAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp36EF.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f149383d348c586312cad7f6c8c12293
  SHA1: 32e2549ff7b975021f76b4d6a7d5f6b319ff2624
  SHA256: eb9a8f8cbd2f4be2931de46644d12c346a33352350f700c7c1c28c96addf119e
  SHA512: d5e528ee6a47b913ccdaf3cec481282e7a0beac7bf662062c555351342a6ffff9466443d5b88365d9e35bd36a305c8a2da95e6ed659c82696cb5898224fa1e46
- Filesize: 13KB
  MD5: 4f06264a32fdbf87462f0fff1f3b6b1a
  SHA1: 8df70d52e894b1dc6f2662e95d868f8cfe204b31
  SHA256: 77adea3ac347a86bd756ac68a09c76387d3a8fd513e5565e86fad2f30843ce8f
  SHA512: 3c66f0d2dd2e6c2a655d90aa6800ef72f2c4993c914511d6e1561bf36721b17ce039c89569cec50f0165ffccef3f5a9c6717bc8219af23c3eced7df8f1b8dc66
- Filesize: 39KB
  MD5: 43692946c0b36e1de9aa2e2bfde570fe
  SHA1: 40f2f544ba91055f3bad7b7b5add2292474e0a3f
  SHA256: bf49ac99b89a1f2aa116c628669a8d7a90fde969fb732973149d75cb5e978cd0
  SHA512: eb536762f6e510096a5d2f76aef8edf5a5e68f04d231f288f33ca50b7c6dc156ebae6b1a717ebedc755aa4b821b176c57d8fc89f25bed21dbd6417e2b5d1104c
- Filesize: 1KB
  MD5: c6f0625bf4c1cdfb699980c9243d3b22
  SHA1: 43de1fe580576935516327f17b5da0c656c72851
  SHA256: 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
  SHA512: 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
- Filesize: 1KB
  MD5: 924694e208642d4d8a4c7e0f0cba0de1
  SHA1: 87e9496a918036c3e3902f125b95a47e38548828
  SHA256: 8de0bab59a9fe15f312e81a373382ed992ce5110deb3813f663b92cfc5eae0b6
  SHA512: ef3cfc08df53777f13fb51fdc0269f6f686c0df57c4dd72f395dc53d1d8ef2b08e33c3601507a45c3cc31a25b70ebf365d0fa93db64e1e851173216a45c49c2c
- Filesize: 1KB
  MD5: 935261e9f404e667b075dcd4d094dccd
  SHA1: bfce9185c8c945099714ba78ee4d878316b4eeba
  SHA256: 27f22487db75de90cebbfd441f5c7489cd80fd8d1c67095e0eec87faea3dec79
  SHA512: 11c7589d28c39374bfd85acf4a5a7571ecc9e5556d98de522fdefe75e2980c2ef1797dc8044f6bc192d625494c217ad0f5742a45ff70bf203a879ed54d9da831
- Filesize: 24KB
  MD5: d008b533315d3a3dfe0ab52ba6ca9dd6
  SHA1: f41143f93a7aebaefe12568d0997a1d6d778a2da
  SHA256: c9da722a81316670bf37097da756826bac0b39600ccca9e8e360e9b46346987f
  SHA512: 9398c70790dd38bebcc42f247271482ab33deb2b1f679ce8f44d6b3c33d83549c3bc5b04d7bff6e23f4e783f0b548d1d139b1bf0324c13d20df892a7a353de91
- Filesize: 312B
  MD5: 710245565c7c377b999511a452145b6f
  SHA1: ea179d2b462d1b4af1f160897489788eed8a6335
  SHA256: b4baeddefc1aafbf6ec3d14481ce21d19bca3550ce0e33e5f8612dc821fe5645
  SHA512: bb48b2bf312114b106b26fed8301d7ca25c2f1271d3a23ebb40e954eebd681b418168ac3517d1256e607b6dd3c8de52365a4d208ff96d941d460635f87da29ce