Malware Analysis Report

2024-10-23 19:44

Sample ID 240427-g82kradf6t
Target 02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118
SHA256 79eaf2d7188fe253da3171e6b4629105bb5399c125e60c90905b7d7b4ca507a6
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79eaf2d7188fe253da3171e6b4629105bb5399c125e60c90905b7d7b4ca507a6

Threat Level: Known bad

The file 02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Drops startup file

Executes dropped EXE

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 06:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 06:29

Reported

2024-04-27 06:31

Platform

win7-20240220-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svhost.url | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svhost.url | C:\Users\Admin\Svhost\Svhost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svhost.url | C:\Users\Admin\Svhost\Svhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Svhost\Svhost.exe | N/A
N/A | N/A | C:\Users\Admin\Svhost\Svhost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Svhost\Svhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Svhost\Svhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2916 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2916 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2664 wrote to memory of 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2792 wrote to memory of 2904 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2904 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2904 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 2904 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2792 wrote to memory of 1624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2648 wrote to memory of 796 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 796 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 796 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 2648 wrote to memory of 796 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\Svhost\Svhost.exe
PID 796 wrote to memory of 784 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 796 wrote to memory of 784 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 796 wrote to memory of 784 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 796 wrote to memory of 784 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 624 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 2364 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 2364 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 2364 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 2364 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 796 wrote to memory of 2364 | N/A | C:\Users\Admin\Svhost\Svhost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /sc MINUTE /tn Svhost /MO 1 /tr "C:\Users\Admin\Svhost\Svhost.exe\

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9FF.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {CD20D96C-7C8D-412B-8C43-BFDDC3D4B848} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\Svhost\Svhost.exe

C:\Users\Admin\Svhost\Svhost.exe "C:\Users\Admin\Svhost\Svhost.exe\"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\Svhost\Svhost.exe

C:\Users\Admin\Svhost\Svhost.exe "C:\Users\Admin\Svhost\Svhost.exe\"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp

Files

memory/2916-0-0x0000000000B20000-0x0000000000BF2000-memory.dmp

memory/2916-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/2916-2-0x0000000004E50000-0x0000000004E90000-memory.dmp

memory/2916-3-0x00000000005D0000-0x0000000000614000-memory.dmp

memory/2916-4-0x00000000004F0000-0x00000000004FC000-memory.dmp

memory/2916-7-0x0000000000650000-0x0000000000688000-memory.dmp

memory/2664-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2664-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-10-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2916-23-0x0000000074AA0000-0x000000007518E000-memory.dmp

memory/2664-24-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FF.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

memory/2664-29-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\Svhost\Svhost.exe

MD5 02a1d12573f25e2c3dc5a3cbeab95ba4
SHA1 148f271664a2d85954fc6ca8e8fe324cb111dc17
SHA256 79eaf2d7188fe253da3171e6b4629105bb5399c125e60c90905b7d7b4ca507a6
SHA512 152ade000175f8bc3ce851f9c9e467e831b97e41304f348bd434534c79e013d901193eb8b8339b9f9813f819bf4072f3c3323cac39a635579cf119a25d78f80c

memory/2792-32-0x0000000000010000-0x00000000000E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svhost.url

MD5 0c54eb2412562940017f1e34af010d6b
SHA1 21f0717a64b764536639c262051f5b56766d6c4a
SHA256 cea3e1c5de6572acee150ab9acfd99a4677ab7f800fba04f1abe5235b8826279
SHA512 9941bd43d15e4fb55affed6d26d6d6cf3fd077346d6a909de6c95acb69cefe3b6c31c8b7167251c96150c5370f44882b23aebaadef425dc8905c8433f75eda8f

memory/796-48-0x0000000001030000-0x0000000001102000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 06:29

Reported

2024-04-27 06:31

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svhost.url | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3796 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3796 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3796 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3796 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1784 wrote to memory of 1820 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1784 wrote to memory of 1820 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1784 wrote to memory of 1820 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\02a1d12573f25e2c3dc5a3cbeab95ba4_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /sc MINUTE /tn Svhost /MO 1 /tr "C:\Users\Admin\Svhost\Svhost.exe\

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3FD8.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
IE | 52.111.236.23:443 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
US | 8.8.8.8:53 | testyme08.duckdns.org | udp
US | 102.165.33.234:2299 | testyme08.duckdns.org | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp
N/A | 127.0.0.1:2299 | | tcp

Files

memory/3796-0-0x0000000000D30000-0x0000000000E02000-memory.dmp

memory/3796-1-0x0000000074870000-0x0000000075020000-memory.dmp

memory/3796-2-0x0000000005C80000-0x0000000006224000-memory.dmp

memory/3796-3-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/3796-4-0x00000000055F0000-0x0000000005600000-memory.dmp

memory/3796-5-0x0000000005690000-0x000000000569A000-memory.dmp

memory/3796-6-0x00000000059E0000-0x0000000005A24000-memory.dmp

memory/3796-7-0x00000000058A0000-0x00000000058AC000-memory.dmp

memory/3796-10-0x0000000005A40000-0x0000000005A78000-memory.dmp

memory/3796-11-0x0000000005B20000-0x0000000005BBC000-memory.dmp

memory/1784-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3796-14-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1784-17-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/1784-16-0x00000000706A0000-0x0000000070C51000-memory.dmp

memory/1784-15-0x00000000706A0000-0x0000000070C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3FD8.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

memory/1784-22-0x00000000706A0000-0x0000000070C51000-memory.dmp

memory/1784-23-0x00000000706A0000-0x0000000070C51000-memory.dmp

memory/1784-24-0x0000000002E40000-0x0000000002E50000-memory.dmp