Analysis
max time kernel: 137s
max time network: 145s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 11:34
Static task: static1
Behavioral task: behavioral1
Sample: 0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe
Size: 782KB
MD5: 0329392630eee094482ce54d45eb6e4d
SHA1: d101266680b49f98fa9bfd1f1a7428f8ec1ec1df
SHA256: d59d14279f8a1b9887a83a2ea99c6e161c94774f3603e46eeb52b11417c753ab
SHA512: 9ea5bea90dff0f446181da044b0fb689f08702e3f25af6a70ee65f767659b4b7edb87a1e329e91559b572190b19d4e3a03ed7e1decc19a050aa2198053a68e99
SSDEEP: 12288:zacwfySyzqwAZj4ziHgkZ0tCNDnTnts6uPmy0n5u8cuWz:+t6ZqPmi2tCN
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: snopper13.ddns.net:1996
C2: 185.208.211.17:1996
Mutex: 639667a7-ccc3-45df-9155-94515c6e197f
Attributes
activate_away_mode: true
backup_connection_host: 185.208.211.17
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-02-17T08:55:58.187172536Z
bypass_user_account_control: false
bypass_user_account_control_data (base64-encoded Task Scheduler XML template): PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1996
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (rendered as 1.048576e+07 by the extractor)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (rendered as 1.048576e+07 by the extractor)
mutex: 639667a7-ccc3-45df-9155-94515c6e197f
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: snopper13.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
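The bypass_user_account_control_data value above is a base64-encoded Windows Task Scheduler XML document with placeholders that the RAT fills in at runtime. The following Python is an added example, not part of this report and not NanoCore's own code: it decodes the value exactly as it appears above, parses the task definition, and reports the fields an analyst cares about (principal run level, the action command and arguments, whether the task has triggers or is hidden). The one quirk worth knowing is that the XML declaration claims UTF-16 while the encoded bytes are single-byte ASCII, so the code strips the declaration before parsing. Function and flag names are mine.

```python
import base64
import re
import xml.etree.ElementTree as ET

# bypass_user_account_control_data, copied verbatim from the extracted config above.
TASK_TEMPLATE_B64 = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

# Default namespace used by Task Scheduler XML; ElementTree needs it on every tag.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def decode_task_template(b64: str) -> str:
    """Base64-decode the template to text.

    The XML declaration says encoding="UTF-16", but the encoded bytes are plain
    single-byte ASCII (no BOM, no NUL padding), so decode as latin-1 instead of
    trusting the declaration."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped '=' padding
    return base64.b64decode(padded).decode("latin-1")


def parse_task_template(xml_text: str) -> dict:
    """Pull the triage-relevant fields out of a Task Scheduler XML document."""
    # Drop the <?xml ...?> declaration so expat does not try to honour UTF-16.
    body = re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)

    def field(*parts):
        node = root.find("/".join(TASK_NS + p for p in parts))
        return None if node is None else (node.text or "")

    triggers = root.find(TASK_NS + "Triggers")
    return {
        "logon_type": field("Principals", "Principal", "LogonType"),
        "run_level": field("Principals", "Principal", "RunLevel"),
        "hidden": field("Settings", "Hidden"),
        "command": field("Actions", "Exec", "Command"),
        "arguments": field("Actions", "Exec", "Arguments"),
        "trigger_count": 0 if triggers is None else len(triggers),
    }


def triage_flags(info: dict) -> list:
    """Turn the parsed fields into the observations an analyst would note."""
    flags = []
    if info["run_level"] == "HighestAvailable":
        flags.append("RunLevel=HighestAvailable: the task runs with the principal's "
                     "highest available token rather than the filtered one")
    if info["command"] and "#EXECUTABLEPATH" in info["command"]:
        flags.append("Command is a placeholder (#EXECUTABLEPATH): the RAT inserts "
                     "its own path at runtime")
    if info["arguments"] == "$(Arg0)":
        flags.append("Arguments=$(Arg0): the task forwards the argument it is "
                     "started with when run on demand via the scheduler API")
    if info["trigger_count"] == 0:
        flags.append("No triggers: the task only runs when started on demand")
    if info["hidden"] == "true":
        flags.append("Task is marked hidden")
    return flags


if __name__ == "__main__":
    info = parse_task_template(decode_task_template(TASK_TEMPLATE_B64))
    for key, value in info.items():
        print(f"{key:>14}: {value}")
    for flag in triage_flags(info):
        print(" *", flag)
```

The same decoder works on any NanoCore config dump with this field; only the placeholders and the run level are expected to differ between builds.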
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: installutil.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"

Suspicious use of SetThreadContext (1 IoC)
  PID 2400 (installutil.exe) set thread context of PID 2812 (installutil.exe)

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DOS Manager\dosmgr.exe (installutil.exe)
  File opened for modification: C:\Program Files (x86)\DOS Manager\dosmgr.exe (installutil.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3068 schtasks.exe
  PID 2556 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2400 installutil.exe
  PID 2812 installutil.exe (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2812 installutil.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2400 installutil.exe
  Token: SeDebugPrivilege, PID 2812 installutil.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  PID 2888 (0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe) wrote to memory of PID 2400 (installutil.exe) x7
  PID 2400 (installutil.exe) wrote to memory of PID 2812 (installutil.exe) x12
  PID 2812 (installutil.exe) wrote to memory of PID 2556 (schtasks.exe) x4
  PID 2812 (installutil.exe) wrote to memory of PID 3068 (schtasks.exe) x4
Processes
PID 2888  C:\Users\Admin\AppData\Local\Temp\0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe"
          - Suspicious use of WriteProcessMemory
  PID 2400  C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (child of 2888)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
    PID 2812  C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (child of 2400)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
      PID 2556  C:\Windows\SysWOW64\schtasks.exe (child of 2812)
                Command line: "schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp"
                - Creates scheduled task(s)
      PID 3068  C:\Windows\SysWOW64\schtasks.exe (child of 2812)
                Command line: "schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp934B.tmp"
                - Creates scheduled task(s)
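The process tree above is the usual .NET RAT loader pattern: the dropper launches the signed InstallUtil.exe with /u pointed at itself, that instance spawns a second InstallUtil.exe and replaces its thread context (the SetThreadContext and WriteProcessMemory signatures), and the hollowed copy installs persistence with schtasks /xml from a Temp file and a Run key. As an added example that is not part of this report or of any sandbox's signature set, the Python below runs five small detection rules over process-creation and registry-set events constructed from the PIDs, paths and command lines shown above (the dropper's parent PID 1000 and the two benign control events are assumed; field and rule names are mine, not Sysmon's or any SIEM's).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegSetEvent:
    pid: int
    image: str
    key: str
    data: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0329392630eee094482ce54d45eb6e4d_JaffaCakes118.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed from the process tree and Run-key IoC in the report above.
# PID 1000 (assumed explorer.exe) and the two benign controls at the end are made up.
PROCS = [
    ProcEvent(2888, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2400, 2888, INSTALLUTIL,
              f'"{INSTALLUTIL}" /logtoconsole=false /logfile= /u "{DROPPER}"'),
    ProcEvent(2812, 2400, INSTALLUTIL, f'"{INSTALLUTIL}"'),
    ProcEvent(2556, 2812, SCHTASKS,
              r'"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp"'),
    ProcEvent(3068, 2812, SCHTASKS,
              r'"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp934B.tmp"'),
    # Benign controls (constructed): an installer uninstalling a service from
    # Program Files, and an admin registering a task from a non-temp path.
    ProcEvent(4100, 4000, INSTALLUTIL, f'"{INSTALLUTIL}" /u "C:\\Program Files\\Vendor\\Service.exe"'),
    ProcEvent(4200, 1000, SCHTASKS, r'"schtasks.exe" /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'),
]
REGS = [
    RegSetEvent(2812, INSTALLUTIL,
                r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager",
                r"C:\Program Files (x86)\DOS Manager\dosmgr.exe"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# .NET framework utilities commonly abused as hollowing hosts for RAT payloads.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(proc, by_pid):
    """Image basenames of parent, grandparent, ... as far as events exist."""
    names, seen = [], set()
    cur = by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return names


def detect(procs, regs):
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        name = basename(p.image)
        parents = ancestry(p, by_pid)
        if name in DOTNET_HOSTS:
            # Rule 1: "/u" (uninstall) run against an assembly in a user temp dir.
            # A real uninstall targets an installed product's directory.
            if re.search(r"\s/u\s", p.cmdline, re.I) and TEMP_RE.search(p.cmdline):
                alerts.append(("dotnet_host_uninstall_from_temp", p.pid))
            # Rule 2: the host re-spawns itself with no assembly argument. The child
            # is the hollowing target the parent writes into and redirects.
            if parents[:1] == [name]:
                alerts.append(("dotnet_host_self_spawn", p.pid))
        if name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            # Rule 3: task registered from an XML file dropped in %TEMP%.
            if re.search(r"/xml\b", p.cmdline, re.I) and TEMP_RE.search(p.cmdline):
                alerts.append(("schtasks_xml_from_temp", p.pid))
            # Rule 4: schtasks launched from inside a host-in-host chain.
            if len(parents) >= 2 and parents[0] == parents[1] and parents[0] in DOTNET_HOSTS:
                alerts.append(("schtasks_from_hollowed_dotnet_host", p.pid))
    for r in regs:
        # Rule 5: an autostart Run value written by a .NET utility.
        if RUN_KEY_RE.search(r.key) and basename(r.image) in DOTNET_HOSTS:
            alerts.append(("run_key_set_by_dotnet_host", r.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(PROCS, REGS):
        print(f"{rule:40s} pid={pid}")
```

Rules 2 and 4 are the ones with the best signal-to-noise: a .NET host process whose parent is the same host binary has no legitimate reason to exist, and neither rule depends on the file hashes, the task name or the C2 host, all of which change between builds.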
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 776580d2028b74ed89bb21146482bdff
  SHA1: d1a45290dedde63d8539a2fc8af866b430238bc7
  SHA256: fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
  SHA512: de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3
File 2
  Filesize: 1KB
  MD5: 8f5713b14cee3089852f6c8d2a7a7d57
  SHA1: 8bffbea05715c6434ad593cce8a2c737f80ff788
  SHA256: ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
  SHA512: 82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72