Analysis Overview
| SHA256 | dfaef1fc73070ec9c9c82054c45852aed5bd3cbf3d05b1e5dc3e0da7d9c8bf60 |
| Threat Level | Known bad |
The file 085835acd102be8ae20f06e3bcd1c286_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-04-29 18:35 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-29 18:35 |
| Reported | 2024-04-29 18:37 |
| Platform | win10v2004-20240419-en |
| Max time kernel | 149s |
| Max time network | 141s |
| Command Line | |
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4104 set thread context of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe" |
| C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKruiAd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3776.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "{path}" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /f /tn "DSL Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3AE1.tmp" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
Files
memory/4104-0-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/4104-1-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/4104-2-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/2800-3-0x0000000000DB0000-0x0000000000DD0000-memory.dmp
memory/2800-4-0x00007FF9382D0000-0x00007FF938C71000-memory.dmp
memory/2800-5-0x00000000010F0000-0x0000000001100000-memory.dmp
memory/2800-7-0x00007FF9382D0000-0x00007FF938C71000-memory.dmp
memory/2800-6-0x000000001A830000-0x000000001AC04000-memory.dmp
memory/2800-8-0x000000001AE50000-0x000000001AF86000-memory.dmp
memory/2800-9-0x00000000010F0000-0x0000000001100000-memory.dmp
memory/4104-10-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/4104-11-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/2800-12-0x00007FF9382D0000-0x00007FF938C71000-memory.dmp
memory/2800-13-0x00000000010F0000-0x0000000001100000-memory.dmp
memory/2800-14-0x00000000010F0000-0x0000000001100000-memory.dmp
memory/4104-15-0x0000000000D00000-0x0000000000D10000-memory.dmp
memory/4104-16-0x0000000000D00000-0x0000000000D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3776.tmp
| MD5 | 28a030c7e73df0bc6ae6ab4bd7b588cc |
| SHA1 | 708b9cc656cb69a5d50218157e478ba7427671f5 |
| SHA256 | 7a106127d8ee23947af7a1b4daa25fc2f417f618f265779c6497da9468a41a11 |
| SHA512 | d0a26796e720a07c8ea674be61fa32fb6cdfbad0cd4519336ffc18f1dc7c6d63316f5077c802b61401e884a41ba65d4ce2fe7b39e13638b70fa0b4551f71cf0a |
memory/3924-20-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3924-22-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/3924-23-0x0000000001150000-0x0000000001160000-memory.dmp
memory/4104-24-0x0000000075530000-0x0000000075AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3AE1.tmp
| MD5 | 40b11ef601fb28f9b2e69d36857bf2ec |
| SHA1 | b6454020ad2ceed193f4792b77001d0bd741b370 |
| SHA256 | c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1 |
| SHA512 | e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5 |
memory/3924-29-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/3924-30-0x0000000001150000-0x0000000001160000-memory.dmp
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-04-29 18:35 |
| Reported | 2024-04-29 18:37 |
| Platform | win7-20240221-en |
| Max time kernel | 134s |
| Max time network | 147s |
| Command Line | |
Signatures
NanoCore
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\085835acd102be8ae20f06e3bcd1c286_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKruiAd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9405.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | "{path}" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp" |
Network
| Country | Destination | Domain | Proto |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
| NL | 84.38.133.178:6498 | | tcp |
Files
memory/1728-0-0x0000000074060000-0x000000007460B000-memory.dmp
memory/1728-1-0x0000000074060000-0x000000007460B000-memory.dmp
memory/1728-2-0x0000000000530000-0x0000000000570000-memory.dmp
memory/1728-3-0x0000000074060000-0x000000007460B000-memory.dmp
memory/1728-4-0x0000000000530000-0x0000000000570000-memory.dmp
memory/1728-5-0x0000000000530000-0x0000000000570000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9405.tmp
| MD5 | 1706ee0130af070e2f7815db1b00258f |
| SHA1 | b7f990745bb1709a1e65ab9d8708f6f4a852c479 |
| SHA256 | b5c3bb13bb12b85878598d7a8fb258f4137029519122abb13a414318ab234c8b |
| SHA512 | bfb74beea8b215df9a872d795395d03535a84d790ffd4059c282923227dd4f9893f0578a295e77f1d022fc0a20c067100499a6d48e96dcbe60439d22a08ce684 |
memory/2888-9-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-19-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1728-24-0x0000000074060000-0x000000007460B000-memory.dmp
memory/2888-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-21-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2888-11-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp
| MD5 | 40b11ef601fb28f9b2e69d36857bf2ec |
| SHA1 | b6454020ad2ceed193f4792b77001d0bd741b370 |
| SHA256 | c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1 |
| SHA512 | e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5 |