Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 12:57

Behavioral task
behavioral1
Sample: 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe
Size: 1.0MB
MD5: 09d030d1ec585852dae7b81ebfaafbfe
SHA1: cdee03ffc775b2ace111739dfff16e9df3562357
SHA256: ec85dbd5d89df8501bfca3c706ce39ad1b354963cb847c93b088578cb7cea293
SHA512: 9bc8b6274fabdfc87e7ae1f1c97cb9c00397fb77ddaed24dd252e82c35a6920ba928eb39336ad8df1944dd5aab1f78c55903bbd3610f370cf9b1962e19d5a616
SSDEEP: 12288:hYV6MorX7qzuC3QHO9FQVHPF51jgc0v4MUjbCA1ka4qBKZwvZ7y99s/rf5zMq:2BXu9HGaVH4C3CHqBKZUZ2ef5z9
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: grene231.ddns.net:9017
Mutex: c584df9a-da0c-4bd8-a288-fb65c66b7636

activate_away_mode: true
backup_connection_host: (empty)
backup_dns_server: 127.0.0.1
buffer_size: 65535
build_time: 2019-02-13T10:19:07.754095336Z
bypass_user_account_control: false
bypass_user_account_control_data (base64-encoded Task Scheduler XML template):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9017
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (1.048576e+07)
mutex: c584df9a-da0c-4bd8-a288-fb65c66b7636
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: grene231.ddns.net
primary_dns_server: grene231.ddns.net
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GenValObj.url | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe

UPX packed file (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1648-0-0x0000000000010000-0x0000000000251000-memory.dmp | upx
behavioral2/memory/1648-20-0x0000000000010000-0x0000000000251000-memory.dmp | upx
behavioral2/memory/1648-21-0x0000000000010000-0x0000000000251000-memory.dmp | upx
behavioral2/memory/1648-29-0x0000000000010000-0x0000000000251000-memory.dmp | upx
behavioral2/memory/1648-35-0x0000000000010000-0x0000000000251000-memory.dmp | upx

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/1648-20-0x0000000000010000-0x0000000000251000-memory.dmp | autoit_exe
behavioral2/memory/1648-21-0x0000000000010000-0x0000000000251000-memory.dmp | autoit_exe
behavioral2/memory/1648-29-0x0000000000010000-0x0000000000251000-memory.dmp | autoit_exe
behavioral2/memory/1648-35-0x0000000000010000-0x0000000000251000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1648 set thread context of 2684 | 1648 | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe | RegSvcs.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
1648 | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
2684 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2684 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
pid | process
1648 | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid | process
1648 | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe (3 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1648 wrote to memory of 2684 | 1648 | 09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe | RegSvcs.exe (5 identical entries)
PID 2684 wrote to memory of 3672 | 2684 | RegSvcs.exe | schtasks.exe (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\09d030d1ec585852dae7b81ebfaafbfe_JaffaCakes118.exe"
   PID: 1648
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (child of PID 1648)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      PID: 2684
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (child of PID 2684)
         Command line: "schtasks.exe" /create /f /tn "WPA Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp395F.tmp"
         PID: 3672
         - Creates scheduled task(s)
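The extracted config carries a base64 blob in bypass_user_account_control_data, and the process tree ends with RegSvcs.exe (the process the AutoIt loader wrote into via SetThreadContext/WriteProcessMemory) registering a task from a temp-file XML. The Python below is an added triage example, not sandbox output and not NanoCore's own code: it decodes the blob copied verbatim from this report, parses the Task Scheduler XML it contains, explains why a RunLevel=HighestAvailable task with a placeholder command is a UAC-bypass primitive, and checks the schtasks command line of PID 3672 for an /xml import from a user-writable temp directory. The function names, TRIAGE_FIELDS selection and risk-flag wording are mine; the base64 string and the command line are the report's.

```python
"""Triage helpers for the NanoCore artefacts in this report.  Added example,
not part of the sandbox output: the base64 blob and the schtasks command line
are copied verbatim from the report; function names are the editor's own."""
import base64
import re
import xml.etree.ElementTree as ET

# bypass_user_account_control_data, copied from the Malware Config section.
UAC_TASK_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+"
    "DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0K"
    "ICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+"
    "DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+"
    "DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+"
    "DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+"
    "DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+"
    "DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0K"
    "ICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0K"
    "ICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"
)

# Command line of PID 3672, copied from the Processes section.
SCHTASKS_CMDLINE = (
    r'"schtasks.exe" /create /f /tn "WPA Manager" '
    r'/xml "C:\Users\Admin\AppData\Local\Temp\tmp395F.tmp"'
)

# Task XML elements worth surfacing during triage (editor's selection).
TRIAGE_FIELDS = ("LogonType", "RunLevel", "Hidden", "Enabled", "Command", "Arguments")


def decode_task_template(b64: str) -> str:
    """Base64-decode the config blob into text.  Pad defensively (config
    dumpers sometimes drop '='), honour a UTF-16 BOM if one is present and
    otherwise treat the bytes as UTF-8, which is what this sample contains."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8")


def parse_task(xml_text: str) -> dict:
    """Extract TRIAGE_FIELDS from Task Scheduler XML.  The template declares
    encoding="UTF-16" although its bytes are not, so the declaration is
    dropped before parsing; element names are compared without the
    schemas.microsoft.com default namespace."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)
    fields = {}
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in TRIAGE_FIELDS:
            fields[local] = (el.text or "").strip()
    return fields


def task_risk_flags(fields: dict) -> list:
    """Explain why the template is a UAC-bypass primitive: a task with
    RunLevel HighestAvailable started on demand by an Administrators member
    runs with the full admin token and no consent prompt, and the command
    and argument are filled in when the task is installed and invoked."""
    flags = []
    if fields.get("RunLevel") == "HighestAvailable":
        flags.append("RunLevel=HighestAvailable: runs with the caller's full admin token, no UAC prompt")
    if fields.get("Command", "").strip('"') == "#EXECUTABLEPATH":
        flags.append("Command is the #EXECUTABLEPATH placeholder: real path substituted at install time")
    if "$(Arg0)" in fields.get("Arguments", ""):
        flags.append("Arguments=$(Arg0): argument supplied at run time, so any binary can be launched elevated")
    return flags


def inspect_schtasks_cmdline(cmdline: str) -> dict:
    """Pull task name and XML path out of a schtasks /create command line and
    flag task definitions imported from a user-writable temp directory."""
    name = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    xml_path = re.search(r'/xml\s+"([^"]+)"', cmdline, re.I)
    path = xml_path.group(1) if xml_path else ""
    from_temp = bool(re.search(r"\\appdata\\local\\temp\\|\\windows\\temp\\", path, re.I))
    return {
        "create": bool(re.search(r"/create\b", cmdline, re.I)),
        "task_name": name.group(1) if name else "",
        "xml_path": path,
        "xml_from_temp": from_temp,
    }


if __name__ == "__main__":
    fields = parse_task(decode_task_template(UAC_TASK_B64))
    for key in TRIAGE_FIELDS:
        print(f"{key:10} {fields.get(key, '')}")
    for flag in task_risk_flags(fields):
        print("!", flag)
    print(inspect_schtasks_cmdline(SCHTASKS_CMDLINE))
```

Two caveats follow from the report itself. bypass_user_account_control is false in this config, so the template is carried but the bypass path is disabled for this build; request_elevation is true, which is a plain elevation request rather than a bypass. The task actually registered at runtime ("WPA Manager") was defined in tmp395F.tmp, which the report does not reproduce; on an infected host the same parse_task works on the output of schtasks /Query /TN "WPA Manager" /XML, which prints the stored definition with the same kind of UTF-16 declaration.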
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 40b11ef601fb28f9b2e69d36857bf2ec
SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5