Malware Analysis Report

2024-10-19 07:12

Sample ID: 240430-tkneface82
Target: 0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118
SHA256: 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a

Threat Level: Known bad

The file 0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 16:07

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 16:07

Reported

2024-04-30 16:09

Platform

win7-20240220-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 2872 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 2872 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 2872 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 2872 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 2872 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 2872 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 2872 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 2976 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

"C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1507.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp"

Network

Country Destination Domain Proto
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp

Files

\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

MD5 88b430e9224557e9eeab96a9096a0e3b
SHA1 cb7a4f3efbfe68009c6b1677ed50991e134161e8
SHA256 c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c
SHA512 e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

\Users\Admin\AppData\Local\Temp\SERVICES.EXE

MD5 fbf4540d5b491f75fe1c22ac4815fa83
SHA1 83275825f4b8c75bb0b7395baf910a64d2dffe61
SHA256 e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6
SHA512 1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

memory/2920-17-0x0000000000DB0000-0x0000000000DD8000-memory.dmp

memory/2920-18-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2976-19-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2976-20-0x0000000073450000-0x00000000739FB000-memory.dmp

memory/2976-21-0x0000000073450000-0x00000000739FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1507.tmp

MD5 ceee50b15e8af3709e3b6797b4fe0dff
SHA1 94686fe6430122551a42b8c9871845c0990161f3
SHA256 9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0
SHA512 372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

memory/2920-29-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2976-30-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2976-31-0x0000000073450000-0x00000000739FB000-memory.dmp

memory/2976-32-0x0000000073450000-0x00000000739FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 16:07

Reported

2024-04-30 16:09

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 1580 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 1580 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
PID 1580 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 1580 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 1580 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
PID 3212 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

"C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"

C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp345E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp352A.tmp"

Network

Country Destination Domain Proto
US 128.226.252.143:54984 tcp
US 8.8.8.8:53 g.bing.com udp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
US 128.226.252.143:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 128.226.252.143:54984 tcp

Files

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

MD5 88b430e9224557e9eeab96a9096a0e3b
SHA1 cb7a4f3efbfe68009c6b1677ed50991e134161e8
SHA256 c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c
SHA512 e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

MD5 fbf4540d5b491f75fe1c22ac4815fa83
SHA1 83275825f4b8c75bb0b7395baf910a64d2dffe61
SHA256 e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6
SHA512 1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

memory/3096-19-0x0000000000410000-0x0000000000438000-memory.dmp

memory/3096-20-0x0000000004D80000-0x0000000004E1C000-memory.dmp

memory/3096-21-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3096-22-0x00000000053D0000-0x0000000005974000-memory.dmp

memory/3096-23-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/3212-24-0x0000000073810000-0x0000000073DC1000-memory.dmp

memory/3096-25-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/3096-29-0x0000000004FB0000-0x0000000005006000-memory.dmp

memory/3096-28-0x0000000004D00000-0x0000000004D0A000-memory.dmp

memory/3212-31-0x0000000073810000-0x0000000073DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp345E.tmp

MD5 ceee50b15e8af3709e3b6797b4fe0dff
SHA1 94686fe6430122551a42b8c9871845c0990161f3
SHA256 9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0
SHA512 372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

C:\Users\Admin\AppData\Local\Temp\tmp352A.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/3096-36-0x0000000073EA0000-0x0000000074650000-memory.dmp

memory/3212-37-0x0000000073810000-0x0000000073DC1000-memory.dmp

memory/3096-38-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/3212-39-0x0000000073810000-0x0000000073DC1000-memory.dmp