Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 12:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
- Size: 941KB
- MD5: 17be2ac55cbe59518142b65a45f3c843
- SHA1: 1b300ed88094e236d4da80d3ca9392adb151a99c
- SHA256: 08ece3e8398eb5fa03b77aa3e34888dc57aca623449a3dd99bdeb921f7496bb6
- SHA512: 2069bf5d7e3b381dee9204ae316b9b105930bd515a1b18a226ac06f3829318cb36dad42a9d7b4e79ba31693a9111d3f0310ad4fac71c2233193a6ac44412f296
- SSDEEP: 3072:Eyvghdg5tcvQ8KmtyfuK4MG7sXgcDU1M93RTiWp2+pt0ajjI0hOTM6yr2rFP0oBd:/LkvxjyH4PQ93A+c6jIvM6uSFP6
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sealpage.servepics.com:8443
- Mutex: 8b193074-55e7-422d-8e72-a7a8c491e038
Attributes
- activate_away_mode: true
- backup_connection_host: sealpage.servepics.com
- backup_dns_server
- buffer_size: 65535
- build_time: 2018-07-22T17:24:02.091657736Z
- bypass_user_account_control: false
- bypass_user_account_control_data
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8443
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 8b193074-55e7-422d-8e72-a7a8c491e038
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host
- primary_dns_server
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1660 | syhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | syhost.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | syhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\assembly\Desktop.ini | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2492 set thread context of 1660 | 2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | syhost.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | syhost.exe
    File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | syhost.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\assembly | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    File created | C:\Windows\assembly\Desktop.ini | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    File opened for modification | C:\Windows\assembly\Desktop.ini | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    3428 | schtasks.exe
    5248 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    Token: 33 | 2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    Token: SeIncBasePriorityPrivilege | 2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
    Token: SeDebugPrivilege | 1660 | syhost.exe
    Token: SeDebugPrivilege | 1660 | syhost.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
    PID 2492 wrote to memory of 1660 | 2492 | 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | syhost.exe (8 entries)
    PID 1660 wrote to memory of 3428 | 1660 | syhost.exe | schtasks.exe (3 entries)
    PID 1660 wrote to memory of 5248 | 1660 | syhost.exe | schtasks.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"
  PID: 2492
  Signatures:
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\syhost.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\syhost.exe"
    PID: 1660
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3DD4.tmp"
      PID: 3428
      Signatures:
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp"
      PID: 5248
      Signatures:
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- Filesize: 1KB
  MD5: cbcdc0b2715b9af7f0112d4fbfff39a8
  SHA1: d60c5de8b75de63dcbe673310cc59230944e65fa
  SHA256: 6b358cc2afb30aba70b4c174c3b52daa230ef6f0287948cb47c49d8310e18fe4
  SHA512: 4d8089cde29084ea5a5c93ed00059e93ae4f2a2ce7d3cd6eea0e8bf86e9e72761b9b19d7b5e9c9659fbd5c44f102e4a6eefda45f90c1b473b5b630bddf95d30c
- Filesize: 1KB
  MD5: a246b3561d823177f3586e629f144233
  SHA1: 0f05d12e55a1d2e5e6a4f307c193882fba093315
  SHA256: 6abae7707b06e52b58f537b335e367cc54b093e899d78f16e94ceaf7ceafca52
  SHA512: 4246aa9a96331e2c7e36b37fa778e31ecae055c77164e0dc673aa50cdec368f08d356ab06ef1a4540816c474828048ab1bebed7e211a4eb929f2918e1fac9c6d