Analysis Overview
SHA256
08ece3e8398eb5fa03b77aa3e34888dc57aca623449a3dd99bdeb921f7496bb6
Threat Level: Known bad
The file 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 12:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 12:49
Reported
2024-05-05 12:51
Platform
win7-20240221-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\syhost.exe
"C:\Users\Admin\AppData\Local\Temp\syhost.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
Files
memory/3048-0-0x0000000074CD1000-0x0000000074CD2000-memory.dmp
memory/3048-1-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/3048-2-0x0000000074CD0000-0x000000007527B000-memory.dmp
\Users\Admin\AppData\Local\Temp\syhost.exe
| MD5 | 2e5f1cf69f92392f8829fc9c9263ae9b |
| SHA1 | 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5 |
| SHA256 | 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b |
| SHA512 | f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883 |
memory/3056-8-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-22-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3056-13-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3056-24-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/3056-25-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/3056-26-0x0000000074CD0000-0x000000007527B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp
| MD5 | cbcdc0b2715b9af7f0112d4fbfff39a8 |
| SHA1 | d60c5de8b75de63dcbe673310cc59230944e65fa |
| SHA256 | 6b358cc2afb30aba70b4c174c3b52daa230ef6f0287948cb47c49d8310e18fe4 |
| SHA512 | 4d8089cde29084ea5a5c93ed00059e93ae4f2a2ce7d3cd6eea0e8bf86e9e72761b9b19d7b5e9c9659fbd5c44f102e4a6eefda45f90c1b473b5b630bddf95d30c |
C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp
| MD5 | 93d357e6194c8eb8d0616a9f592cc4bf |
| SHA1 | 5cc3a3d95d82cb88f65cb6dc6c188595fa272808 |
| SHA256 | a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713 |
| SHA512 | 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f |
memory/3048-34-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/3056-35-0x0000000074CD0000-0x000000007527B000-memory.dmp
memory/3056-36-0x0000000074CD0000-0x000000007527B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 12:49
Reported
2024-05-05 12:51
Platform
win10v2004-20240419-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\syhost.exe
"C:\Users\Admin\AppData\Local\Temp\syhost.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3DD4.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
| US | 8.8.8.8:53 | sealpage.servepics.com | udp |
Files
memory/2492-0-0x0000000075532000-0x0000000075533000-memory.dmp
memory/2492-1-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/2492-2-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1660-7-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\syhost.exe
| MD5 | 84c42d0f2c1ae761bef884638bc1eacd |
| SHA1 | 4353881e7f4e9c7610f4e0489183b55bb58bb574 |
| SHA256 | 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3 |
| SHA512 | 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87 |
memory/1660-10-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1660-11-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1660-12-0x0000000075530000-0x0000000075AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3DD4.tmp
| MD5 | cbcdc0b2715b9af7f0112d4fbfff39a8 |
| SHA1 | d60c5de8b75de63dcbe673310cc59230944e65fa |
| SHA256 | 6b358cc2afb30aba70b4c174c3b52daa230ef6f0287948cb47c49d8310e18fe4 |
| SHA512 | 4d8089cde29084ea5a5c93ed00059e93ae4f2a2ce7d3cd6eea0e8bf86e9e72761b9b19d7b5e9c9659fbd5c44f102e4a6eefda45f90c1b473b5b630bddf95d30c |
C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp
| MD5 | a246b3561d823177f3586e629f144233 |
| SHA1 | 0f05d12e55a1d2e5e6a4f307c193882fba093315 |
| SHA256 | 6abae7707b06e52b58f537b335e367cc54b093e899d78f16e94ceaf7ceafca52 |
| SHA512 | 4246aa9a96331e2c7e36b37fa778e31ecae055c77164e0dc673aa50cdec368f08d356ab06ef1a4540816c474828048ab1bebed7e211a4eb929f2918e1fac9c6d |
memory/1660-20-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/2492-22-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1660-23-0x0000000075530000-0x0000000075AE1000-memory.dmp
memory/1660-24-0x0000000075530000-0x0000000075AE1000-memory.dmp