Malware Analysis Report

2024-10-19 07:12

Sample ID 240505-p2e26sad6s
Target 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118
SHA256 08ece3e8398eb5fa03b77aa3e34888dc57aca623449a3dd99bdeb921f7496bb6
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

08ece3e8398eb5fa03b77aa3e34888dc57aca623449a3dd99bdeb921f7496bb6

Threat Level: Known bad

The file 17be2ac55cbe59518142b65a45f3c843_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 12:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 12:49

Reported

2024-05-05 12:51

Platform

win7-20240221-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3048 set thread context of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3048 wrote to memory of 3056 (9 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe
PID 3056 wrote to memory of 2768 (4 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 2972 (4 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe (PID 3048)

"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\syhost.exe (PID 3056; PID 3048 wrote to its memory and set its thread context)

"C:\Users\Admin\AppData\Local\Temp\syhost.exe"

C:\Windows\SysWOW64\schtasks.exe (one of PIDs 2768 and 2972, both written to by PID 3056)

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp"

C:\Windows\SysWOW64\schtasks.exe (the other of PIDs 2768 and 2972)

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sealpage.servepics.com udp

Files

memory/3048-0-0x0000000074CD1000-0x0000000074CD2000-memory.dmp

memory/3048-1-0x0000000074CD0000-0x000000007527B000-memory.dmp

memory/3048-2-0x0000000074CD0000-0x000000007527B000-memory.dmp

\Users\Admin\AppData\Local\Temp\syhost.exe

MD5 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512 f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

memory/3056-8-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-17-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-13-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-9-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3056-24-0x0000000074CD0000-0x000000007527B000-memory.dmp

memory/3056-25-0x0000000074CD0000-0x000000007527B000-memory.dmp

memory/3056-26-0x0000000074CD0000-0x000000007527B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp82E6.tmp

MD5 cbcdc0b2715b9af7f0112d4fbfff39a8
SHA1 d60c5de8b75de63dcbe673310cc59230944e65fa
SHA256 6b358cc2afb30aba70b4c174c3b52daa230ef6f0287948cb47c49d8310e18fe4
SHA512 4d8089cde29084ea5a5c93ed00059e93ae4f2a2ce7d3cd6eea0e8bf86e9e72761b9b19d7b5e9c9659fbd5c44f102e4a6eefda45f90c1b473b5b630bddf95d30c

C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/3048-34-0x0000000074CD0000-0x000000007527B000-memory.dmp

memory/3056-35-0x0000000074CD0000-0x000000007527B000-memory.dmp

memory/3056-36-0x0000000074CD0000-0x000000007527B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 12:49

Reported

2024-05-05 12:51

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2492 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A
File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2492 wrote to memory of 1660 (8 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\syhost.exe
PID 1660 wrote to memory of 3428 (3 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 5248 (3 events logged) | N/A | C:\Users\Admin\AppData\Local\Temp\syhost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe (PID 2492)

"C:\Users\Admin\AppData\Local\Temp\17be2ac55cbe59518142b65a45f3c843_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\syhost.exe (PID 1660; PID 2492 wrote to its memory and set its thread context)

"C:\Users\Admin\AppData\Local\Temp\syhost.exe"

C:\Windows\SysWOW64\schtasks.exe (one of PIDs 3428 and 5248, both written to by PID 1660)

"schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3DD4.tmp"

C:\Windows\SysWOW64\schtasks.exe (the other of PIDs 3428 and 5248)

"schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp"

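Both detonations persist the same way: the dropped syhost.exe writes a Run value under HKLM\...\CurrentVersion\Run pointing at a file it drops under Program Files (x86) (DDP Service\ddpsv.exe in behavioral1, WPA Monitor\wpamon.exe in behavioral2), then runs schtasks.exe twice with /create /xml on a .tmp file in the user's Temp directory. The dropped syhost.exe has a different hash in each run (see the Files sections), so the chain rather than the file hash is what to detect. The Python below is an added example by the editor, not part of the report or of the sandbox's own rules: it evaluates two rules over hand-written Sysmon-style events (field names as Sysmon emits them: Image, ParentImage, CommandLine, TargetObject, Details) modelled on behavioral2, attributes each schtasks hit to the parent that spawned it, and raises the verdict when both rules fire on the same PID. The benign control records are invented, and the pairing of PIDs 3428 and 5248 with the two schtasks command lines is arbitrary because the report does not say which ran which. The SetThreadContext and WriteProcessMemory rows (PID 2492 writing into 1660 and setting its thread context) are the injection half of the chain; Sysmon has no event for SetThreadContext, so that part is left to process-access telemetry and is not covered here.

```python
"""Two endpoint rules for the persistence chain both detonations show.

Added example by the editor, not part of the sandbox report or its own rules.
EVENTS is a hand-written list of Sysmon-style records (field names as Sysmon
emits them: Image, ParentImage, CommandLine, TargetObject, Details) modelled
on behavioral2; the benign control records are invented.
"""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)
XML_RE = re.compile(r'/xml\s+"([^"]+)"', re.IGNORECASE)


def normalise_reg_path(path: str) -> str:
    """Turn the kernel-style prefix the report prints into the usual hive name."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def schtasks_xml_from_temp(ev: dict):
    """schtasks.exe /create fed an XML definition from %TEMP% by a parent that also runs from %TEMP%."""
    if ev["EventType"] != "ProcessCreate" or not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["CommandLine"]
    xml = XML_RE.search(cmd)
    if "/create" not in cmd.lower() or xml is None:
        return None
    if not (TEMP_RE.search(xml.group(1)) and TEMP_RE.search(ev["ParentImage"])):
        return None
    name = TN_RE.search(cmd)
    return {"rule": "schtasks_xml_from_temp", "task": name.group(1) if name else None,
            "xml": xml.group(1), "owner": ev["ParentProcessId"]}


def run_key_from_temp(ev: dict):
    """A Run-key value written by a process that is itself executing out of %TEMP%."""
    if ev["EventType"] != "SetValue":
        return None
    key = normalise_reg_path(ev["TargetObject"])
    if not (RUN_KEY_RE.search(key) and TEMP_RE.search(ev["Image"])):
        return None
    return {"rule": "run_key_from_temp", "key": key, "value": ev["Details"], "owner": ev["ProcessId"]}


def correlate(events):
    """Attribute hits to the process that owns the persistence (the parent, for schtasks).

    One rule firing is a lead; two distinct rules on the same PID is the
    Run key plus scheduled task pairing the report shows, so it scores high.
    """
    by_pid = defaultdict(list)
    for ev in events:
        for rule in (schtasks_xml_from_temp, run_key_from_temp):
            hit = rule(ev)
            if hit:
                by_pid[hit["owner"]].append(hit)
    report = {}
    for pid, hits in by_pid.items():
        rules = sorted({h["rule"] for h in hits})
        report[pid] = {"rules": rules, "hits": hits,
                       "verdict": "high" if len(rules) > 1 else "medium"}
    return report


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    # modelled on behavioral2: syhost.exe (PID 1660) sets the Run value, then spawns schtasks twice;
    # the report does not say which of PIDs 3428/5248 ran which command, so this pairing is arbitrary
    {"EventType": "SetValue", "ProcessId": 1660, "Image": TEMP + r"\syhost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor",
     "Details": r"C:\Program Files (x86)\WPA Monitor\wpamon.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 3428, "ParentProcessId": 1660,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": TEMP + r"\syhost.exe",
     "CommandLine": '"schtasks.exe" /create /f /tn "WPA Monitor" /xml "' + TEMP + r'\tmp3DD4.tmp"'},
    {"EventType": "ProcessCreate", "ProcessId": 5248, "ParentProcessId": 1660,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": TEMP + r"\syhost.exe",
     "CommandLine": '"schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "' + TEMP + r'\tmp3E33.tmp"'},
    # invented benign controls: an admin importing a task from a share, an installer registering an updater
    {"EventType": "ProcessCreate", "ProcessId": 4100, "ParentProcessId": 999,
     "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /xml "\\fileserver\ops\backup.xml"'},
    {"EventType": "SetValue", "ProcessId": 5000, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for pid, finding in correlate(EVENTS).items():
        print(pid, finding["verdict"], finding["rules"])
```

Both rules key on the same weak spot: persistence being installed by something that executes out of the user's Temp directory. Either rule alone is noisy enough to review by hand (portable installers and admin scripts trip them), which is why the verdict only goes to high when the same PID trips both.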
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
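The behavioral2 Network table mixes three kinds of row: reverse (in-addr.arpa) lookups of addresses the machine talked to, Bing traffic from the stock Windows 10 image, and 19 lookups of sealpage.servepics.com with no TCP connection to that name anywhere in the table. The Python below is an added example by the editor, not part of the report: it parses an excerpt of the table in the report's own column order, turns the reverse-lookup names back into IP addresses, and separates a domain that is queried repeatedly but never connected to from image noise. Treating the two bing hosts as noise and servepics.com as a No-IP dynamic DNS zone are the editor's assumptions, not statements the report makes.

```python
"""Triage a detonation's Network table: reverse-lookup noise, stock-image
traffic, and the domain the sample kept asking for.

Added example by the editor, not part of the sandbox report. NETWORK_EXCERPT
is an excerpt of the behavioral2 Network table in the report's own column
order; the noise list and the dynamic-DNS classification are assumptions.
"""
import re
from collections import Counter

# Hosts the stock Windows 10 sandbox image contacts on its own (assumption).
IMAGE_NOISE = {"g.bing.com", "tse1.mm.bing.net"}
# Free dynamic-DNS zones; servepics.com is a No-IP hostname zone (assumption).
DYNAMIC_DNS_ZONES = ("servepics.com",)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")

NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 sealpage.servepics.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 sealpage.servepics.com udp
"""


def ptr_to_ip(name: str):
    """'217.106.137.52.in-addr.arpa' is the reverse record for 52.137.106.217."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(table: str):
    """Split the report's space-separated rows; the first line is the header."""
    rows = []
    for line in table.strip().splitlines()[1:]:
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Bucket each row, then flag domains queried repeatedly but never connected to."""
    lookups, connections, noise, reverse = Counter(), Counter(), Counter(), {}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:                                   # OS reverse lookup of a peer address
            reverse[r["domain"]] = ip
        elif r["domain"] in IMAGE_NOISE:         # both the DNS query and the TCP session
            noise[r["domain"]] += 1
        elif r["proto"] == "udp" and r["port"] == 53:
            lookups[r["domain"]] += 1
        elif r["proto"] == "tcp":
            connections[(r["domain"], r["ip"], r["port"])] += 1
    connected = {domain for domain, _, _ in connections}
    # A name resolved over and over with no session behind it is the C2 the
    # sample kept retrying: it did not resolve, or the sandbox withheld the answer.
    retried = {d: n for d, n in lookups.items() if d not in connected}
    dyndns = sorted(d for d in lookups if d.endswith(DYNAMIC_DNS_ZONES))
    return {"lookups": dict(lookups), "connections": dict(connections),
            "noise": dict(noise), "reverse": reverse,
            "retried_without_connection": retried, "dynamic_dns": dyndns}


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_EXCERPT)).items():
        print(f"{key}: {value}")
```

Run against the full table the "retried_without_connection" bucket holds sealpage.servepics.com alone, which is the one name from this report worth a DNS block or sinkhole; the in-addr.arpa names are not indicators, they are the machine asking who it just spoke to, and the addresses they decode to belong to the Bing sessions listed beside them.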

Files

memory/2492-0-0x0000000075532000-0x0000000075533000-memory.dmp

memory/2492-1-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/2492-2-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1660-7-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\syhost.exe

MD5 84c42d0f2c1ae761bef884638bc1eacd
SHA1 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

memory/1660-10-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1660-11-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1660-12-0x0000000075530000-0x0000000075AE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3DD4.tmp

MD5 cbcdc0b2715b9af7f0112d4fbfff39a8
SHA1 d60c5de8b75de63dcbe673310cc59230944e65fa
SHA256 6b358cc2afb30aba70b4c174c3b52daa230ef6f0287948cb47c49d8310e18fe4
SHA512 4d8089cde29084ea5a5c93ed00059e93ae4f2a2ce7d3cd6eea0e8bf86e9e72761b9b19d7b5e9c9659fbd5c44f102e4a6eefda45f90c1b473b5b630bddf95d30c

C:\Users\Admin\AppData\Local\Temp\tmp3E33.tmp

MD5 a246b3561d823177f3586e629f144233
SHA1 0f05d12e55a1d2e5e6a4f307c193882fba093315
SHA256 6abae7707b06e52b58f537b335e367cc54b093e899d78f16e94ceaf7ceafca52
SHA512 4246aa9a96331e2c7e36b37fa778e31ecae055c77164e0dc673aa50cdec368f08d356ab06ef1a4540816c474828048ab1bebed7e211a4eb929f2918e1fac9c6d

memory/1660-20-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/2492-22-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1660-23-0x0000000075530000-0x0000000075AE1000-memory.dmp

memory/1660-24-0x0000000075530000-0x0000000075AE1000-memory.dmp