Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
06-05-2024 05:01
Static task
static1
Behavioral task
behavioral1
Sample
1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
1ae326db57b33cc93e2b1b99b9e552ab
-
SHA1
658f48da751b7e1f6e23b7b70ceee2b6a2f3c1aa
-
SHA256
676fe2646ff710578e7597e7876a7bac3f9189b044bd74c09d01a5cc8643d4e3
-
SHA512
a4c4db0a1d31e307f138415f6c946e21909ea23c11ee1db60d128ee1d49df8340f9d9c0b40650a3a8bf92c7423e7c694ebe4da5526d4d86d1c72bc9eb36c511f
-
SSDEEP
24576:Iu6Jx3O0c+JY5UZ+XC0kGso/WaLkHBucQhUSSdUa71WY:iI0c++OCvkGsUWaJSdsY
Malware Config
Extracted
nanocore
1.2.2.0
mybackups.duckdns.org:4782
127.0.0.1:4782
846b578f-46a7-4eba-8502-1b7afab3c003
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-08-16T13:52:47.988123336Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4782
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
846b578f-46a7-4eba-8502-1b7afab3c003
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mybackups.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
680 Regsm001.exe
940 Regsm001.exe
-
Checks whether UAC is enabled
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule
C:\Users\Admin\windows\Regsm001.exe autoit_exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 2812 set thread context of 3064 2812 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe RegAsm.exe
PID 680 set thread context of 1920 680 Regsm001.exe RegAsm.exe
PID 940 set thread context of 2676 940 Regsm001.exe RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
1772 schtasks.exe
2216 schtasks.exe
2640 schtasks.exe
1660 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid process
3064 RegAsm.exe
3064 RegAsm.exe
3064 RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
3064 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3064 RegAsm.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description pid process target process (identical rows collapsed; count of entries in parentheses, 51 in total)
PID 2812 wrote to memory of 2216 2812 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe schtasks.exe (4 entries)
PID 2812 wrote to memory of 3064 2812 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe RegAsm.exe (9 entries)
PID 3064 wrote to memory of 2640 3064 RegAsm.exe schtasks.exe (4 entries)
PID 2780 wrote to memory of 680 2780 taskeng.exe Regsm001.exe (4 entries)
PID 680 wrote to memory of 1660 680 Regsm001.exe schtasks.exe (4 entries)
PID 680 wrote to memory of 1920 680 Regsm001.exe RegAsm.exe (9 entries)
PID 2780 wrote to memory of 940 2780 taskeng.exe Regsm001.exe (4 entries)
PID 940 wrote to memory of 1772 940 Regsm001.exe schtasks.exe (4 entries)
PID 940 wrote to memory of 2676 940 Regsm001.exe RegAsm.exe (9 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe"
  Level: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2812
  -
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
    Level: 2
    - Creates scheduled task(s)
    PID: 2216
  -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Level: 2
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3064
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE060.tmp"
      Level: 3
      - Creates scheduled task(s)
      PID: 2640
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3A847D2B-00B1-4C64-B155-35031B1BD3B7} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  Level: 1
  - Suspicious use of WriteProcessMemory
  PID: 2780
  -
  C:\Users\Admin\windows\Regsm001.exe
    Command line: C:\Users\Admin\windows\Regsm001.exe
    Level: 2
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 680
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
      Level: 3
      - Creates scheduled task(s)
      PID: 1660
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      Level: 3
      PID: 1920
  -
  C:\Users\Admin\windows\Regsm001.exe
    Command line: C:\Users\Admin\windows\Regsm001.exe
    Level: 2
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 940
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
      Level: 3
      - Creates scheduled task(s)
      PID: 1772
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      Level: 3
      PID: 2676
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
-
Filesize 1.3MB
MD5 1ae326db57b33cc93e2b1b99b9e552ab
SHA1 658f48da751b7e1f6e23b7b70ceee2b6a2f3c1aa
SHA256 676fe2646ff710578e7597e7876a7bac3f9189b044bd74c09d01a5cc8643d4e3
SHA512 a4c4db0a1d31e307f138415f6c946e21909ea23c11ee1db60d128ee1d49df8340f9d9c0b40650a3a8bf92c7423e7c694ebe4da5526d4d86d1c72bc9eb36c511f