Analysis
-
max time kernel
145s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted
06-05-2024 05:01
Static task
static1
Behavioral task
behavioral1
Sample
1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
1ae326db57b33cc93e2b1b99b9e552ab
-
SHA1
658f48da751b7e1f6e23b7b70ceee2b6a2f3c1aa
-
SHA256
676fe2646ff710578e7597e7876a7bac3f9189b044bd74c09d01a5cc8643d4e3
-
SHA512
a4c4db0a1d31e307f138415f6c946e21909ea23c11ee1db60d128ee1d49df8340f9d9c0b40650a3a8bf92c7423e7c694ebe4da5526d4d86d1c72bc9eb36c511f
-
SSDEEP
24576:Iu6Jx3O0c+JY5UZ+XC0kGso/WaLkHBucQhUSSdUa71WY:iI0c++OCvkGsUWaJSdsY
Malware Config
Extracted
nanocore
1.2.2.0
mybackups.duckdns.org:4782
127.0.0.1:4782
846b578f-46a7-4eba-8502-1b7afab3c003
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-08-16T13:52:47.988123336Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4782
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
846b578f-46a7-4eba-8502-1b7afab3c003
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
mybackups.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
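The bypass_user_account_control_data value above is a base64-encoded Windows Task Scheduler XML definition, and it is worth decoding even though bypass_user_account_control is false in this build, because it shows what the RAT would register if the flag were on: a task with RunLevel HighestAvailable, no triggers, and an Exec action whose Command is the placeholder "#EXECUTABLEPATH". The decoder below is an added example and is not part of the sandbox report; the only input it uses is the blob copied verbatim from the configuration above. The XML declaration in the blob claims UTF-16 while the stored bytes are plain ASCII, so the helper strips the declaration before parsing (expat rejects a declared encoding that does not match the bytes it is given).

```python
"""Decode a NanoCore bypass_user_account_control_data blob (added example).

The blob is the one extracted in this report. The functions return the
decoded task XML and a small summary of the fields a responder compares
against the tasks actually registered on the host.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Copied verbatim from the extracted configuration in this report.
BYPASS_UAC_DATA = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

# Namespace used by Task Scheduler XML (declared in the blob itself).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def decode_task_xml(blob: str) -> str:
    """Base64-decode the blob and return the task XML as text, minus the
    XML declaration. The declaration says UTF-16 but the bytes are ASCII;
    a BOM check keeps the helper usable if another build stores real UTF-16."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
    raw = base64.b64decode(padded)
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", text)


def summarize_task(xml_text: str) -> dict:
    """Pull out the principal, settings and action fields that matter when
    deciding whether a registered task matches this template."""
    root = ET.fromstring(xml_text)

    def text_of(path):
        node = root.find(path, TASK_NS)
        return None if node is None else node.text

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "run_level": text_of(".//t:Principal/t:RunLevel"),
        "logon_type": text_of(".//t:Principal/t:LogonType"),
        "hidden": text_of(".//t:Settings/t:Hidden"),
        "trigger_count": 0 if triggers is None else len(triggers),
        "command": text_of(".//t:Actions/t:Exec/t:Command"),
        "arguments": text_of(".//t:Actions/t:Exec/t:Arguments"),
    }


if __name__ == "__main__":
    summary = summarize_task(decode_task_xml(BYPASS_UAC_DATA))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The decoded template has zero triggers and a Command of "#EXECUTABLEPATH" with $(Arg0) as its argument, so it is a run-on-demand task meant to launch whatever path replaces the placeholder with the highest available token; the DHCP Host task registered from tmp9A4C.tmp in the process tree is the natural place to compare against this template on a live host.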
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | Regsm001.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | Regsm001.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1260 | Regsm001.exe
2424 | Regsm001.exe
-
Checks whether UAC is enabled 1 IoCs
Queries the EnableLUA policy value, which controls whether User Account Control is active.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\windows\Regsm001.exe | autoit_exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4092 set thread context of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 1260 set thread context of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 2424 set thread context of 3880 | 2424 | Regsm001.exe | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
916 | schtasks.exe
4176 | schtasks.exe
2576 | schtasks.exe
3776 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2612 | RegAsm.exe
2612 | RegAsm.exe
2612 | RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2612 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2612 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 4092 wrote to memory of 916 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | schtasks.exe
PID 4092 wrote to memory of 916 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | schtasks.exe
PID 4092 wrote to memory of 916 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | schtasks.exe
PID 4092 wrote to memory of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 4092 wrote to memory of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 4092 wrote to memory of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 4092 wrote to memory of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 4092 wrote to memory of 2612 | 4092 | 1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe | RegAsm.exe
PID 2612 wrote to memory of 4176 | 2612 | RegAsm.exe | schtasks.exe
PID 2612 wrote to memory of 4176 | 2612 | RegAsm.exe | schtasks.exe
PID 2612 wrote to memory of 4176 | 2612 | RegAsm.exe | schtasks.exe
PID 1260 wrote to memory of 2576 | 1260 | Regsm001.exe | schtasks.exe
PID 1260 wrote to memory of 2576 | 1260 | Regsm001.exe | schtasks.exe
PID 1260 wrote to memory of 2576 | 1260 | Regsm001.exe | schtasks.exe
PID 1260 wrote to memory of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 1260 wrote to memory of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 1260 wrote to memory of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 1260 wrote to memory of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 1260 wrote to memory of 2788 | 1260 | Regsm001.exe | RegAsm.exe
PID 2424 wrote to memory of 3776 | 2424 | Regsm001.exe | schtasks.exe
PID 2424 wrote to memory of 3776 | 2424 | Regsm001.exe | schtasks.exe
PID 2424 wrote to memory of 3776 | 2424 | Regsm001.exe | schtasks.exe
PID 2424 wrote to memory of 3880 | 2424 | Regsm001.exe | RegAsm.exe
PID 2424 wrote to memory of 3880 | 2424 | Regsm001.exe | RegAsm.exe
PID 2424 wrote to memory of 3880 | 2424 | Regsm001.exe | RegAsm.exe
PID 2424 wrote to memory of 3880 | 2424 | Regsm001.exe | RegAsm.exe
PID 2424 wrote to memory of 3880 | 2424 | Regsm001.exe | RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4092
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID:916
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2612
        C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A4C.tmp"
          - Creates scheduled task(s)
          PID:4176
-
C:\Users\Admin\windows\Regsm001.exe
  command line: C:\Users\Admin\windows\Regsm001.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1260
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID:2576
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID:2788
-
C:\Users\Admin\windows\Regsm001.exe
  command line: C:\Users\Admin\windows\Regsm001.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2424
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn Regsm001 /tr "C:\Users\Admin\windows\Regsm001.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID:3776
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID:3880
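The process tree above shows two behaviours worth turning into detection logic: schtasks.exe registering a task that re-launches a binary from the user profile every minute (and, from inside the hollowed RegAsm.exe, a second task named "DHCP Host" loaded from an XML file in Temp), and the .NET utility RegAsm.exe being started with no arguments by the dropper and then written to with WriteProcessMemory and SetThreadContext, the usual hollowing pattern. The rules below are an added example and not part of the sandbox report. The event list is constructed from the command lines and PIDs shown in this report; the parent images of the two top-level processes (explorer.exe for the sample, svchost.exe for the scheduled Regsm001.exe) are assumptions, as the report does not show who launched them, and the allow-list of legitimate RegAsm.exe parents is a hypothetical starting point to tune per environment.

```python
"""Triage rules for schtasks persistence and RegAsm.exe hollowing (added example).

Events are constructed from the process tree in this report; parent images
of the top-level processes and the RegAsm parent allow-list are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


# Constructed from the report's process tree. ppid/parent of the two
# top-level processes are assumed (the report does not show the launcher).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ae326db57b33cc93e2b1b99b9e552ab_JaffaCakes118.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPED = r"C:\Users\Admin\windows\Regsm001.exe"

EVENTS = [
    ProcEvent(4092, 0, "explorer.exe", SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(916, 4092, SAMPLE, SCHTASKS,
              f'"{SCHTASKS}" /create /tn Regsm001 /tr "{DROPPED}" /sc minute /mo 1 /F'),
    ProcEvent(2612, 4092, SAMPLE, REGASM, f'"{REGASM}"'),
    ProcEvent(4176, 2612, REGASM, SCHTASKS,
              r'"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A4C.tmp"'),
    ProcEvent(1260, 0, "svchost.exe", DROPPED, DROPPED),
    ProcEvent(2576, 1260, DROPPED, SCHTASKS,
              f'"{SCHTASKS}" /create /tn Regsm001 /tr "{DROPPED}" /sc minute /mo 1 /F'),
    ProcEvent(2788, 1260, DROPPED, REGASM, f'"{REGASM}"'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
USER_PROFILE = re.compile(r"^c:\\users\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Hypothetical allow-list of parents that legitimately invoke RegAsm.exe.
REGASM_PARENTS_OK = {"msbuild.exe", "devenv.exe", "msiexec.exe", "installutil.exe"}


def tokens(cmd: str) -> list:
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmd)]


def schtasks_findings(ev: ProcEvent) -> list:
    """Flag /create calls that point at the user profile, repeat every few
    minutes, or import a task definition from Temp."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return []
    toks = tokens(ev.command_line)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return []

    def arg(flag):
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else None

    name, tr, sc, mo, xml = arg("/tn"), arg("/tr"), arg("/sc"), arg("/mo"), arg("/xml")
    out = []
    if tr and USER_PROFILE.search(tr):
        out.append(f"task {name!r} runs a binary from the user profile: {tr}")
    if sc and sc.lower() == "minute" and (mo is None or (mo.isdigit() and int(mo) <= 5)):
        out.append(f"task {name!r} re-runs every {mo or '1'} minute(s)")
    if xml and TEMP_DIR.search(xml):
        out.append(f"task {name!r} imported from XML in Temp: {xml}")
    return out


def regasm_findings(ev: ProcEvent) -> list:
    """RegAsm.exe with no arguments, spawned by something other than a
    build tool, is a hollowing host rather than a registration run."""
    if not ev.image.lower().endswith("\\regasm.exe"):
        return []
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if len(tokens(ev.command_line)) == 1 and parent not in REGASM_PARENTS_OK:
        return [f"RegAsm.exe pid {ev.pid} started with no arguments by {parent} "
                f"(pid {ev.ppid}): likely hollowing target"]
    return []


def triage(events) -> dict:
    """Return {pid: [findings]} for every event that trips a rule."""
    result = {}
    for ev in events:
        found = schtasks_findings(ev) + regasm_findings(ev)
        if found:
            result[ev.pid] = found
    return result


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        for f in findings:
            print(f"[{pid}] {f}")
```

Run against the constructed events, the rules flag both schtasks.exe instances that register Regsm001 (user-profile target plus a one-minute repeat), the "DHCP Host" registration from tmp9A4C.tmp, and both argument-less RegAsm.exe launches, while the dropper and the dropped copy themselves produce no finding, which is the point: the behaviour is in the children.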
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
496B
MD5 5b4789d01bb4d7483b71e1a35bce6a8b
SHA1 de083f2131c9a763c0d1810c97a38732146cffbf
SHA256 e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
-
Filesize
1KB
MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
-
Filesize
1.3MB
MD5 1ae326db57b33cc93e2b1b99b9e552ab
SHA1 658f48da751b7e1f6e23b7b70ceee2b6a2f3c1aa
SHA256 676fe2646ff710578e7597e7876a7bac3f9189b044bd74c09d01a5cc8643d4e3
SHA512 a4c4db0a1d31e307f138415f6c946e21909ea23c11ee1db60d128ee1d49df8340f9d9c0b40650a3a8bf92c7423e7c694ebe4da5526d4d86d1c72bc9eb36c511f