Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 18:05
Static task: static1
Behavioral task: behavioral1
Sample: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Size: 414KB
MD5: 1dbab2dfd53fa6481e4f349d74ca6798
SHA1: 96301fd3a1d6c4a4c79af509b1601061c7296f94
SHA256: 3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531
SHA512: 9aeb8ead2f4254d8f6e8d900cc5904f0950867d9c6aecb660c2c5fc75c80699b34921caaf991505a215bc798dba0b074de53b7509a44d4a15b2b1f3a98ae659d
SSDEEP: 6144:bHnBfTXqlbSpwEiCbjKDVVH4q9D9izTG+mBoaXjauY4/2FE:bBqbgwb/DVVH4yD9i25BoarYzFE
Malware Config
Extracted
nanocore
1.2.2.0
smithhk.ddns.net:4782
963de217-df7f-4e6b-92bd-1e43f6c4f226
activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-04-27T02:01:46.610026136Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 4782
default_group: Frosh Benz
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 963de217-df7f-4e6b-92bd-1e43f6c4f226
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: smithhk.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Drops startup file 1 IoCs
Processes: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\..url | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Checks whether UAC is enabled 1 IoCs
Processes: RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
description | pid | process | target process
PID 628 set thread context of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe, RegAsm.exe
pid | process
628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
4492 | RegAsm.exe
4492 | RegAsm.exe
4492 | RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegAsm.exe
pid | process
4492 | RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
Token: SeDebugPrivilege | 4492 | RegAsm.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe, csc.exe
description | pid | process | target process
PID 628 wrote to memory of 3608 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | csc.exe
PID 628 wrote to memory of 3608 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | csc.exe
PID 628 wrote to memory of 3608 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | csc.exe
PID 3608 wrote to memory of 1436 | 3608 | csc.exe | cvtres.exe
PID 3608 wrote to memory of 1436 | 3608 | csc.exe | cvtres.exe
PID 3608 wrote to memory of 1436 | 3608 | csc.exe | cvtres.exe
PID 628 wrote to memory of 1972 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 1972 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 1972 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 332 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 332 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 332 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | schtasks.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
PID 628 wrote to memory of 4492 | 628 | 1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe | RegAsm.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
  PID: 628
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\54ixrtip\54ixrtip.cmdline"
    PID: 3608
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES290F.tmp" "c:\Users\Admin\AppData\Local\Temp\54ixrtip\CSCC25CA9D1F3F441AC9AD181B36290FD66.TMP"
      PID: 1436
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /query
    PID: 1972
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
    PID: 332
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4492
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 4752
Network
MITRE ATT&CK Enterprise v15
Downloads