Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 21:04

Static task: static1
Behavioral task: behavioral1
Sample: 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
- Size: 261KB
- MD5: 1e5bf711537ee7a229050e4a4ff7ade1
- SHA1: 772a5a81572b4bfb038b1102cc02dbd2f9e27a2f
- SHA256: 120893883361e2381a0c10fc432fb304e4943df88e23bcbaead4738944a6bf55
- SHA512: 15d4fbddb93a06aceda44fd3ad6cf7563b03d72cd3bb71b31e5db366a4efa44533647beca6f267307a624c8058067a9b48067445d2cd7a34f5d3bedb252c1cc7
- SSDEEP: 6144:khc6LoHiH78JFwLyWw3ZqqSWc7j2gXpc28txvK6TU02B:kq8oH+wXWwoqSW3gXp2t5XTUZ
Malware Config

Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 192.227.90.76:54984, senatorojugo.ddns.net:54984
- Mutex: 4fccb169-69b4-413d-a60e-3da781cad775

Attributes:
- activate_away_mode: true
- backup_connection_host: senatorojugo.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-09-11T17:48:43.516010936Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not available in this extract)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4fccb169-69b4-413d-a60e-3da781cad775
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 192.227.90.76
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.lnk | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  2568 | tmp.exe

- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (4 identical entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | tmp.exe
- Checks whether UAC is enabled (1 IoC; signature title restored from the process tree below, where tmp.exe carries this tag)
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tmp.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2884 set thread context of 2792 | 2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe

- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | tmp.exe
  File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  2468 | schtasks.exe
  2500 | schtasks.exe

- NTFS ADS (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Windowsx64\Explorer.exe:Zone.Identifier | cmd.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (2 identical entries)
  2568 | tmp.exe (3 identical entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  2568 | tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2568 | tmp.exe

- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description | pid | process | target process):
  PID 2884 wrote to memory of 2852 | 2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe | cmd.exe (4 identical entries)
  PID 2852 wrote to memory of 2736 | 2852 | cmd.exe | reg.exe (4 identical entries)
  PID 2884 wrote to memory of 2568 | 2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe | tmp.exe (4 identical entries)
  PID 2884 wrote to memory of 2792 | 2884 | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe | 1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (9 identical entries)
  PID 2568 wrote to memory of 2468 | 2568 | tmp.exe | schtasks.exe (4 identical entries)
  PID 2568 wrote to memory of 2500 | 2568 | tmp.exe | schtasks.exe (4 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe"
  PID: 2884
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 2852
    Signatures:
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windowsx64\Explorer.exe.lnk" /f
      PID: 2736

  - C:\Users\Admin\AppData\Roaming\tmp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    PID: 2568
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp119D.tmp"
      PID: 2468
      Signatures:
      - Creates scheduled task(s)

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp124A.tmp"
      PID: 2500
      Signatures:
      - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe"
    PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 8a9b76989a8413172cff53ca3e745a3e
  SHA1: 0ddb9676d5ccbf8e4daf1cb5416207610724aaf0
  SHA256: d5efff1ebc2bef62244c2d3b4301e68db613c18c1cbefdb31008672a55bb7515
  SHA512: 2d1d276ef7d6f54b722b91b856b3974372bad7fb9058ce30afffb3820ddef466f9a2e63efc743a4391f053c2da7b216741fc534af9552d509dda99fc4d355eeb

- Filesize: 1KB
  MD5: 0479d5f304ef2d7e3c15fb24a99f88c1
  SHA1: 8edbb1450a656fac5f5e96779ffe440ee8c1aec9
  SHA256: 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
  SHA512: 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

- Filesize: 261KB
  MD5: 1e5bf711537ee7a229050e4a4ff7ade1
  SHA1: 772a5a81572b4bfb038b1102cc02dbd2f9e27a2f
  SHA256: 120893883361e2381a0c10fc432fb304e4943df88e23bcbaead4738944a6bf55
  SHA512: 15d4fbddb93a06aceda44fd3ad6cf7563b03d72cd3bb71b31e5db366a4efa44533647beca6f267307a624c8058067a9b48067445d2cd7a34f5d3bedb252c1cc7

- Filesize: 203KB
  MD5: f957426141d1d300f6b2b20221a6aa4e
  SHA1: c815d6213a7e648c38501c85cf90dbea6dde34d2
  SHA256: c84be4223a716573794704753a0abf2d85a087ea395b21dc2fa9bee77fcb5bac
  SHA512: a93cd14785ee081a074944f27c36e35e297b68b2af48f52d47148a0fca7b8eb4b726a89b4668b9f792ca109cbfbf9df3dd2467afc6802e6226f48a64c142f911