Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
06-05-2024 21:04
Static task
static1
Behavioral task
behavioral1
Sample
1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
-
Size
261KB
-
MD5
1e5bf711537ee7a229050e4a4ff7ade1
-
SHA1
772a5a81572b4bfb038b1102cc02dbd2f9e27a2f
-
SHA256
120893883361e2381a0c10fc432fb304e4943df88e23bcbaead4738944a6bf55
-
SHA512
15d4fbddb93a06aceda44fd3ad6cf7563b03d72cd3bb71b31e5db366a4efa44533647beca6f267307a624c8058067a9b48067445d2cd7a34f5d3bedb252c1cc7
-
SSDEEP
6144:khc6LoHiH78JFwLyWw3ZqqSWc7j2gXpc28txvK6TU02B:kq8oH+wXWwoqSW3gXp2t5XTUZ
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 192.227.90.76:54984
C2: senatorojugo.ddns.net:54984
Mutex: 4fccb169-69b4-413d-a60e-3da781cad775
-
activate_away_mode
true
-
backup_connection_host
senatorojugo.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-09-11T17:48:43.516010936Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value omitted)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
4fccb169-69b4-413d-a60e-3da781cad775
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
192.227.90.76
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
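The config listing above is flat text (one key per line, its value on the next line, "-" between entries), and several values are rendered in a form that is awkward to compare against (booleans as words, 10485760 as 1.048576e+07). The following parser is an added example, not part of the sandbox report or of any analysis tool: it turns that listing back into typed values and derives the blockable network indicators from it. The embedded text is a subset of the fields copied from the section above; the function names are this example's own. The one point worth noticing is in network_iocs: the 8.8.8.8 / 8.8.4.4 entries are NanoCore's fallback resolver settings and only matter when use_custom_dns_server is true, so they are not indicators for this sample and must not end up on a blocklist.

```python
"""Parse a flat NanoCore config listing from a sandbox report into typed IOCs.

Added example, not part of the sandbox report or of any analysis tool. The
text below is copied from the "Malware Config" section (a subset of fields).
"""
import re

REPORT_CONFIG = """\
backup_connection_host
senatorojugo.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
bypass_user_account_control
false
-
connection_port
54984
-
max_packet_size
1.048576e+07
-
mutex
4fccb169-69b4-413d-a60e-3da781cad775
-
primary_connection_host
192.227.90.76
-
primary_dns_server
8.8.8.8
-
set_critical_process
true
-
use_custom_dns_server
false
-
version
1.2.2.0
"""

_INT = re.compile(r"^-?\d+$")
_FLOAT = re.compile(r"^-?\d+(\.\d+)?([eE][+-]?\d+)?$")


def _coerce(raw: str):
    """Turn the report's string values back into bool/int/float. Whole-number
    floats (the report prints 10485760 as 1.048576e+07) become int so they can
    be compared exactly; dotted strings such as 1.2.2.0 or an IP stay strings."""
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    if _INT.match(raw):
        return int(raw)
    if _FLOAT.match(raw):
        f = float(raw)
        return int(f) if f.is_integer() else f
    return raw


def parse_nanocore_config(text: str) -> dict:
    """Pair up key/value lines, skipping the '-' separator lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("odd number of key/value lines; the listing is truncated")
    return {lines[i]: _coerce(lines[i + 1]) for i in range(0, len(lines), 2)}


def c2_endpoints(cfg: dict) -> list:
    """Primary and backup hosts share connection_port in a NanoCore config."""
    port = int(cfg["connection_port"])
    hosts = [cfg.get("primary_connection_host"), cfg.get("backup_connection_host")]
    return [(h, port) for h in hosts if h]


def network_iocs(cfg: dict) -> set:
    """Indicators that are safe to block. The DNS servers are only used when
    use_custom_dns_server is true; with it false, 8.8.8.8 is not an indicator."""
    iocs = {f"{h}:{p}" for h, p in c2_endpoints(cfg)}
    if cfg.get("use_custom_dns_server"):
        for key in ("primary_dns_server", "backup_dns_server"):
            if cfg.get(key):
                iocs.add(f"dns:{cfg[key]}")
    return iocs


if __name__ == "__main__":
    cfg = parse_nanocore_config(REPORT_CONFIG)
    for ioc in sorted(network_iocs(cfg)):
        print(ioc)
    print("mutex:", cfg["mutex"], "| critical process:", cfg["set_critical_process"])
```

The mutex value is also worth carrying into host checks: NanoCore opens the GUID in the mutex field as a named mutex, so a live host that already holds it is infected with this build even if the dropped files were renamed.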
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
-
Drops startup file (1 IoC)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.lnk
-
Executes dropped EXE (1 IoC)
Processes:
  tmp.exe (PID 1424)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"
-
Checks whether UAC is enabled (1 IoC)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    File created: C:\Windows\assembly\Desktop.ini
    File opened for modification: C:\Windows\assembly\Desktop.ini
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 340 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) set thread context of PID 2832 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe)
-
Drops file in Program Files directory (2 IoCs)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    File created: C:\Program Files (x86)\DDP Service\ddpsv.exe
    File opened for modification: C:\Program Files (x86)\DDP Service\ddpsv.exe
-
Drops file in Windows directory (3 IoCs)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe
    File opened for modification: C:\Windows\assembly
    File created: C:\Windows\assembly\Desktop.ini
    File opened for modification: C:\Windows\assembly\Desktop.ini
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  schtasks.exe (PID 2084)
  schtasks.exe (PID 740)
-
NTFS ADS (1 IoC)
Processes:
  cmd.exe
    File created: C:\Users\Admin\AppData\Roaming\Windowsx64\Explorer.exe:Zone.Identifier
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (PID 340), 2 occurrences
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (PID 2832), 3 occurrences
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (PID 2832)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (PID 340): Token: SeDebugPrivilege
  1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (PID 2832): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (23 IoCs)
Processes (source PID -> target PID; repeated writes to the same target collapsed, 23 in total):
  340 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) -> 4000 (cmd.exe), 3 writes
  4000 (cmd.exe) -> 1136 (reg.exe), 3 writes
  340 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) -> 1424 (tmp.exe), 3 writes
  340 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) -> 2832 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe), 8 writes
  2832 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) -> 2084 (schtasks.exe), 3 writes
  2832 (1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe) -> 740 (schtasks.exe), 3 writes
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (depth 1, PID 340)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4000)
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1136)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windowsx64\Explorer.exe.lnk" /f
  C:\Users\Admin\AppData\Roaming\tmp.exe (depth 2, PID 1424)
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe (depth 2, PID 2832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2084)
      Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp46BD.tmp"
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 740)
      Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp46FD.tmp"
      - Creates scheduled task(s)
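The process tree and the signature rows together describe four persistence mechanisms (the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, two scheduled tasks created from XML in %TEMP%, a WOW6432Node Run key, and a .lnk in the Startup folder) plus the injection pattern in which PID 340 spawns a second copy of its own image and sets that child's thread context. The rules below are an added example, not part of the sandbox report and not from any detection product: they run over constructed Sysmon-style events (a simplified mirror of Event IDs 1, 11 and 13; the field names id, pid, image, parent_image, cmdline, target are this example's own convention) built from the tree above, with two benign events as controls. They are written to fire on the behaviour, not on this sample's task names or paths, so they would also catch the next build with different names.

```python
"""Behavioural detection rules for the persistence/injection seen in the tree.

Added example, not part of the sandbox report. Events are constructed from
the report's process tree and signatures, not captured telemetry.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1e5bf711537ee7a229050e4a4ff7ade1_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 340, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1136, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
                r'/d "C:\Users\Admin\AppData\Roaming\Windowsx64\Explorer.exe.lnk" /f'},
    {"id": 1, "pid": 2832, "image": SAMPLE, "parent_image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 1, "pid": 2084, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": SAMPLE,
     "cmdline": rf'"schtasks.exe" /create /f /tn "DDP Service" /xml "{TEMP}\tmp46BD.tmp"'},
    {"id": 1, "pid": 740, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": SAMPLE,
     "cmdline": rf'"schtasks.exe" /create /f /tn "DDP Service Task" /xml "{TEMP}\tmp46FD.tmp"'},
    {"id": 13, "pid": 2832, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service",
     "details": r"C:\Program Files (x86)\DDP Service\ddpsv.exe"},
    {"id": 11, "pid": 340, "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe.lnk"},
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"id": 13, "pid": 5001, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Directories a standard user can write to; installers run from elsewhere.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def _img(ev, key="image"):
    return ev.get(key, "").lower()


def rule_win_ini_load_value(ev):
    """The Load value under ...\Windows NT\CurrentVersion\Windows is the registry
    mapping of the legacy win.ini load= line and runs at logon; it is almost never
    set by legitimate software. Fires on reg.exe's command line or the write."""
    if ev["id"] == 1 and _img(ev).endswith("\\reg.exe"):
        return re.search(r'currentversion\\windows"?\s+/v\s+load\b', ev["cmdline"], re.I) is not None
    return ev["id"] == 13 and ev["target"].lower().endswith("\\currentversion\\windows\\load")


def rule_schtasks_xml_from_temp(ev):
    """schtasks /create /xml with the definition in %TEMP%: the action lives in
    the XML, so the command line alone does not show what the task will run."""
    if ev["id"] != 1 or not _img(ev).endswith("\\schtasks.exe"):
        return False
    cl = ev["cmdline"].lower()
    return "/create" in cl and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', cl) is not None


def rule_run_key_from_user_path(ev):
    """Run-key value written by a process executing from a user-writable path."""
    return (ev["id"] == 13 and re.search(r"\\currentversion\\run\\", ev["target"], re.I) is not None
            and USER_WRITABLE.search(ev["image"]) is not None)


def rule_startup_folder_lnk(ev):
    """.lnk dropped into the per-user Startup folder by a user-path process."""
    return (ev["id"] == 11
            and re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", ev["target"], re.I) is not None
            and USER_WRITABLE.search(ev["image"]) is not None)


def rule_self_spawn_same_image(ev):
    """Child has the same image path as its parent (PID 340 -> 2832 above). Weak
    alone; corroborate with SetThreadContext/WriteProcessMemory telemetry, e.g.
    Sysmon EID 10 ProcessAccess from parent to child with write/thread rights."""
    return ev["id"] == 1 and _img(ev) != "" and _img(ev) == _img(ev, "parent_image")


RULES = {fn.__name__[5:]: fn for fn in (
    rule_win_ini_load_value, rule_schtasks_xml_from_temp, rule_run_key_from_user_path,
    rule_startup_folder_lnk, rule_self_spawn_same_image)}


def run_rules(events):
    """Return (rule_name, pid) for every event/rule pair that matches."""
    return [(name, ev["pid"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, pid in run_rules(SAMPLE_EVENTS):
        print(f"{name:28s} PID {pid}")
```

The Zone.Identifier row in the signatures is the inverse of what the config's clear_zone_identifier=false suggests at first glance: cmd.exe created an ADS on the dropped Explorer.exe rather than removing one, so a rule keyed on ADS deletion would miss this sample; the Startup .lnk and Load value are the more reliable artefacts to key on.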
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 302e84aaa764d16a7b7871a3fa45702b
SHA1: c8ffd468093c8f87b2c8fe26401b8493778a0964
SHA256: 64558ba0636f1bc5cbdce995e2d8916638a306a1ae1480d7416cec11f2e307a5
SHA512: 5d9a6b4526057be238366117b2e1c0c85f077f9f500725e28d80b4233c3993fc6ec9713801bec5cf0b5b6777a5b6fde8d377a3ecf9fcebc8fd2eb1a768fe6075
-
Filesize: 1KB
MD5: 93d357e6194c8eb8d0616a9f592cc4bf
SHA1: 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256: a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512: 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f
-
Filesize: 261KB (same hashes as the submitted sample)
MD5: 1e5bf711537ee7a229050e4a4ff7ade1
SHA1: 772a5a81572b4bfb038b1102cc02dbd2f9e27a2f
SHA256: 120893883361e2381a0c10fc432fb304e4943df88e23bcbaead4738944a6bf55
SHA512: 15d4fbddb93a06aceda44fd3ad6cf7563b03d72cd3bb71b31e5db366a4efa44533647beca6f267307a624c8058067a9b48067445d2cd7a34f5d3bedb252c1cc7
-
Filesize: 203KB
MD5: f957426141d1d300f6b2b20221a6aa4e
SHA1: c815d6213a7e648c38501c85cf90dbea6dde34d2
SHA256: c84be4223a716573794704753a0abf2d85a087ea395b21dc2fa9bee77fcb5bac
SHA512: a93cd14785ee081a074944f27c36e35e297b68b2af48f52d47148a0fca7b8eb4b726a89b4668b9f792ca109cbfbf9df3dd2467afc6802e6226f48a64c142f911