Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-05-2024 09:52

General

  • Target

    33fca0a153bd0201302cc6de94acaee5_JaffaCakes118.exe

  • Size

    782KB

  • MD5

    33fca0a153bd0201302cc6de94acaee5

  • SHA1

    2d37ec74bf416ccdd5ce0c7d4afdbbd62642e188

  • SHA256

    824821e1c3ec150289f73e5b86cf7c74e2eda961379a5cdb44e5263fb11fcdff

  • SHA512

    0ca4b62a8436720c6e73856fc81d6b3748bca80b549594773fef27d563ac7ff9b106bc78477ac58380887c5809fb43c4dc044df2940b42b720d3006ea4e6d63e

  • SSDEEP

    12288:PZoGfI9Pr0azt+xKaMjKlTzNkeAC3M5pZN7gfRix6r:Po9PPz04QlTzN

Malware Config

Signatures

  • NanoCore (family)

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, most likely a geofence check.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    schtasks.exe is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\33fca0a153bd0201302cc6de94acaee5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\33fca0a153bd0201302cc6de94acaee5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\33fca0a153bd0201302cc6de94acaee5_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC91C.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:1408
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC97B.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:4552
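The tree above is the chain a detection engineer would want to key on: the sample in Temp launches the signed .NET utility InstallUtil.exe with `/u` pointing back at itself (a known proxy-execution technique), that InstallUtil spawns a second InstallUtil with no arguments, and the SetThreadContext and WriteProcessMemory signatures indicate the argument-less child is the hollowed host for the injected RAT, which then persists via two scheduled tasks built from XML files in Temp. The following is an added example, not part of the report or of any sandbox's own code: Python detection logic run over constructed Sysmon-style process-creation events that mirror the PIDs and command lines shown. The root process's parent PID (4000, assumed to be explorer.exe) and the rule names are assumptions.

```python
"""Detection logic for the InstallUtil / schtasks chain shown above, run over
constructed Sysmon-style process-creation events. Added example; not part of
the report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories an unprivileged user can write to. A payload handed to
# InstallUtil /u, or a task XML read from one of these, is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: PID, parent PID, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Return everything after the leading (possibly quoted) image path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def flag_value(cmdline: str, flag: str) -> Optional[str]:
    """Value following a space-separated switch such as /u or /xml (quoted or bare)."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "installutil.exe":
            # Rule 1: InstallUtil /u (or /uninstall) pointed at a user-writable path.
            target = flag_value(e.cmdline, "/u") or flag_value(e.cmdline, "/uninstall")
            if target and USER_WRITABLE.search(target):
                findings.append(("installutil_uninstall_user_path", e.pid))
            # Rule 2: InstallUtil spawning a second, argument-less InstallUtil,
            # the shape of a hollowed host process awaiting injected code.
            if parent and basename(parent.image) == "installutil.exe" and not args_after_image(e.cmdline):
                findings.append(("installutil_argless_child", e.pid))
        elif name == "schtasks.exe":
            # Rule 3: task created from an XML definition dropped in a user-writable dir.
            xml = flag_value(e.cmdline, "/xml")
            if "/create" in e.cmdline.lower() and xml and USER_WRITABLE.search(xml):
                findings.append(("schtasks_create_from_user_xml", e.pid))
    return findings


# Constructed events mirroring the PIDs and command lines in the process tree.
# The root's parent PID (assumed explorer.exe, PID 4000) is not in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\33fca0a153bd0201302cc6de94acaee5_JaffaCakes118.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
EVENTS = [
    ProcEvent(3028, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4460, 3028, INSTALLUTIL, f'"{INSTALLUTIL}" /logtoconsole=false /logfile= /u "{SAMPLE}"'),
    ProcEvent(1336, 4460, INSTALLUTIL, f'"{INSTALLUTIL}"'),
    ProcEvent(1408, 1336, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC91C.tmp"'),
    ProcEvent(4552, 1336, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC97B.tmp"'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

Run against the constructed events, the three rules fire on PIDs 4460, 1336, 1408 and 4552 respectively, and nothing fires on the root sample itself; a legitimate `InstallUtil /u` against a service under Program Files matches none of them. Rule 2 is the one worth keeping even where the first is too noisy: a signed host binary re-launching itself with an empty command line is the common shape of process hollowing regardless of which LOLBin is used.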

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Scheduled Task/Job (T1053): 1 signature
  • Persistence
    Boot or Logon Autostart Execution (T1547): 1 signature
      Registry Run Keys / Startup Folder (T1547.001): 1 signature
    Scheduled Task/Job (T1053): 1 signature
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1 signature
      Registry Run Keys / Startup Folder (T1547.001): 1 signature
    Scheduled Task/Job (T1053): 1 signature
  • Defense Evasion
    Modify Registry (T1112): 1 signature
  • Discovery
    Query Registry (T1012): 1 signature
    System Information Discovery (T1082): 2 signatures


Downloads (dropped files and memory dumps)

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log
    Filesize

    810B

    MD5

    7a4a84f4d2df1fe011638038702dad89

    SHA1

    64e9856d95b2064ff51e1c77819c818e6e5b3291

    SHA256

    cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590

    SHA512

    cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d

  • C:\Users\Admin\AppData\Local\Temp\tmpC91C.tmp
    Filesize

    1KB

    MD5

    776580d2028b74ed89bb21146482bdff

    SHA1

    d1a45290dedde63d8539a2fc8af866b430238bc7

    SHA256

    fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0

    SHA512

    de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3

  • C:\Users\Admin\AppData\Local\Temp\tmpC97B.tmp
    Filesize

    1KB

    MD5

    ecf141ec69adbb2a5c3dd5c85cd0ec39

    SHA1

    0ad224632fa58d103142c05c44a142f3d7208291

    SHA256

    64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316

    SHA512

    4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

  • memory/1336-21-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/1336-13-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/3028-4-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/3028-0-0x0000000075342000-0x0000000075343000-memory.dmp
    Filesize

    4KB

  • memory/3028-2-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/3028-1-0x0000000075340000-0x00000000758F1000-memory.dmp
    Filesize

    5.7MB

  • memory/4460-7-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/4460-8-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/4460-12-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/4460-5-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB

  • memory/4460-6-0x0000000075340000-0x00000000753DB000-memory.dmp
    Filesize

    620KB