Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 14:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
- Resource: win7-20240215-en
General
- Target: 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
- Size: 728KB
- MD5: 3a844cec6076901b623b1354dad68a7e
- SHA1: 47c79404bc4d4b1ae7be6bbdf8fcb1e9df27ff43
- SHA256: 772814528f5d70b28f79e3865317a8ded4ea597d59966a7ba6cd854bc69fe9f3
- SHA512: 33df66525df0df52788a0b596de6116a66a2845ca33a008172c9f3b8dbf15318ffa05ffab2aa3957c803001e34752c92deb6c40510b0acb624483aae7f594f38
- SSDEEP: 12288:mpww/Geu9yZV9fE3RebnlKViwA1Gn/Pe7x7PdKoE9jp2vmMjPgJEtW:PweL96tKIOsPIP
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 162.194.17.151:5540
- Mutex: 88e68db8-f6fe-4a32-a87f-c4e07a150453
- activate_away_mode: true
- backup_connection_host: 162.194.17.151
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-07-05T20:15:45.478507836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 3994
- connection_port: 5540
- default_group: recent
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 88e68db8-f6fe-4a32-a87f-c4e07a150453
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 162.194.17.151
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    2556 | fonrdvhost.exe
    2736 | fonrdvhost.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  | process
    2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
    2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application = "C:\\Users\\Admin\\Pictures\\fonrdvhost.exe" | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
- Checks whether UAC is enabled
  Processes:
    description       | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         | pid  | process        | target process
    PID 2556 set thread context of 2100 | 2556 | fonrdvhost.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid  | process
    2100 | RegAsm.exe
    2100 | RegAsm.exe
    2100 | RegAsm.exe
    2556 | fonrdvhost.exe
    2556 | fonrdvhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid  | process
    2100 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
    Token: SeDebugPrivilege  | 2556 | fonrdvhost.exe
    Token: SeDebugPrivilege  | 2736 | fonrdvhost.exe
    Token: SeDebugPrivilege  | 2100 | RegAsm.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                      | pid  | process                                            | target process
    PID 2388 wrote to memory of 2556 | 2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
    PID 2388 wrote to memory of 2556 | 2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
    PID 2388 wrote to memory of 2556 | 2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
    PID 2388 wrote to memory of 2556 | 2388 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
    PID 2556 wrote to memory of 2736 | 2556 | fonrdvhost.exe                                     | fonrdvhost.exe
    PID 2556 wrote to memory of 2736 | 2556 | fonrdvhost.exe                                     | fonrdvhost.exe
    PID 2556 wrote to memory of 2736 | 2556 | fonrdvhost.exe                                     | fonrdvhost.exe
    PID 2556 wrote to memory of 2736 | 2556 | fonrdvhost.exe                                     | fonrdvhost.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
    PID 2556 wrote to memory of 2100 | 2556 | fonrdvhost.exe                                     | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Pictures\fonrdvhost.exe
    command line: "C:\Users\Admin\Pictures\fonrdvhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Pictures\fonrdvhost.exe
      command line: "C:\Users\Admin\Pictures\fonrdvhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\Pictures\fonrdvhost.exe
  Filesize: 728KB
  MD5: 3a844cec6076901b623b1354dad68a7e
  SHA1: 47c79404bc4d4b1ae7be6bbdf8fcb1e9df27ff43
  SHA256: 772814528f5d70b28f79e3865317a8ded4ea597d59966a7ba6cd854bc69fe9f3
  SHA512: 33df66525df0df52788a0b596de6116a66a2845ca33a008172c9f3b8dbf15318ffa05ffab2aa3957c803001e34752c92deb6c40510b0acb624483aae7f594f38
- Memory dumps
    file                                                            | Filesize
    memory/2100-22-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
    memory/2100-21-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
    memory/2100-23-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
    memory/2388-14-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2388-2-0x0000000074A50000-0x0000000074FFB000-memory.dmp  | 5.7MB
    memory/2388-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp  | 5.7MB
    memory/2388-0-0x0000000074A51000-0x0000000074A52000-memory.dmp  | 4KB
    memory/2388-3-0x0000000074A50000-0x0000000074FFB000-memory.dmp  | 5.7MB
    memory/2556-17-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2556-16-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2556-18-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2556-15-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2556-25-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2736-20-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB
    memory/2736-26-0x0000000074A50000-0x0000000074FFB000-memory.dmp | 5.7MB