Analysis
-
max time kernel
156s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-05-2024 14:11
Static task
static1
Behavioral task
behavioral1
Sample
3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
-
Size
728KB
-
MD5
3a844cec6076901b623b1354dad68a7e
-
SHA1
47c79404bc4d4b1ae7be6bbdf8fcb1e9df27ff43
-
SHA256
772814528f5d70b28f79e3865317a8ded4ea597d59966a7ba6cd854bc69fe9f3
-
SHA512
33df66525df0df52788a0b596de6116a66a2845ca33a008172c9f3b8dbf15318ffa05ffab2aa3957c803001e34752c92deb6c40510b0acb624483aae7f594f38
-
SSDEEP
12288:mpww/Geu9yZV9fE3RebnlKViwA1Gn/Pe7x7PdKoE9jp2vmMjPgJEtW:PweL96tKIOsPIP
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 162.194.17.151:5540
Mutex: 88e68db8-f6fe-4a32-a87f-c4e07a150453
-
activate_away_mode
true
-
backup_connection_host
162.194.17.151
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2017-07-05T20:15:45.478507836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
3994
-
connection_port
5540
-
default_group
recent
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
88e68db8-f6fe-4a32-a87f-c4e07a150453
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
162.194.17.151
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | fonrdvhost.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4932 | fonrdvhost.exe
4568 | fonrdvhost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Application = "C:\\Users\\Admin\\Pictures\\fonrdvhost.exe" | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4932 set thread context of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
4932 | fonrdvhost.exe
4932 | fonrdvhost.exe
2484 | RegAsm.exe
2484 | RegAsm.exe
2484 | RegAsm.exe
2484 | RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2484 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4416 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
Token: SeDebugPrivilege | 4932 | fonrdvhost.exe
Token: SeDebugPrivilege | 4568 | fonrdvhost.exe
Token: SeDebugPrivilege | 2484 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 4416 wrote to memory of 4932 | 4416 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
PID 4416 wrote to memory of 4932 | 4416 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
PID 4416 wrote to memory of 4932 | 4416 | 3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe | fonrdvhost.exe
PID 4932 wrote to memory of 4568 | 4932 | fonrdvhost.exe | fonrdvhost.exe
PID 4932 wrote to memory of 4568 | 4932 | fonrdvhost.exe | fonrdvhost.exe
PID 4932 wrote to memory of 4568 | 4932 | fonrdvhost.exe | fonrdvhost.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
PID 4932 wrote to memory of 2484 | 4932 | fonrdvhost.exe | RegAsm.exe
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
(level 2) C:\Users\Admin\Pictures\fonrdvhost.exe
Command line: "C:\Users\Admin\Pictures\fonrdvhost.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
(level 3) C:\Users\Admin\Pictures\fonrdvhost.exe
Command line: "C:\Users\Admin\Pictures\fonrdvhost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
(level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
(level 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
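Two behaviours in this report are the ones worth turning into hunting logic: the RunOnce value pointing at an executable dropped in the user's Pictures folder, and RegAsm.exe being started with no arguments at all by that dropped copy just before it writes to RegAsm's memory and calls SetThreadContext. The Python below is an added example, not part of the sandbox report and not code from the sample; it runs those two heuristics over constructed Sysmon-style Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent) records shaped after this report's IoCs. The records, the field names, and the folder and utility lists are assumptions made for illustration.

```python
"""Two hunting heuristics derived from this report's behaviour, run over
CONSTRUCTED Sysmon-style events (Event ID 1 ProcessCreate, Event ID 13 RegistryEvent).
These are not sandbox telemetry; the records are shaped after the report's IoCs."""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [
    # RunOnce value written by the initial sample (mirrors the "Adds Run key" IoC).
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe",
     "TargetObject": r"HKU\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Application",
     "Details": r"C:\Users\Admin\Pictures\fonrdvhost.exe"},
    # Dropped self-copy started from the Pictures folder (report process tree, level 2).
    {"EventID": 1, "ProcessId": 4932,
     "Image": r"C:\Users\Admin\Pictures\fonrdvhost.exe",
     "CommandLine": r'"C:\Users\Admin\Pictures\fonrdvhost.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\3a844cec6076901b623b1354dad68a7e_JaffaCakes118.exe"},
    # RegAsm.exe started with an empty argument list by the dropped copy (hollowing host).
    {"EventID": 1, "ProcessId": 2484,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
     "ParentImage": r"C:\Users\Admin\Pictures\fonrdvhost.exe"},
    # Constructed benign control: a build registering a COM assembly; must not fire.
    {"EventID": 1, "ProcessId": 7001,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase C:\build\Interop.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    # Constructed benign control: a Run value pointing into Program Files; must not fire.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# User-profile folders where an autostart binary is not expected (heuristic, assumed list).
USER_DATA_DIRS = {"pictures", "documents", "downloads", "desktop", "music", "videos", "temp"}
# .NET utilities commonly used as hollowing hosts; each normally takes an assembly path,
# so an empty argument list is the anomaly (assumed list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def first_path(cmdline):
    """Split a command line into (executable path, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def in_user_data_dir(path):
    """True if path sits under the Users profile root and passes through a user data folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 4 and parts[1] == "users" and any(p in USER_DATA_DIRS for p in parts[3:-1])


def detect_user_dir_autostart(event):
    """EID 13: Run/RunOnce value whose target executable lives in a user data folder."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    target, _ = first_path(event.get("Details", ""))
    if in_user_data_dir(target):
        return f"autostart {event['TargetObject']} -> {target} (set by {event.get('Image')})"
    return None


def detect_bare_dotnet_host(event):
    """EID 1: RegAsm/RegSvcs/InstallUtil launched with no arguments at all."""
    if event.get("EventID") != 1:
        return None
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in HOLLOW_HOSTS:
        return None
    _, args = first_path(event.get("CommandLine", ""))
    if args:
        return None  # a real registration passes an assembly path
    parent = event.get("ParentImage", "")
    note = " from a user data folder" if in_user_data_dir(parent) else ""
    return f"{image} (pid {event.get('ProcessId')}) launched with no arguments by {parent}{note}"


RULES = (detect_user_dir_autostart, detect_bare_dotnet_host)


def scan(events):
    """Return (rule name, finding) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


if __name__ == "__main__":
    for name, finding in scan(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

Against the constructed records the two rules fire exactly once each, on the RunOnce value and on pid 2484, and stay silent on the two benign controls. The argument-less launch check is deliberately narrow: the Sysmon process-access events that would show the WriteProcessMemory and SetThreadContext calls the report lists are not modelled here, so in production the bare-launch hit should be correlated with those rather than treated as sufficient on its own.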
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\Pictures\fonrdvhost.exe
Filesize 728KB
MD5 3a844cec6076901b623b1354dad68a7e
SHA1 47c79404bc4d4b1ae7be6bbdf8fcb1e9df27ff43
SHA256 772814528f5d70b28f79e3865317a8ded4ea597d59966a7ba6cd854bc69fe9f3
SHA512 33df66525df0df52788a0b596de6116a66a2845ca33a008172c9f3b8dbf15318ffa05ffab2aa3957c803001e34752c92deb6c40510b0acb624483aae7f594f38
(All four hashes match the submitted sample: the dropped file is a byte-identical copy of it.)
-
memory/2484-25-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/4416-19-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4416-2-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4416-3-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4416-1-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4416-0-0x0000000075032000-0x0000000075033000-memory.dmp
Filesize 4KB
-
memory/4568-23-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4568-28-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4568-24-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4568-22-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4932-16-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4932-20-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4932-18-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4932-27-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB
-
memory/4932-15-0x0000000075030000-0x00000000755E1000-memory.dmp
Filesize 5.7MB