Analysis

max time kernel: 147s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 01:29

Static task: static1
Behavioral task: behavioral1
Sample: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
Size: 465KB
MD5: 3d63d1c5a34c44dbb9afda0989b55295
SHA1: 1bcca2f8431c769d3a930430ebb2a41c20347f75
SHA256: ee2845452cc4f982738d1e47ae8b8fd2fd815c78bc846d5abe1a20308ad91866
SHA512: 1225c2e58c6a4460382f1d5803b89943ac7a82039aa6d5dd924777c070594e8ec9d3e613eea4b74cb326e39145e00f9e9f71f5902329be64168addbf82d7299e
SSDEEP: 6144:icAUcCVyuuU7TfGptV/w0gS3J2/7pMJwG6ZUa9klSrwHlruukABclcV3V+:ibUcWDvStNwbr/SJAKa6lSrwPucG
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: bornsinner.myq-see.com:3941
Mutex / client ID: 1276c0d6-7944-4dc2-bd80-b50fc12f063d

activate_away_mode: true
backup_connection_host: (empty)
backup_dns_server: (empty)
buffer_size: 65542
build_time: 2020-02-03T06:34:44.711604836Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 3994
connection_port: 3941
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760
mutex: 1276c0d6-7944-4dc2-bd80-b50fc12f063d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: bornsinner.myq-see.com
primary_dns_server: bornsinner.myq-see.com
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Windows security modification
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe
  PID 1924 (3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe) set thread context of PID 280 (MSBuild.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 496), schtasks.exe (PID 320)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe (PID 2408), 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe (PID 1924), MSBuild.exe (PID 280, 3 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: MSBuild.exe (PID 280)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe (PID 2408), 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe (PID 1924), MSBuild.exe (PID 280)
  Token: SeDebugPrivilege  powershell.exe (PID 2408)
  Token: SeDebugPrivilege  3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe (PID 1924)
  Token: SeDebugPrivilege  MSBuild.exe (PID 280)

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe (PID 1924), MSBuild.exe (PID 280)
  PID 1924 (3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe) wrote to memory of PID 2408 (powershell.exe)  x4
  PID 1924 (3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe) wrote to memory of PID 496 (schtasks.exe)  x4
  PID 1924 (3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe) wrote to memory of PID 280 (MSBuild.exe)  x9
  PID 280 (MSBuild.exe) wrote to memory of PID 320 (schtasks.exe)  x4
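The registry and memory events above are the kind of behaviour log a detection engineer turns into rules. The following is an added example, not part of the sandbox output: it parses lines in the exact shape the report prints them (constructed here from the report's own entries), flags the Defender policy writes, and pairs the SetThreadContext event with the repeated WriteProcessMemory calls into the same child to separate process hollowing (PID 1924 into MSBuild.exe) from the ordinary writes a parent makes into powershell.exe and schtasks.exe when it starts them. The `min_writes` threshold is an assumption.

```python
"""Detection logic over the behaviour lines in the Signatures section.

Added example, not part of the sandbox report: REPORT_LINES is constructed
from the report's registry and memory events; min_writes is an assumption.
"""
import re
from collections import Counter

SAMPLE = "3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe"

# Registry values that weaken Microsoft Defender when set to these values.
# Key suffixes and values are taken from the report's signature entries.
DEFENDER_TAMPER = {
    "Real-Time Protection\\DisableBehaviorMonitoring": "1",
    "Real-Time Protection\\DisableOnAccessProtection": "1",
    "Real-Time Protection\\DisableScanOnRealtimeEnable": "1",
    "Windows Defender\\Features\\TamperProtection": "0",
}

# Event shapes exactly as the report prints them.
SET_VALUE = re.compile(r'Set value \((?:int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
THREAD_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
WRITE_MEM = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def find_defender_tampering(lines):
    """Return (key, value, process) for every write that disables a Defender feature."""
    hits = []
    for line in lines:
        m = SET_VALUE.search(line)
        if not m:
            continue
        path, value, proc = m.groups()
        for suffix, bad in DEFENDER_TAMPER.items():
            if path.lower().endswith(suffix.lower()) and value == bad:
                hits.append((path, value, proc))
    return hits


def find_hollowing(lines, min_writes=4):
    """Flag parent->child pairs showing the hollowing sequence: repeated
    WriteProcessMemory into the child plus SetThreadContext on it.
    Writes without a SetThreadContext (powershell/schtasks children here)
    are ordinary process-start plumbing and are not flagged."""
    writes = Counter()
    ctx = set()
    for line in lines:
        m = WRITE_MEM.search(line)
        if m:
            writes[m.groups()] += 1      # (parent, child, parent name, child name)
            continue
        m = THREAD_CTX.search(line)
        if m:
            ctx.add(m.groups())
    return [key + (n,) for key, n in writes.items() if key in ctx and n >= min_writes]


# Constructed from the report: 4 Defender writes, 1 SetThreadContext, 21 memory writes.
REPORT_LINES = [
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring = "1" ' + SAMPLE,
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection = "1" ' + SAMPLE,
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable = "1" ' + SAMPLE,
    'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection ' + SAMPLE,
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" ' + SAMPLE,
    f"PID 1924 set thread context of 280 1924 {SAMPLE} MSBuild.exe",
]
REPORT_LINES += [f"PID 1924 wrote to memory of 2408 1924 {SAMPLE} powershell.exe"] * 4
REPORT_LINES += [f"PID 1924 wrote to memory of 496 1924 {SAMPLE} schtasks.exe"] * 4
REPORT_LINES += [f"PID 1924 wrote to memory of 280 1924 {SAMPLE} MSBuild.exe"] * 9
REPORT_LINES += ["PID 280 wrote to memory of 320 280 MSBuild.exe schtasks.exe"] * 4

if __name__ == "__main__":
    for hit in find_defender_tampering(REPORT_LINES):
        print("defender tampering:", hit)
    for parent, child, pname, cname, n in find_hollowing(REPORT_LINES):
        print(f"probable hollowing: {pname} ({parent}) -> {cname} ({child}), {n} writes")
```

Requiring both the SetThreadContext and a burst of writes is what keeps the rule from firing on every parent that launches a child; on this report only the MSBuild.exe child satisfies both.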
Processes

C:\Users\Admin\AppData\Local\Temp\3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe  (PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Windows security modification
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2408)
    Command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (PID 496)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SXvGTDXt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC2A.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  (PID 280)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 320)
      Command line: "schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp"
      - Creates scheduled task(s)
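The process tree carries three command lines worth rules of their own: PowerShell running Get-MpPreference (Defender configuration recon), schtasks creating a task from an XML file dropped in %LOCALAPPDATA%\Temp (persistence), and MSBuild.exe launched with no project path by a parent that itself runs from Temp (the hollowing host; a genuine build always gets a project or switch). Note that the children appear under C:\Windows\SysWOW64 even where the command line names System32: the 32-bit parent is subject to WoW64 file-system redirection, so a rule must match on the image name, not the directory. The following is an added example, not part of the sandbox report: the tree is constructed from the report's own entries (PIDs and parent links taken from the Signatures section), the splitter ignores the `\"` escape rule of CommandLineToArgvW, which is an assumption that holds for these lines, and the rule thresholds are assumptions.

```python
"""Command-line triage of the process tree.

Added example, not part of the sandbox report: TREE is constructed from the
report's process tree; rule thresholds and the simplified splitter are assumptions.
"""
import ntpath

TEMP_MARK = "\\appdata\\local\\temp\\"


def win_argv(cmdline):
    """Split a Windows command line: whitespace separates arguments, double
    quotes group, backslashes stay literal. A POSIX splitter (shlex in posix
    mode) would eat the path separators, so it is not used here."""
    args, cur, quoted, seen = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, seen = not quoted, True
        elif ch.isspace() and not quoted:
            if cur or seen:
                args.append("".join(cur))
            cur, seen = [], False
        else:
            cur.append(ch)
    if cur or seen:
        args.append("".join(cur))
    return args


def _image(argv):
    return ntpath.basename(argv[0]).lower() if argv else ""


def _value_after(argv, flag):
    """Value following a case-insensitive switch such as /tn or /xml, if any."""
    for i, a in enumerate(argv[:-1]):
        if a.lower() == flag:
            return argv[i + 1]
    return None


def scheduled_task_from_temp(proc):
    """schtasks /create whose task XML lives under %LOCALAPPDATA%\\Temp: the
    task definition was dropped by the malware, not installed by an admin."""
    argv = win_argv(proc["cmdline"])
    if _image(argv) != "schtasks.exe" or "/create" not in (a.lower() for a in argv):
        return None
    xml = _value_after(argv, "/xml")
    if xml and TEMP_MARK in xml.lower():
        return {"task": _value_after(argv, "/tn"), "xml": xml}
    return None


def msbuild_without_project(proc, parent):
    """MSBuild.exe with no project path or switch, started from Temp:
    nothing to build, so it is a hollowing host."""
    argv = win_argv(proc["cmdline"])
    return (_image(argv) == "msbuild.exe" and len(argv) == 1
            and TEMP_MARK in parent["image"].lower())


def defender_config_recon(proc):
    """PowerShell querying Defender settings (Get-MpPreference)."""
    argv = win_argv(proc["cmdline"])
    return _image(argv).startswith("powershell") and any(
        a.lower() == "get-mppreference" for a in argv[1:])


def triage(tree):
    by_pid = {p["pid"]: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p["ppid"])
        if defender_config_recon(p):
            findings.append(("defender_config_recon", p["pid"]))
        task = scheduled_task_from_temp(p)
        if task:
            findings.append(("scheduled_task_from_temp_xml", p["pid"], task["task"]))
        if parent and msbuild_without_project(p, parent):
            findings.append(("msbuild_hollow_host", p["pid"], parent["pid"]))
    return findings


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe"
TREE = [  # constructed from the report's process tree
    {"pid": 1924, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2408, "ppid": 1924, "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": '"powershell" Get-MpPreference -verbose'},
    {"pid": 496, "ppid": 1924, "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\SXvGTDXt" '
                '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFC2A.tmp"'},
    {"pid": 280, "ppid": 1924, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe"'},
    {"pid": 320, "ppid": 280, "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpFDB0.tmp"'},
]

if __name__ == "__main__":
    for finding in triage(TREE):
        print(finding)
```

The switches are matched case-insensitively on purpose: the two schtasks invocations in this tree spell them differently (/Create /TN /XML versus /create /tn /xml), and the second one comes from the hollowed MSBuild.exe rather than the dropper.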
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  Modify Registry (2)
  Impair Defenses (2): Disable or Modify Tools (2)
  Virtualization/Sandbox Evasion (2)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC2A.tmp
  Filesize: 1KB
  MD5: 9926fab591de79c0972377890821e910
  SHA1: e9d32e2870ccf2c9ab9a31661b00ba28279bfc8b
  SHA256: beb9592eff6e6ad2a803e1423621fa54b9b5c0e9cd4209c3616203527e584639
  SHA512: 595b0af05344e7c70eae8411e75fa005a0c3feb1acf62940594e47515f0ae89d2b19b99b1089510b873f6c3188229d46ee93250050a9424c5210aced18d853f1

C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp
  Filesize: 1KB
  MD5: ae766004c0d8792953bafffe8f6a2e3b
  SHA1: 14b12f27543a401e2fe0af8052e116cab0032426
  SHA256: 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
  SHA512: e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

Memory dumps (PID 280, MSBuild.exe)
  memory/280-18-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-20-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-22-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-24-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/280-27-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-28-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/280-29-0x0000000000400000-0x0000000000438000-memory.dmp  224KB

Memory dumps (PID 1924, 3d63d1c5a34c44dbb9afda0989b55295_JaffaCakes118.exe)
  memory/1924-0-0x0000000074341000-0x0000000074342000-memory.dmp  4KB
  memory/1924-1-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/1924-2-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/1924-3-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/1924-4-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/1924-30-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB

Memory dumps (PID 2408, powershell.exe)
  memory/2408-7-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/2408-8-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/2408-9-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/2408-10-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/2408-11-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB
  memory/2408-12-0x0000000074340000-0x00000000748EB000-memory.dmp  5.7MB