Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
14-05-2024 15:02
Static task
static1
Behavioral task
behavioral1
Sample
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
-
Size
566KB
-
MD5
41ed9c48d22e555ed02bc93e51dac8e6
-
SHA1
ec762a6769490d2c80b7225355ff8a97e01f08f2
-
SHA256
6e7aa00edd15b0cab85deb4dbaad16398279e14ad6adc2d381dc267571872f07
-
SHA512
72c77f8d38309e776737f55963a79200ea2e698d46e8e5a08b442244151e221951e1e43ec295e00b0680225b41a98e88fee9c341df82a42fdbd84f76cb02c344
-
SSDEEP
6144:K1zdkQj1QZcb4GLW6G/Zis+XZeys0n4aqrx22VXmELVryNCETgi:C2QjyZcPq6Gxis+NDq92cWEhrypTgi
Malware Config
Extracted
nanocore
1.2.2.0
160.202.163.243:9588
053c92c8-05d8-440d-ac8b-77913651b7e7
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-05-01T02:27:05.117625036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9588
-
default_group
20th=
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
053c92c8-05d8-440d-ac8b-77913651b7e7
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
160.202.163.243
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Drops startup file 1 IoCs
Processes:
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe -
Checks whether UAC is enabled 1 IoCs
Processes:
RegAsm.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
description pid process target process
PID 3080 set thread context of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
schtasks.exe is often used by malware to establish persistence or to run post-infection payloads.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
pid process
3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
1048 RegAsm.exe
1048 RegAsm.exe
1048 RegAsm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exe
pid process
1048 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
description pid process
Token: SeDebugPrivilege 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Token: SeDebugPrivilege 1048 RegAsm.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe csc.exe RegAsm.exe
description pid process target process
PID 3080 wrote to memory of 2744 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe csc.exe
PID 3080 wrote to memory of 2744 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe csc.exe
PID 3080 wrote to memory of 2744 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe csc.exe
PID 2744 wrote to memory of 4876 2744 csc.exe cvtres.exe
PID 2744 wrote to memory of 4876 2744 csc.exe cvtres.exe
PID 2744 wrote to memory of 4876 2744 csc.exe cvtres.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 3080 wrote to memory of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
PID 1048 wrote to memory of 2756 1048 RegAsm.exe schtasks.exe
PID 1048 wrote to memory of 2756 1048 RegAsm.exe schtasks.exe
PID 1048 wrote to memory of 2756 1048 RegAsm.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36BF.tmp" "c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\CSC611DD0E5B3648189C98B5B1D8E19630.TMP"
3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A69.tmp"
3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES36BF.tmp
Filesize
1KB
MD5 ebc0630f72fe68b7c3d3e915c728ea76
SHA1 7c8941cb86b1f8fa5881b51e6e99382dea07978e
SHA256 b23aba827ee2a5ff22cb5443773e649e47951fbad4818f8a5c89e51e73e496ba
SHA512 0b89b30c31f3f92499e94c832694263d5f9b45a84a7b50708df58bf6f8492bb2fa5365c12b1b31bc598f2c4ce84e1fd648d0f36478549aed727216cfda444f7a
-
C:\Users\Admin\AppData\Local\Temp\tmp3A69.tmp
Filesize
1KB
MD5 48ef7fa9033389ad7929d7a6b9d10298
SHA1 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA256 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512 ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.dll
Filesize
10KB
MD5 eba219c38f0999397db863a25a0c1b90
SHA1 245d3ea6ca941a42ebff0d8a82574758d3896e0e
SHA256 15c063290cd0d7f94b7337d0d11eebb48294363aa2716ece75f59a2afa5d979a
SHA512 f3c94a40722154a22d771c948044aeff93818b0543ebd5c8dce890ae4390b08a46fc6eaabd57ccfeba04573f7b95f224ee658f508969e5d5a24ad171831fc8e7
-
C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.pdb
Filesize
29KB
MD5 85c135da68075f32b84b14c1c3b5a9b4
SHA1 bc0b1a7bacec2a37e662480a0119e6a3301b1076
SHA256 8159d6b4565668d22db0b2556a813057e6a022d913066fb2700a8ee2973a33ec
SHA512 70145c0f809e0913219fbeae129fee44706ad65185abdc78349f4b2450050195e081d7e0f7ec77af5b8fea8b2d7a672e073ef86592e9638fb4854d8175fc887c
-
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\CSC611DD0E5B3648189C98B5B1D8E19630.TMP
Filesize
1KB
MD5 37d8db18f30a477469af450e13796ceb
SHA1 90356c5d1463369db3adc3d65a49e58e9d46527f
SHA256 e7ab8ad37e3ff1d110f07f8a921b30d9d16295a4002e245107ef652e61084db2
SHA512 a784c0ed5c01a009f6618845f3c84ea5a92f5a25078a7e7d1d747ffe7153d87b9c94bfb87d923fbee8d388b7ab93d985cb6ba468b8b4bcc5c06dd857c975af73
-
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.0.cs
Filesize
11KB
MD5 7366bed61be86bb57e4850100733dc2f
SHA1 1426ced8b65c7a96b3a25ee6eb0f417a590af1b5
SHA256 f33a4040638b27b83af1a1ba7d66467b019c504cc74b1a5020d8d56246df266b
SHA512 b195126e1ae3e4fcec6b167cd7f53ce6d12a0ce38eabb44a9f37ed28de808216c6ae48a30f8acbd3f9cb91b37ae9c9d8ac759c578aa71e8dab88edf38badad1c
-
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.cmdline
Filesize
312B
MD5 55572c97f777f82f7c4a174c3c606839
SHA1 78204bb41b1f855ed10892ee3dc4ccd38ce012e1
SHA256 a4b386d5fe72ae9ce8efc63674822ff6de8e57eddf3e5cf548192cdf572b3821
SHA512 b9e48424031dc30bf6af3a588802b88126cd61fcd87a478ec6ad0459f8cc3a4dc66ed161f60c2bd241bd621a870b1c7c68d7583106c9d737cb76d1c04a6074b7
-
memory/1048-29-0x0000000005520000-0x0000000005AC4000-memory.dmp
Filesize
5.6MB
-
memory/1048-26-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1048-39-0x00000000748A0000-0x0000000075050000-memory.dmp
Filesize
7.7MB
-
memory/1048-38-0x0000000005510000-0x000000000551A000-memory.dmp
Filesize
40KB
-
memory/1048-37-0x0000000005280000-0x000000000529E000-memory.dmp
Filesize
120KB
-
memory/1048-36-0x0000000005090000-0x000000000509A000-memory.dmp
Filesize
40KB
-
memory/1048-31-0x0000000005010000-0x000000000501A000-memory.dmp
Filesize
40KB
-
memory/1048-30-0x00000000748A0000-0x0000000075050000-memory.dmp
Filesize
7.7MB
-
memory/3080-28-0x00000000748A0000-0x0000000075050000-memory.dmp
Filesize
7.7MB
-
memory/3080-5-0x00000000748A0000-0x0000000075050000-memory.dmp
Filesize
7.7MB
-
memory/3080-25-0x00000000051C0000-0x000000000525C000-memory.dmp
Filesize
624KB
-
memory/3080-0-0x00000000748AE000-0x00000000748AF000-memory.dmp
Filesize
4KB
-
memory/3080-24-0x0000000004E80000-0x0000000004EB8000-memory.dmp
Filesize
224KB
-
memory/3080-1-0x00000000000D0000-0x000000000014C000-memory.dmp
Filesize
496KB
-
memory/3080-21-0x0000000004AE0000-0x0000000004AEC000-memory.dmp
Filesize
48KB
-
memory/3080-20-0x0000000004D10000-0x0000000004D54000-memory.dmp
Filesize
272KB
-
memory/3080-19-0x0000000004AF0000-0x0000000004B82000-memory.dmp
Filesize
584KB
-
memory/3080-17-0x0000000002480000-0x0000000002488000-memory.dmp
Filesize
32KB