Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 07:12

Static task: static1
Behavioral task: behavioral1
- Sample: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
- Size: 260KB
- MD5: 450d8c68e01b7c086e5d195a594a5ad4
- SHA1: 06fffef49449302cba0f659ae6221150e3cfa163
- SHA256: a84ea5c3902e7e6d2d4ace96b238e43d79054295b18426a73bfb9f5877f532ca
- SHA512: f46bd8231342a6ee2ed0709f6d08d00f6dd92e130214b2f7fcbfcbe9d1acb92709d96a199284f634826e3d65b4c4b29b6d3290b42cfc20cd06d2f91c9e5ed509
- SSDEEP: 6144:QAeZHGAD/E/iG5UzMh2msfgB9mnkDO9L:zeYA4/icSRmagmn4O9
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 3495735yi.zapto.org:1604, 127.0.0.1:1604
- Mutex: f2e2838b-8e37-4b10-9388-ba08fbe83deb

Attributes
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-05-12T12:39:20.884264436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1604
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f2e2838b-8e37-4b10-9388-ba08fbe83deb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 3495735yi.zapto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe, myttxns.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (myttxns.exe)
- Executes dropped EXE (1 IoC)
  Processes: myttxns.exe
  pid 2072 myttxns.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegAsm.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" (RegAsm.exe)
- Checks whether UAC is enabled
  Processes: RegAsm.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: myttxns.exe
  PID 2072 set thread context of 1920 (myttxns.exe -> RegAsm.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: RegAsm.exe
  File created: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (RegAsm.exe)
  File opened for modification: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: RegAsm.exe, myttxns.exe
  pid 1920 RegAsm.exe (3 entries)
  pid 2072 myttxns.exe (repeated for the remaining entries; 64 IoCs in total)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegAsm.exe
  pid 1920 RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RegAsm.exe, myttxns.exe
  Token: SeDebugPrivilege, pid 1920 RegAsm.exe
  Token: SeDebugPrivilege, pid 2072 myttxns.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe, myttxns.exe, cmd.exe
  PID 3652 wrote to memory of 2072 (450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe -> myttxns.exe), 3 entries
  PID 2072 wrote to memory of 716 (myttxns.exe -> cmd.exe), 3 entries
  PID 716 wrote to memory of 4084 (cmd.exe -> reg.exe), 3 entries
  PID 2072 wrote to memory of 1920 (myttxns.exe -> RegAsm.exe), 8 entries
  PID 2072 wrote to memory of 3728 (myttxns.exe -> msbuild.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" -n
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" /f
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe
  Filesize: 260KB
  MD5: 450d8c68e01b7c086e5d195a594a5ad4
  SHA1: 06fffef49449302cba0f659ae6221150e3cfa163
  SHA256: a84ea5c3902e7e6d2d4ace96b238e43d79054295b18426a73bfb9f5877f532ca
  SHA512: f46bd8231342a6ee2ed0709f6d08d00f6dd92e130214b2f7fcbfcbe9d1acb92709d96a199284f634826e3d65b4c4b29b6d3290b42cfc20cd06d2f91c9e5ed509
- memory/1920-20-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2072-18-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB
- memory/2072-19-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB
- memory/2072-23-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB
- memory/3652-0-0x0000000075582000-0x0000000075583000-memory.dmp
  Filesize: 4KB
- memory/3652-1-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB
- memory/3652-2-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB
- memory/3652-17-0x0000000075580000-0x0000000075B31000-memory.dmp
  Filesize: 5.7MB