Analysis Overview
SHA256
0a2e69cd10d7e9eda91c498e93c961216b327a159a509d447992e6dd91a99e79
Threat Level: Known bad
The file 5c2d7400b58b55608069873d3d5af238_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-20 00:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 00:04
Reported
2024-05-20 00:06
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2624 set thread context of 1148 | N/A | C:\Users\Public\mwr.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
| N/A | N/A | C:\Users\Public\mwr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5c2d7400b58b55608069873d3d5af238_JaffaCakes118.ps1
C:\Users\Public\mwr.exe
"C:\Users\Public\mwr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Public\mwr.exe" "C:\Users\Admin\AppData\Roaming\WebCache\AudioEng.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| KR | 160.202.163.245:482 | tcp |
Files
memory/2132-4-0x000007FEF592E000-0x000007FEF592F000-memory.dmp
memory/2132-6-0x00000000026E0000-0x00000000026E8000-memory.dmp
memory/2132-5-0x000000001B590000-0x000000001B872000-memory.dmp
memory/2132-7-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2132-9-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2132-8-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2132-10-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
memory/2132-11-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
C:\Users\Public\mwr.exe
| MD5 | cfe3e97746dd210830f57876ad71e566 |
| SHA1 | 8b3afdb5d5e75638d711274596f9c99e265dffec |
| SHA256 | 32ad676064d22ecf50d32820a7339f76d44cb34f136d748ee2c3d903a39bf054 |
| SHA512 | 57f74fb6f0bd476413b8328e16fd418e9a9978eb048a921fb12906599c82ee8d392659ca116c4063e01ed02e436f6d289be905468baf16259fa5b69fd235a6cd |
memory/2132-17-0x000007FEF5670000-0x000007FEF600D000-memory.dmp
C:\Users\Admin\AppData\Roaming\WebCache\AudioEng.exe
| MD5 | c87734546cd353214dd3c6d0761db2c3 |
| SHA1 | 0d35fe29767037ca732f903a539b2e133c04a013 |
| SHA256 | 5a8b4063ff67e4f30ad132212499558c9ecfe65e5c8daacb00759bef0a56bd4b |
| SHA512 | 4e62b148a7d84dfb23cc01e90ceebea64394dff5530cab5bf77546ca1eb6d6b28265cfac70073fa627cc492527fd7db22931f484f885d54c6f3f3cbf66fea48a |
memory/2624-21-0x0000000000AE0000-0x0000000000AE3000-memory.dmp
memory/1148-24-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-22-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-26-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 00:04
Reported
2024-05-20 00:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Public\bwfs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4440 set thread context of 3620 | N/A | C:\Users\Public\bwfs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
| N/A | N/A | C:\Users\Public\bwfs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5c2d7400b58b55608069873d3d5af238_JaffaCakes118.ps1
C:\Users\Public\bwfs.exe
"C:\Users\Public\bwfs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Public\bwfs.exe" "C:\Users\Admin\AppData\Roaming\WebCache\AudioEng.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.147.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | 25.69.169.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 160.202.163.245:482 | tcp | |
| KR | 160.202.163.245:482 | tcp | |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
| US | 8.8.8.8:53 | tomcoyne.duckdns.org | udp |
| US | 192.169.69.25:482 | tomcoyne.duckdns.org | tcp |
Files
memory/1504-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
memory/1504-2-0x000001807C9F0000-0x000001807CA12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05b5jum5.ah5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1504-11-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/1504-12-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
C:\Users\Public\bwfs.exe
| MD5 | cfe3e97746dd210830f57876ad71e566 |
| SHA1 | 8b3afdb5d5e75638d711274596f9c99e265dffec |
| SHA256 | 32ad676064d22ecf50d32820a7339f76d44cb34f136d748ee2c3d903a39bf054 |
| SHA512 | 57f74fb6f0bd476413b8328e16fd418e9a9978eb048a921fb12906599c82ee8d392659ca116c4063e01ed02e436f6d289be905468baf16259fa5b69fd235a6cd |
memory/1504-19-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/3620-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4440-24-0x00000000013C0000-0x00000000013C3000-memory.dmp
memory/3620-25-0x0000000001600000-0x0000000001610000-memory.dmp
memory/4440-27-0x00000000013C0000-0x00000000013C3000-memory.dmp
memory/3620-28-0x0000000001600000-0x0000000001610000-memory.dmp