Malware Analysis Report

2024-08-06 15:25

Sample ID 240520-ed98asad35
Target 5d095efad8e6923a85087133b4f2927c_JaffaCakes118
SHA256 cda90ebe4da14000717f1d9443613f6bce07cd4deb04ecb5d95222d1e5d0ef68
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cda90ebe4da14000717f1d9443613f6bce07cd4deb04ecb5d95222d1e5d0ef68

Threat Level: Known bad

The file 5d095efad8e6923a85087133b4f2927c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-20 03:50

Signatures

Nanocore family

nanocore

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 03:50

Reported

2024-05-20 03:53

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8CEF.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp

Files

memory/2588-0-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

memory/2588-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

memory/2588-2-0x0000000074CF0000-0x00000000752A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8CA0.tmp

MD5 c1153900d39d480fd92db6fd11cc6b1a
SHA1 65f62cd69d09d210d126c0a3786d31b8ab23d318
SHA256 80c5c7f96ee46493f4e4427bb0bfe29be075a885bf3a7b2782f8621c5b638b26
SHA512 7cd09ddb2b23d51701949f425ab3c0d37b1e5ab9c1c003598a49e2da3d61096c179c943e6127767f93a56a353ba7b3741019a22b46808d8a0be5bea566d1c26f

C:\Users\Admin\AppData\Local\Temp\tmp8CEF.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/2588-10-0x0000000074CF0000-0x00000000752A1000-memory.dmp

memory/2588-11-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

memory/2588-12-0x0000000074CF0000-0x00000000752A1000-memory.dmp

memory/2588-13-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 03:50

Reported

2024-05-20 03:53

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d095efad8e6923a85087133b4f2927c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp391A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp39B7.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
N/A 127.0.0.1:5150 tcp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
US 8.8.8.8:53 cheatreet.ddns.net udp
US 8.8.4.4:53 cheatreet.ddns.net udp
N/A 127.0.0.1:5150 tcp

Files

memory/1224-0-0x0000000074961000-0x0000000074962000-memory.dmp

memory/1224-1-0x0000000074960000-0x0000000074F0B000-memory.dmp

memory/1224-2-0x0000000074960000-0x0000000074F0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp391A.tmp

MD5 c1153900d39d480fd92db6fd11cc6b1a
SHA1 65f62cd69d09d210d126c0a3786d31b8ab23d318
SHA256 80c5c7f96ee46493f4e4427bb0bfe29be075a885bf3a7b2782f8621c5b638b26
SHA512 7cd09ddb2b23d51701949f425ab3c0d37b1e5ab9c1c003598a49e2da3d61096c179c943e6127767f93a56a353ba7b3741019a22b46808d8a0be5bea566d1c26f

C:\Users\Admin\AppData\Local\Temp\tmp39B7.tmp

MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

memory/1224-10-0x0000000074960000-0x0000000074F0B000-memory.dmp