Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 14:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
- Size: 253KB
- MD5: 5fa949797f79334bc295b2283eeb8b49
- SHA1: 7d69f9b7592a7d2eaa2cdc401395c531584475a6
- SHA256: e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b
- SHA512: b2c84ad267d4a79c89bcb964a536cfdaaa28a330e7081886b614fcb46435c6e0d80c375e642b99a6f109b996d2c5cd32ae0c883deb354ab01e6108416ba393c9
- SSDEEP: 6144:nRGbbX5mmy3ZaHW55AfXYxVchNwVjLlQYGTY/Fsly:nRoppE0HqCoUhNq3tG8
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: nanaaugust.ddns.net:8017, 91.192.100.26:8017
- Mutex: 12235a0e-0990-4e90-8b5e-9870996c239d
Attributes:
- activate_away_mode: true
- backup_connection_host: 91.192.100.26
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-06-08T09:56:02.791261936Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not present on the page)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8017
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 12235a0e-0990-4e90-8b5e-9870996c239d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: nanaaugust.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1968, process svhost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"; process: svhost.exe
- Checks whether UAC is enabled
  Processes:
    description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
    description: File created; ioc: C:\Windows\assembly\Desktop.ini; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
    description: File opened for modification; ioc: C:\Windows\assembly\Desktop.ini; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 208 set thread context of 1968; pid: 208; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe; target process: svhost.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created; ioc: C:\Program Files (x86)\DPI Subsystem\dpiss.exe; process: svhost.exe
    description: File opened for modification; ioc: C:\Program Files (x86)\DPI Subsystem\dpiss.exe; process: svhost.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    description: File opened for modification; ioc: C:\Windows\assembly; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
    description: File created; ioc: C:\Windows\assembly\Desktop.ini; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
    description: File opened for modification; ioc: C:\Windows\assembly\Desktop.ini; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid 3004, process schtasks.exe
    pid 3084, process schtasks.exe
- NTFS ADS (1 IoCs)
  Processes:
    description: File created; ioc: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier; process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid 208, process 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe (2 events)
    pid 1968, process svhost.exe (3 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 1968, process svhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid: 208; process: 5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
    description: Token: SeDebugPrivilege; pid: 1968; process: svhost.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source PID wrote to memory of target PID, source process -> target process, event count):
    PID 208 wrote to memory of 4768 (5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe -> cmd.exe), 3 events
    PID 4768 wrote to memory of 2068 (cmd.exe -> reg.exe), 3 events
    PID 208 wrote to memory of 1968 (5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe -> svhost.exe), 8 events
    PID 1968 wrote to memory of 3004 (svhost.exe -> schtasks.exe), 3 events
    PID 1968 wrote to memory of 3084 (svhost.exe -> schtasks.exe), 3 events
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fa949797f79334bc295b2283eeb8b49_JaffaCakes118.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      - NTFS ADS
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp"
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"
          - Creates scheduled task(s)
Downloads (files written during the run)
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe (same hashes as the submitted sample, i.e. a copy of itself)
  Filesize: 253KB
  MD5: 5fa949797f79334bc295b2283eeb8b49
  SHA1: 7d69f9b7592a7d2eaa2cdc401395c531584475a6
  SHA256: e4d47d83fb4fbdff2fcbd92cb545e52b8ab90f0b7e3a97cc922484ff99151c2b
  SHA512: b2c84ad267d4a79c89bcb964a536cfdaaa28a330e7081886b614fcb46435c6e0d80c375e642b99a6f109b996d2c5cd32ae0c883deb354ab01e6108416ba393c9
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp (scheduled task XML for "DPI Subsystem")
  Filesize: 1KB
  MD5: 24de2170a8dce23ab327cf07c00cd17e
  SHA1: c759a98d8447e9674d0707da64cd97204720c0ae
  SHA256: fa98fbb5ddd9fcbcdc76196d8dc524602815d90d244eb43f7f983a829b7d3b3d
  SHA512: 83ea8711513efbd1a4045b27fcd916cab7c9b6ab3e519500db114287b8a42103f44142e1c350f1f7a0bb76d291bfc838834d423338a23a30ff2f15066ff87d2b
- C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp (scheduled task XML for "DPI Subsystem Task")
  Filesize: 1KB
  MD5: 5fea24e883e06e4df6d240dc72abf2c5
  SHA1: d778bf0f436141e02df4b421e8188abdcc9a84a4
  SHA256: e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
  SHA512: 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924
Memory dumps (file, filesize)
- memory/208-2-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/208-1-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/208-0-0x0000000075032000-0x0000000075033000-memory.dmp: 4KB
- memory/208-27-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-12-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
- memory/1968-15-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-16-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-17-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-25-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-28-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB
- memory/1968-29-0x0000000075030000-0x00000000755E1000-memory.dmp: 5.7MB