Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 15:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe
- Size: 906KB
- MD5: 63b7c9c97cb399ef233ce10e83b65663
- SHA1: 85e539468312c87fc6daed7164f246e5fa638f20
- SHA256: feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0
- SHA512: 137d2579c257ee22e7416fad42dcbb2e24c20a6a2ea9079a58bf7f8d30ab6203837646e74b24142bf015f806f26de5522edb40255fd4b479f9ba6e8b9dcd7fa2
- SSDEEP: 24576:f2O/GlPO2+Bl8CXU+b+lwmxhKbH3w1GthA0E:Bz8t+alwmxUT3zg0E
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: leosmart.zapto.org:3365, 212.7.218.52:3365
- Mutex: 5eddd847-a776-47e0-824c-cf94d3e848d6

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 212.7.218.52
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-12-05T04:53:06.594023236Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3365
- default_group: cash out
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5eddd847-a776-47e0-824c-cf94d3e848d6
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: leosmart.zapto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  Processes: epr.exe, epr.exe
  pid | process
  4280 | epr.exe
  4584 | epr.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: epr.exe, RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\goals = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\epr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\CRI_BM~1" | epr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" | RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: epr.exe
  description | pid | process | target process
  PID 4584 set thread context of 5116 | 4584 | epr.exe | RegSvcs.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File created | C:\Program Files (x86)\DPI Service\dpisvc.exe | RegSvcs.exe
  File opened for modification | C:\Program Files (x86)\DPI Service\dpisvc.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: epr.exe, RegSvcs.exe
  pid | process
  4280 | epr.exe
  4280 | epr.exe
  5116 | RegSvcs.exe
  5116 | RegSvcs.exe
  5116 | RegSvcs.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  5116 | RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 5116 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe, epr.exe, epr.exe
  description | pid | process | target process
  PID 1620 wrote to memory of 4280 | 1620 | 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe | epr.exe
  PID 1620 wrote to memory of 4280 | 1620 | 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe | epr.exe
  PID 1620 wrote to memory of 4280 | 1620 | 63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe | epr.exe
  PID 4280 wrote to memory of 4584 | 4280 | epr.exe | epr.exe
  PID 4280 wrote to memory of 4584 | 4280 | epr.exe | epr.exe
  PID 4280 wrote to memory of 4584 | 4280 | epr.exe | epr.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
  PID 4584 wrote to memory of 5116 | 4584 | epr.exe | RegSvcs.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - Depth 2: C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - Depth 3: C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\ESTNQ
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\40633691\ESTNQ
  Filesize: 86KB
  MD5: 458a1b6d11ccc54ff99f06fafbcc4f15
  SHA1: a52b6d318b797b3dbece1ba5c0fb87f212de81f7
  SHA256: 433a04b587e62bd4baf7192d783bc4fdea4ce2ebb1a951332e03f32e46463f61
  SHA512: f7d73f100ee0b5f9e79f7fb119e1b0123b65a3d1d6ec8c7bec487f6b7027cb51a8a1262bf838dc97c0a0a39dfbef9a25dd1cdcb6d192cafe73d333e43cd3d879

- C:\Users\Admin\AppData\Local\Temp\40633691\cri=bmv
  Filesize: 183KB
  MD5: ca49d5e6c03a09032728e91d192b9905
  SHA1: ebbc137ac900d5e8fea261606024f35078ab2a21
  SHA256: f3d52b4c5fbcc79cdb3a249401cf5413df1e4d24656a5767e22380a0d1bbdc8d
  SHA512: 4fbdef69b005276cb7e0129d6571d40a27dbcfd47c40c1d77c62a81c3694f341094188f94382087875a4032d11382aeb6b714e2bca9f3640d66c3ab52c84ac0c

- C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- C:\Users\Admin\AppData\Local\Temp\40633691\ipg.icm
  Filesize: 64B
  MD5: 7a80edf15dc0a33c0019c9b37d38bc1c
  SHA1: b27c1be7d270b7478a1d7781bf1bef2bb7dd3893
  SHA256: db50b5f644811c57f4591bffb64d6aad80e48547318dc6a0831872e9c28f26e9
  SHA512: e6f39ed9885e781ebffd67f9589add54747e632320aa6997256b3e7c827b8e41e37e27c6de697f082feb5a76d2cd972dc4f981cc886080d435af04edd89a77e6

- C:\Users\Admin\AppData\Local\Temp\40633691\wcn.ico
  Filesize: 399B
  MD5: c91231980cac0c054acb16d337e660f6
  SHA1: a26bd4f0b3ba8b212c59b77b38e0a1105875071c
  SHA256: 262e13318a1fe6de6fcabc2240323a50680164f0b4d553210542744c6f46330d
  SHA512: 2f9c65ee51e859580d9ba51c5d6d2c3fcd69004ff029a28858d2fc33049964308ea6f255e56d6329cfd5e6f15d3f76d5b12cec6c4c73463c947bcf0faa822071

- C:\Users\Admin\AppData\Local\Temp\40633691\wdv.ppt
  Filesize: 635KB
  MD5: d271c6cc1e107d4812b14b6aca3e8af4
  SHA1: 4f829384cf691c8a257936ca1858a9607ce71fbf
  SHA256: f9c07a3bf95df9704c38fa941894fc3b0c5b79d862afb47a6b92ef0b3a5ad462
  SHA512: 4925016c1c937a1a2e60fa5db9a976f91e099e4d65f1bc5dc3c8894474c0f0d7ef464016b403d4ecfeca506de4abff7a74de4ef29d3f32f89e134d178ef16753

- memory/5116-121-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/5116-122-0x0000000005520000-0x0000000005AC4000-memory.dmp
  Filesize: 5.6MB

- memory/5116-123-0x0000000005090000-0x0000000005122000-memory.dmp
  Filesize: 584KB

- memory/5116-124-0x00000000051D0000-0x000000000526C000-memory.dmp
  Filesize: 624KB

- memory/5116-125-0x0000000005140000-0x000000000514A000-memory.dmp
  Filesize: 40KB

- memory/5116-128-0x0000000005360000-0x000000000536A000-memory.dmp
  Filesize: 40KB

- memory/5116-129-0x0000000005500000-0x000000000551E000-memory.dmp
  Filesize: 120KB

- memory/5116-130-0x0000000006060000-0x000000000606A000-memory.dmp
  Filesize: 40KB