Malware Analysis Report

2024-08-06 15:21

Sample ID 240522-vmwz2ahh92
Target 67fac5f141a21e0f67be9e468301905c_JaffaCakes118
SHA256 12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3

Threat Level: Known bad

The file 67fac5f141a21e0f67be9e468301905c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-22 17:06

Signatures

Nanocore family

nanocore

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 17:06

Reported

2024-05-22 17:09

Platform

win7-20240215-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B01.tmp"

Network

Country | Destination | Domain | Proto
PL | 79.175.228.187:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp

Files

memory/2836-0-0x0000000074C41000-0x0000000074C42000-memory.dmp

memory/2836-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2836-2-0x0000000074C40000-0x00000000751EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp

MD5 122269ebd6e3e3a368d7b8cb32b30cbf
SHA1 b458e79d8e4b3a4b71f112ca33a5c79773d507a1
SHA256 f235eaaa22b4f1730f3896dcf57720634f5286347dd425e587b03504bb929311
SHA512 204799bd93330a3665da2ea9eeb78b8272c075f3e738cec42657f06562de3b86de207e833ba66e0cda017df2342570c21857429a23b7d236fb980972f249b9aa

C:\Users\Admin\AppData\Local\Temp\tmp1B01.tmp

MD5 8e2d5fba24ae8a54087d8e6cadc188c1
SHA1 548555025543b4773b8f36301f5fa5003e1c85dc
SHA256 f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759
SHA512 9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d

memory/2836-10-0x0000000074C40000-0x00000000751EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 17:06

Reported

2024-05-22 17:09

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\67fac5f141a21e0f67be9e468301905c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4517.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4586.tmp"

Network

Country | Destination | Domain | Proto
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
NL | 23.62.61.155:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
PL | 79.175.228.187:54984 | N/A | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
N/A | 127.0.0.1:54984 | N/A | tcp
PL | 79.175.228.187:54984 | N/A | tcp

Files

memory/3044-0-0x0000000074862000-0x0000000074863000-memory.dmp

memory/3044-1-0x0000000074860000-0x0000000074E11000-memory.dmp

memory/3044-2-0x0000000074860000-0x0000000074E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4517.tmp

MD5 122269ebd6e3e3a368d7b8cb32b30cbf
SHA1 b458e79d8e4b3a4b71f112ca33a5c79773d507a1
SHA256 f235eaaa22b4f1730f3896dcf57720634f5286347dd425e587b03504bb929311
SHA512 204799bd93330a3665da2ea9eeb78b8272c075f3e738cec42657f06562de3b86de207e833ba66e0cda017df2342570c21857429a23b7d236fb980972f249b9aa

C:\Users\Admin\AppData\Local\Temp\tmp4586.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/3044-10-0x0000000074860000-0x0000000074E11000-memory.dmp

memory/3044-11-0x0000000074862000-0x0000000074863000-memory.dmp

memory/3044-12-0x0000000074860000-0x0000000074E11000-memory.dmp

memory/3044-13-0x0000000074860000-0x0000000074E11000-memory.dmp