nanocore | a072e83a9303a4011ae8ec7db630c3523cf1bec5dfa89dffac3c7d035487e879

General

Target

698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
Size

2.5MB
MD5

698576b6a938a5520eae41be49540f41
SHA1

ce10a0371196269b9917b8c2fac19a5bbc84a919
SHA256

a072e83a9303a4011ae8ec7db630c3523cf1bec5dfa89dffac3c7d035487e879
SHA512

823170f85924818f99c25711e69e91cedbe2ec609df3221e6505efd1922e10d31ea61679836038466ffa9683acbe91f117eb984b18a4df80be30f945af718cca
SSDEEP

24576:lCdxte/80jYLT3U1jfsWav8Cdxte/80jYLT3U1jfsWaawXa+5mYk6sPcQ05VvOEU:sw80cTsjkWav9w80cTsjkWaa1fTF7

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.125.205.93:9003

Mutex

f8886077-ec1e-423d-8a56-8a7e0476eccf

Attributes

activate_away_mode
true
backup_connection_host
185.125.205.93
backup_dns_server
185.125.205.93
buffer_size
65535
build_time
2018-06-23T08:47:17.286273736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9003
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f8886077-ec1e-423d-8a56-8a7e0476eccf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
185.125.205.93
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server_Protected.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" server_Protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

Executes dropped EXE 57 IoCs

Processes:

server_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exe

pid	process
2228	server_Protected.exe
2392	server_Protected.exe
3044	server_Protected.exe
2644	server_Protected.exe
2812	server_Protected.exe
2556	server_Protected.exe
2408	server_Protected.exe
2508	server_Protected.exe
2620	server_Protected.exe
2696	server_Protected.exe
2768	server_Protected.exe
612	server_Protected.exe
336	server_Protected.exe
1912	server_Protected.exe
1968	server_Protected.exe
1204	server_Protected.exe
1708	server_Protected.exe
688	server_Protected.exe
652	server_Protected.exe
1552	server_Protected.exe
1168	server_Protected.exe
2932	server_Protected.exe
1196	server_Protected.exe
2836	server_Protected.exe
2952	server_Protected.exe
2888	server_Protected.exe
1780	server_Protected.exe
912	server_Protected.exe
2216	server_Protected.exe
2344	server_Protected.exe
2576	server_Protected.exe
1580	server_Protected.exe
980	server_Protected.exe
1284	server_Protected.exe
1004	server_Protected.exe
988	server_Protected.exe
884	server_Protected.exe
1036	server_Protected.exe
1156	server_Protected.exe
2184	server_Protected.exe
1648	server_Protected.exe
1644	server_Protected.exe
2044	server_Protected.exe
1432	server_Protected.exe
1916	server_Protected.exe
2032	server_Protected.exe
1496	server_Protected.exe
1840	server_Protected.exe
3068	server_Protected.exe
2492	server_Protected.exe
2660	server_Protected.exe
2996	server_Protected.exe
2860	server_Protected.exe
2724	server_Protected.exe
2672	server_Protected.exe
2224	server_Protected.exe
3044	server_Protected.exe

Loads dropped DLL 60 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeserver_Protected.exe

pid	process
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" server_Protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

server_Protected.exeRegAsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\server_Protected.exe	autoit_exe

Suspicious use of SetThreadContext 52 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeserver_Protected.exe

description	pid	process	target process
PID 2156 set thread context of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2228 set thread context of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2696	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2768	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 612	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 336	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1912	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1968	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1204	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1708	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 688	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 652	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1552	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1168	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2932	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1196	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2836	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2952	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2888	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1780	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 912	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2216	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2344	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2576	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1580	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 980	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1284	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1004	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 988	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 884	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1036	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1156	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2184	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1648	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1644	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2044	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1432	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1916	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2032	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1496	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 1840	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 3068	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2492	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2660	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2996	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2860	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2724	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2672	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 2224	2556	server_Protected.exe	server_Protected.exe
PID 2556 set thread context of 3044	2556	server_Protected.exe	server_Protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3024 schtasks.exe

pid	process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

server_Protected.exeRegAsm.exe

pid	process
2556	server_Protected.exe
2676	RegAsm.exe
2676	RegAsm.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeRegAsm.exe

pid process

2156 698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2228 server_Protected.exe
2676 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2676 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

server_Protected.exe

pid process

2556 server_Protected.exe

description	pid	process
Token: SeDebugPrivilege	2676	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeserver_Protected.exeRegAsm.exe

description	pid	process	target process
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	server_Protected.exe
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	schtasks.exe
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	schtasks.exe
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	schtasks.exe
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	schtasks.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	server_Protected.exe
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	server_Protected.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server_Protected.exe

C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:2392

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:2408

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2556

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2508

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2620

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:612

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:336

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1204

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:688

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:652

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2932

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1196

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2952

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2216

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:980

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:988

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2860

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:2224

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp"
3⤵
- Creates scheduled task(s)
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
\Users\Admin\AppData\Local\Temp\server_Protected.exe
Filesize
1.2MB

MD5
b70299fccc7ec757022252ebbea4ab11

SHA1
7faf5605c714c171d57d8db47d4ca9e395e9e74b

SHA256
89e25df3ff39f74d6192a02bd1138fc5ba805f85d92cb81d93eff6f238b84e96

SHA512
9f410227c3086c484054ab36e04d0be8fbb98b03ed7aab928c1e367a9371f3d5689e1ca1ed8eba93399077cd678d4bdc4ff6ba13f7f60c0c331112ce64b03663

Download Submit
memory/2156-16-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2556-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-45-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads