Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
23-05-2024 11:43
Static task
static1
Behavioral task
behavioral1
Sample
6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
-
Size
633KB
-
MD5
6ad45efb4c6a213a85fe847dc228fcbe
-
SHA1
a2b482b6a9a95efdf086fd6e7604c119a6ab8285
-
SHA256
1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd
-
SHA512
ead0663183c0f63cd575bf413543a875be942e1f6316c4216dd91f33ec87dd0627e2a9c31c148dfe7b618f963c64e793ad01803ae7fe7fa82b84eaec656a3791
-
SSDEEP
12288:SEcVL8O4jrAioZX+t4O8vjNUu5JxjV653TxaOW4YizV58+u3GGUqXUQwQ3IQPH:KLlgAiobvZUqJxRmDxDbYEo3DXUxQYyH
Malware Config
Extracted
nanocore
1.2.2.0
newipset.hopto.org:4444
127.0.0.1:4444
4ef41814-b3a0-4694-8a10-f8f3ea935772
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-07-09T07:25:16.502613836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4444
-
default_group
Telescrapper
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (= 10485760)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (= 10485760)
-
mutex
4ef41814-b3a0-4694-8a10-f8f3ea935772
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
newipset.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Processes: telescrap.exe, teles.sfx.exe, teles.exe
pid / process:
2620 telescrap.exe
2764 teles.sfx.exe
2724 teles.exe
Loads dropped DLL 7 IoCs
Processes:
Processes: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe, cmd.exe, teles.sfx.exe
pid / process:
2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
1280 (no process name given in the report)
2776 cmd.exe
2764 teles.sfx.exe
2764 teles.sfx.exe
2764 teles.sfx.exe
2764 teles.sfx.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process: teles.exe
description / ioc / process:
Set value (str) — \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe" — teles.exe
Checks whether UAC is enabled
Processes:
Process: teles.exe
description / ioc / process:
Key value queried — \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA — teles.exe
Drops file in Program Files directory 2 IoCs
Processes:
Process: teles.exe
description / ioc / process:
File created — C:\Program Files (x86)\ISS Host\isshost.exe — teles.exe
File opened for modification — C:\Program Files (x86)\ISS Host\isshost.exe — teles.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Process: teles.exe
pid / process:
2724 teles.exe
2724 teles.exe
2724 teles.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Process: teles.exe
pid / process:
2724 teles.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Process: teles.exe
description / pid / process:
Token: SeDebugPrivilege — 2724 teles.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
Processes: 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe, telescrap.exe, cmd.exe, cmd.exe, teles.sfx.exe
description / pid / process / target process:
PID 2228 wrote to memory of 2620 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → telescrap.exe
PID 2228 wrote to memory of 2620 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → telescrap.exe
PID 2228 wrote to memory of 2620 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → telescrap.exe
PID 2228 wrote to memory of 2620 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → telescrap.exe
PID 2620 wrote to memory of 2564 — 2620 telescrap.exe → cmd.exe
PID 2620 wrote to memory of 2564 — 2620 telescrap.exe → cmd.exe
PID 2620 wrote to memory of 2564 — 2620 telescrap.exe → cmd.exe
PID 2564 wrote to memory of 2624 — 2564 cmd.exe → reg.exe
PID 2564 wrote to memory of 2624 — 2564 cmd.exe → reg.exe
PID 2564 wrote to memory of 2624 — 2564 cmd.exe → reg.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2228 wrote to memory of 2776 — 2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe → cmd.exe
PID 2776 wrote to memory of 2764 — 2776 cmd.exe → teles.sfx.exe
PID 2776 wrote to memory of 2764 — 2776 cmd.exe → teles.sfx.exe
PID 2776 wrote to memory of 2764 — 2776 cmd.exe → teles.sfx.exe
PID 2776 wrote to memory of 2764 — 2776 cmd.exe → teles.sfx.exe
PID 2764 wrote to memory of 2724 — 2764 teles.sfx.exe → teles.exe
PID 2764 wrote to memory of 2724 — 2764 teles.sfx.exe → teles.exe
PID 2764 wrote to memory of 2724 — 2764 teles.sfx.exe → teles.exe
PID 2764 wrote to memory of 2724 — 2764 teles.sfx.exe → teles.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"
(process tree level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
(process tree level 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
(process tree level 3)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
(process tree level 4)
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
(process tree level 2)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
Command line: teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp
(process tree level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"
(process tree level 4)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat
Filesize 130B
MD5 78cf128c2c0b024aa9075d038f32c0f9
SHA1 ea941836117cb9f6d87a010806bbd5df58bd938a
SHA256 bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e
SHA512 d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
Filesize 29B
MD5 7b3bcb606d504b0f4a6c1d94720aa979
SHA1 2e426175d2bc245d3946e2ba06092b8b969f13c1
SHA256 3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929
SHA512 5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
Filesize 420KB
MD5 cb80b60fe4975dbbbb97bfd2de56bb1e
SHA1 b4c05c7999a3f3c12e6275b22a553401ac06caeb
SHA256 3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df
SHA512 80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
Filesize 203KB
MD5 a2d1b1113d184205eed4835bf0cb06c6
SHA1 1b5775e187665f7c9131aee29c0daa4c3de43eb7
SHA256 fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01
SHA512 182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4
-
\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
Filesize 121KB
MD5 b4f5373a0c13a6b4598c8ed404a6bdae
SHA1 4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9
SHA256 5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061
SHA512 29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d