Overview

overview

10

Static

static

3

6ad45efb4c...18.exe

windows7-x64

10

6ad45efb4c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe

  • Size

    633KB

  • MD5

    6ad45efb4c6a213a85fe847dc228fcbe

  • SHA1

    a2b482b6a9a95efdf086fd6e7604c119a6ab8285

  • SHA256

    1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd

  • SHA512

    ead0663183c0f63cd575bf413543a875be942e1f6316c4216dd91f33ec87dd0627e2a9c31c148dfe7b618f963c64e793ad01803ae7fe7fa82b84eaec656a3791

  • SSDEEP

    12288:SEcVL8O4jrAioZX+t4O8vjNUu5JxjV653TxaOW4YizV58+u3GGUqXUQwQ3IQPH:KLlgAiobvZUqJxRmDxDbYEo3DXUxQYyH

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
          4⤵
            PID:380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
          teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1736

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6206.tmp\6207.tmp\6208.bat
      Filesize

      130B

      MD5

      78cf128c2c0b024aa9075d038f32c0f9

      SHA1

      ea941836117cb9f6d87a010806bbd5df58bd938a

      SHA256

      bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e

      SHA512

      d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
      Filesize

      29B

      MD5

      7b3bcb606d504b0f4a6c1d94720aa979

      SHA1

      2e426175d2bc245d3946e2ba06092b8b969f13c1

      SHA256

      3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929

      SHA512

      5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
      Filesize

      420KB

      MD5

      cb80b60fe4975dbbbb97bfd2de56bb1e

      SHA1

      b4c05c7999a3f3c12e6275b22a553401ac06caeb

      SHA256

      3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df

      SHA512

      80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
      Filesize

      121KB

      MD5

      b4f5373a0c13a6b4598c8ed404a6bdae

      SHA1

      4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9

      SHA256

      5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061

      SHA512

      29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
      Filesize

      203KB

      MD5

      a2d1b1113d184205eed4835bf0cb06c6

      SHA1

      1b5775e187665f7c9131aee29c0daa4c3de43eb7

      SHA256

      fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01

      SHA512

      182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4

      Download Submit