Analysis
-
max time kernel
147s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
01-06-2024 00:54
Static task
static1
Behavioral task
behavioral1
Sample
88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
-
Size
521KB
-
MD5
88e8376d99faf50c91286483a9f1b2e7
-
SHA1
f8d2458a28a1f140a67c3356364afe0e11ea4ec7
-
SHA256
5aa96db9610bf092123d6109c3b45576d2ac29f188c2fbce2c1182bc10aeb8f7
-
SHA512
56299a358bb1463cc5b76bcd9754c551802254a3a0a71c858437cc2f77256f5f539df3a790f14d5902b12452c9f6a8d4c0817a1d5d7934be2e5285e48c1e1bc8
-
SSDEEP
12288:lUomEFRu3xEPE2oR9hGVwB7kHfs3jRC6a+1shKcDB:jmOMSPE2oR9EVEEfs3g2pAB
Malware Config
Extracted
nanocore
1.2.2.0
193.37.214.68:5554
127.0.0.1:5554
4ef9cbf2-f0d5-470f-8590-beb08580a43c
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-09-01T05:35:18.086296436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5554
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
4ef9cbf2-f0d5-470f-8590-beb08580a43c
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
193.37.214.68
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
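Not every value in the extracted config above is an indicator. The backup connection host is 127.0.0.1, a builder placeholder, and the two DNS server fields are only consulted when use_custom_dns_server is true (it is false here), so 8.8.8.8 and 8.8.4.4 must not end up on a blocklist. What follows is an added example, not part of the sandbox report or of any tooling it uses: a small Python routine that takes the page's NanoCore settings and reduces them to the indicators a defender can act on. The dictionary is constructed from the values on this page; the function names and the placeholder rules are my own choices.

```python
import ipaddress

# Constructed input: the extracted NanoCore settings listed on this page,
# reduced to the fields the functions below look at.
NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "193.37.214.68",
    "backup_connection_host": "127.0.0.1",
    "connection_port": 5554,
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "mutex": "4ef9cbf2-f0d5-470f-8590-beb08580a43c",
    "run_on_startup": False,
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
}


def is_placeholder_host(host):
    """Loopback, unspecified, private and link-local addresses in a C2 slot are
    builder defaults or operator placeholders, not infrastructure worth blocking.
    Hostnames are kept; they need resolving with a separate, logged lookup."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal, so treat it as a hostname
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local


def c2_endpoints(cfg):
    """Routable (host, port) pairs from the primary and backup connection hosts."""
    port = int(cfg["connection_port"])
    endpoints = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = str(cfg.get(key, "")).strip()
        if host and not is_placeholder_host(host) and (host, port) not in endpoints:
            endpoints.append((host, port))
    return endpoints


def dns_indicators(cfg):
    """The DNS server fields are only used when use_custom_dns_server is set.
    With it false, as in this sample, 8.8.8.8 / 8.8.4.4 are inert defaults and
    blocking them would only break name resolution for legitimate hosts."""
    if not cfg.get("use_custom_dns_server"):
        return []
    return [cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)]


def host_indicators(cfg):
    """Endpoint-side artefacts: the mutex name (it matches the GUID in the config
    header) and the flags that tell a responder what to expect on the host."""
    return {
        "mutex": cfg["mutex"],
        "expects_elevation": bool(cfg.get("bypass_user_account_control")
                                  or cfg.get("request_elevation")),
        "critical_process": bool(cfg.get("set_critical_process")),
    }


def indicators(cfg):
    """Everything a blocklist, a hunt query and a responder brief need, in one dict."""
    return {
        "network": c2_endpoints(cfg),
        "dns": dns_indicators(cfg),
        "host": host_indicators(cfg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(indicators(NANOCORE_CONFIG), indent=2))
```

The critical_process flag deserves attention during response: a process that has marked itself critical commonly takes the system down with a bugcheck when it is killed, so suspend it and capture memory before terminating it rather than ending it from a task manager.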
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2632  Puyhrd.exe
1192  Puyhrd.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
3048  88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
3048  88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
3048  88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
3048  88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe
2632  Puyhrd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Puyhrd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe"
-
Checks whether UAC is enabled 1 IoCs
Processes:
Puyhrd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 2632 (Puyhrd.exe) set thread context of PID 1192 (Puyhrd.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
Puyhrd.exe: File created C:\Program Files (x86)\TCP Service\tcpsv.exe
Puyhrd.exe: File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1192  Puyhrd.exe
1192  Puyhrd.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1192  Puyhrd.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Puyhrd.exe (PID 2632): Token: SeDebugPrivilege
Puyhrd.exe (PID 1192): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
PID 3048 (88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe) wrote to memory of PID 2632 (Puyhrd.exe): 7 IoCs
PID 2632 (Puyhrd.exe) wrote to memory of PID 1192 (Puyhrd.exe): 12 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe (PID 3048)
   Command line: "C:\Users\Admin\AppData\Local\Temp\88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puyhrd.exe (PID 2632, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puyhrd.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puyhrd.exe (PID 1192, child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Puyhrd.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
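The Signatures and Processes sections above describe a three-stage chain: a WinRAR self-extracting archive (the RarSFX0 extraction directory) starts Puyhrd.exe (PID 2632), which writes into a second copy of itself (PID 1192) and then resets that copy's thread context, the classic process-hollowing sequence; the hollowed instance goes on to write a Run key pointing at a dropped binary under C:\Program Files (x86)\TCP Service and reads EnableLUA before trying to elevate. The following is an added example, not part of the sandbox report or of its tooling: a Python parser for the report's own signature-line format that applies two rules to those lines, "write followed by SetThreadContext on the same child" for hollowing and "Run key whose target is a different binary from the writer" for staged persistence. The sample lines are copied from this page; the event schema and function names are my own.

```python
import re

# Constructed sample input: lines in the shape of the sandbox "Signatures"
# entries on this page (PIDs and image names taken from the report).
SAMPLE_EVENTS = [
    "PID 3048 wrote to memory of 2632 3048 88e8376d99faf50c91286483a9f1b2e7_JaffaCakes118.exe Puyhrd.exe",
    "PID 2632 wrote to memory of 1192 2632 Puyhrd.exe Puyhrd.exe",
    "PID 2632 set thread context of 1192 2632 Puyhrd.exe Puyhrd.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" Puyhrd.exe',
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Puyhrd.exe",
]

# Line shapes as they appear in the report: "PID <src> <verb> <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
RUN_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\.+?\\CurrentVersion\\Run\\(.+?)) = "(.*)" (\S+)$')
LUA_RE = re.compile(r"^Key value queried (\\REGISTRY\\.+?\\Policies\\System\\EnableLUA) (\S+)$")


def parse_events(lines):
    """Turn report-style signature lines into typed event dicts; unknown lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if m := WRITE_RE.match(line):
            events.append({"kind": "write", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := CTX_RE.match(line):
            events.append({"kind": "setctx", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := RUN_RE.match(line):
            # the report doubles backslashes inside the quoted value data
            events.append({"kind": "runkey", "key": m[1], "name": m[2],
                           "data": m[3].replace("\\\\", "\\"), "process": m[4]})
        elif m := LUA_RE.match(line):
            events.append({"kind": "uac_check", "key": m[1], "process": m[2]})
    return events


def find_hollowing(events):
    """A parent writing into a freshly created child is routine (CreateProcess does it,
    which is why 3048 -> 2632 shows up too); the discriminator is a SetThreadContext
    on the same child after the write."""
    writes = {(e["src"], e["dst"]) for e in events if e["kind"] == "write"}
    hits = []
    for e in events:
        if e["kind"] == "setctx" and (e["src"], e["dst"]) in writes:
            hits.append({"parent": e["src"], "child": e["dst"], "image": e["dst_image"],
                         "same_image": e["src_image"] == e["dst_image"]})
    return hits


def find_persistence(events):
    """Run-key writes; mark those whose target is not the writing process itself
    (a dropped second stage, as with tcpsv.exe here) and whether the key sits
    under Wow6432Node, i.e. was written by a 32-bit process on 64-bit Windows."""
    hits = []
    for e in events:
        if e["kind"] != "runkey":
            continue
        target = e["data"].strip('"')
        basename = target.rsplit("\\", 1)[-1].lower()
        hits.append({"value_name": e["name"], "target": target, "writer": e["process"],
                     "writer_differs": basename != e["process"].lower(),
                     "wow6432": "\\Wow6432Node\\" in e["key"]})
    return hits


def analyse(lines):
    """Run both rules plus the UAC-check collector over a batch of report lines."""
    events = parse_events(lines)
    return {"hollowing": find_hollowing(events),
            "persistence": find_persistence(events),
            "uac_checks": sorted({e["process"] for e in events if e["kind"] == "uac_check"})}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

The same_image field is worth keeping separate from the hollowing verdict: self-hollowing (Puyhrd.exe into Puyhrd.exe, as here) and hollowing a benign host such as a .NET runtime binary are both common, and a rule that required the images to differ would miss this sample.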
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Flmigrmkwhrrxoeoa.png
Filesize 25KB
MD5 a336ccdac2e13bc7a70ac5e78dc307a2
SHA1 8ef0c014c2a66df8a63c5892ace855e319e92d46
SHA256 32408cc3ec9d6e7e1e35e24d50250873c8bbb935dbca6fbcc5ab6abc27ce34fe
SHA512 29c30bedeb8e59a461da301393432b3969f84786d8779ee602999a6e4befa7a4c4616369eba6bd85f043f112ac7ce2b9601b89b54a8baf9c61eac67e3ae23a40
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M2
Filesize 38B
MD5 51f7a79c17515b34128bbc32a8d9d3ba
SHA1 782de841a02a53385851012252c3b4818c6788af
SHA256 fdd6087d9e0d11c44c4a90e52a19ac2de60e99bf2d6cfc5df2e745dddf38c2e2
SHA512 20b5eca2cc4b63a0679552e3668913f454d3a2d19ec03808a19680010ed785cfc74080f38f7ff73db58aa9d874d53af8eadcdcdc1e30682e37a9195f31c24e46
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Vamvenagxeh.xml
Filesize 202KB
MD5 ae56c12f65fece0a9f01a01d94cce257
SHA1 a43ad32e71d4fade9738fd3fbcb277654239579b
SHA256 82fba9b26434effda42f537ef323969a77d201192c351c854713f713b9acb578
SHA512 0dc3764a78e7c5fee82a4f00c68b9a23a43e6dc37fb23aed8cbe7c31a5596cd404254b43d17c1783e4e788695cfc00179dab3a7b189c396685ff5a0a0c71ae53
-
\Users\Admin\AppData\Local\Temp\RarSFX0\Puyhrd.exe
Filesize 115KB
MD5 a850751537b88c9144e226f7cbb7de14
SHA1 b1999b22d42d5486fd0db1b5d3243fd328239cd4
SHA256 e5ab5f6432457ca797e43ce2e1edc280520ef3fe45e2ae477fbe2a5c418bd018
SHA512 d029da5f527109d19631790c025a618dbbfa9a3b9edddd4c018e6ea2b99c7206fee3552554d5991e2e2ad4bcf645d2895e20235d04666cff31d52c40052b95a0
-
memory/1192-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1192-44-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-42-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-39-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-36-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-34-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-33-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/1192-31-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/2632-22-0x0000000074951000-0x0000000074952000-memory.dmp
Filesize 4KB
-
memory/2632-27-0x0000000074950000-0x0000000074EFB000-memory.dmp
Filesize 5.7MB
-
memory/2632-28-0x0000000074950000-0x0000000074EFB000-memory.dmp
Filesize 5.7MB
-
memory/2632-23-0x0000000074950000-0x0000000074EFB000-memory.dmp
Filesize 5.7MB
-
memory/2632-24-0x0000000074950000-0x0000000074EFB000-memory.dmp
Filesize 5.7MB