Overview

overview

10

Static

static

10

8b46dbe0dd...18.exe

windows7-x64

10

8b46dbe0dd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe

  • Size

    203KB

  • MD5

    8b46dbe0ddebd8aebd67fd1707cebf32

  • SHA1

    aa179b9584510b6484542fb5efd37d5256830b73

  • SHA256

    a97956dc4276f43c5648c1b5efd30fe2f12fc06ee2a384f53ef12f0fa574b999

  • SHA512

    d395e36771d94f7fcd6db7816b9ff5f67f87dbd0a86c2e38764850c34cb47f0549c1939305db43f5d4e74fd135af98db11da7c74d6957f9f9d72953ec17f35d9

  • SSDEEP

    6144:MLV6Bta6dtJmakIM5xPjoWNdOPgZpqS0F:MLV6BtpmkFEdOPQpm

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp22FB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp22FB.tmp
    Filesize

    1KB

    MD5

    e3cbf2189369486b4862d7c21001a20e

    SHA1

    a5f1f4706d844da8228bca741c105060b357f1ac

    SHA256

    d6b8c4719ee964917995e98984f9735b3c96edc7e12cbab6a78bc5374a6b7912

    SHA512

    272be4ef5b65c183d134c5970192922aaa805ccab0402a70a5a895a6e6aadd550fc40e64f16a6ad78d8b3985b4b084436f8a8641d58c9d3f9f131aed3c98df8a

    Download Submit
  • memory/2924-0-0x0000000074171000-0x0000000074172000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-1-0x0000000074170000-0x000000007471B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2924-2-0x0000000074170000-0x000000007471B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2924-7-0x0000000074170000-0x000000007471B000-memory.dmp
    Filesize

    5.7MB

    Download