Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 05:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 8d049a60a5d45859ef538f4ffd8f5a63
- SHA1: 24e38f415f188dbcd8565eb2f2ea04cd5543e3bb
- SHA256: 2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e
- SHA512: 3023dfba4e816bb3fa2707db8f588b7e92d08f70d750234d5c719c9046f027ada5c94fa490b84911e874fc4061b60616c61281d7f2907ed76e716ac6cb891900
- SSDEEP: 49152:zNfdKKoEuMIc/D8MTfVr68c9hGo6v1EMc:zNfdKsnI4dPYn6v1E
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: gamercore.exilionps.com:5604, 127.0.0.1:5604
- Mutex: 436cdb80-4f2d-4ccc-b631-8fd76c11acd4

Configuration keys:
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2016-12-30T20:18:56.661488536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 3000
- connection_port: 5604
- default_group: RektEm
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 436cdb80-4f2d-4ccc-b631-8fd76c11acd4
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: gamercore.exilionps.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Disables RegEdit via registry modification 1 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | REG.exe |

Disables Task Manager via registry modification

Sets file execution options in registry 2 TTPs 2 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | securenet.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "svchost.exe" | securenet.exe |

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe |
Executes dropped EXE 2 IoCs
Processes:
| pid | process |
|---|---|
| 2328 | securenet.exe |
| 2128 | securenet.exe |

Checks whether UAC is enabled 1 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | securenet.exe |
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | securenet.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | securenet.exe |

Suspicious use of SetThreadContext 1 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 2328 set thread context of 2128 | 2328 | securenet.exe | securenet.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
| pid | process |
|---|---|
| 2812 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe (64 identical entries) |

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
| pid | process |
|---|---|
| 2128 | securenet.exe |

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
| pid | process |
|---|---|
| 2328 | securenet.exe |

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2812 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe |
| Token: SeDebugPrivilege | 2328 | securenet.exe |
| Token: SeDebugPrivilege | 2128 | securenet.exe |

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
| description | pid | process | target process | entries |
|---|---|---|---|---|
| PID 2812 wrote to memory of 4820 | 2812 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe | schtasks.exe | 3 |
| PID 2812 wrote to memory of 5032 | 2812 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe | schtasks.exe | 3 |
| PID 2812 wrote to memory of 184 | 2812 | 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe | cmd.exe | 3 |
| PID 184 wrote to memory of 2328 | 184 | cmd.exe | securenet.exe | 3 |
| PID 2328 wrote to memory of 2128 | 2328 | securenet.exe | securenet.exe | 4 |
| PID 2328 wrote to memory of 5076 | 2328 | securenet.exe | REG.exe | 3 |
| PID 2328 wrote to memory of 396 | 2328 | securenet.exe | REG.exe | 3 |
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /F
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /XML "C:\Users\Admin\AppData\Local\Temp\tmp956167654.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\securenet.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\securenet.exe
      Command line: C:\Users\Admin\AppData\Roaming\securenet.exe
      - Sets file execution options in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\securenet.exe
        Command line: C:\Users\Admin\AppData\Roaming\securenet.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\REG.exe
        Command line: REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - [4] C:\Windows\SysWOW64\REG.exe
        Command line: REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        - Disables RegEdit via registry modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp956167654.tmp
  Filesize: 1KB
  MD5: 07ec61b689f582e26ca8ef86dc163880
  SHA1: 0405ad32bda37ecca243aae6d93680cb15325a6f
  SHA256: 1c2b7e918366bddb9379b9afdd2f5ac5ed91c007e5de1f86205cd80df63d3693
  SHA512: e8652a613075e1db6c1c68a98853d07c8e5d0e4ebd0f063f4123feff6cd60c6583cef36c0d76358ad5afdfd9bcc93bd849d7c33b84f4a408b3e36a40b84deeb9
- C:\Users\Admin\AppData\Roaming\securenet.exe
  Filesize: 2.2MB
  MD5: c8e549c5318134902fa7fa00bd756328
  SHA1: 337fbc3c1567161534b7867ac106b372e7213155
  SHA256: 7de9a099fb58bd2b2e796d0a70897ecfb76cfd034220e2b2f1269d6ce7db4506
  SHA512: 51b5763d9238523f1e4996848160daf8e9e8729f4e84cc148a2f6d0da448a8b72a51433fade01024f97efb7aec52eddeaf8424bf3e2ccecf5cdf3b2897781108
- memory/2128-24-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/2328-21-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2328-23-0x0000000005290000-0x0000000005293000-memory.dmp
  Filesize: 12KB
- memory/2328-30-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2328-28-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2328-20-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2328-19-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-15-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-3-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-0-0x00000000749F2000-0x00000000749F3000-memory.dmp
  Filesize: 4KB
- memory/2812-4-0x00000000749F2000-0x00000000749F3000-memory.dmp
  Filesize: 4KB
- memory/2812-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-6-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB
- memory/2812-5-0x00000000749F0000-0x0000000074FA1000-memory.dmp
  Filesize: 5.7MB