Analysis

max time kernel: 148s
max time network: 137s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 11:54

Static task: static1
Behavioral task: behavioral1
Sample: 94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
Size: 1.8MB
MD5: 94bdf1b1404a90c7563bee8143c37c40
SHA1: d00a543f39971f38f24b4fe6c92643cedeba2fa2
SHA256: 39fdf7cb955de78bb4c9e55ff269fd4dbdf8d5d38d540e2245f87cefb21fb91b
SHA512: eaed717fae7552e8701f5d2e5289afe042863f2ed2eaf4f1d29de74185ea414cbea2f1d618f48a06fdb1abf1dec8f837c61ac305e299cbb956ae100ff8fbd164
SSDEEP: 49152:rRTEexqIGEChCWAO8UK1I6neT4iGmrabygTp:rRTEeVVChCW2UK1IKdugT
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: dns.kingspy.info:54984
C2: 127.0.0.1:54984
Mutex: c6b3af3c-732f-423f-ad11-734155201ae2

Attributes:
activate_away_mode: false
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2016-03-12T20:07:17.102579136Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54984
default_group: hacce
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: c6b3af3c-732f-423f-ad11-734155201ae2
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: dns.kingspy.info
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
  Process: hfehfMbZTQWMYLdDJUDMF.cmd
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\McWIOgXFKEieSHaZ.lnk

Executes dropped EXE (2 IoCs)
  PID 2684: clean.exe
  PID 2988: hfehfMbZTQWMYLdDJUDMF.cmd

Loads dropped DLL (1 IoC)
  PID 2684: clean.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMN UPDATE FIRMWARE = "\"C:\\Users\\Admin\\AppData\\Roaming\\clean.exe\" .."
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMN UPDATE FIRMWARE = "\"C:\\Users\\Admin\\AppData\\Roaming\\clean.exe\" .."

Checks whether UAC is enabled
  Process: RegAsm.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched: behavioral1/memory/2180-2-0x000000001B330000-0x000000001B49E000-memory.dmp
  YARA rule autoit_exe matched: C:\Users\Admin\AppData\Roaming\clean.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2988 (hfehfMbZTQWMYLdDJUDMF.cmd) set thread context of PID 2912 (RegAsm.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2912: RegAsm.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2912: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2912 (RegAsm.exe): Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2684: clean.exe (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 2684: clean.exe (3 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2180 (94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe) wrote to memory of PID 2684 (clean.exe): 4 entries
  PID 2684 (clean.exe) wrote to memory of PID 2988 (hfehfMbZTQWMYLdDJUDMF.cmd): 4 entries
  PID 2988 (hfehfMbZTQWMYLdDJUDMF.cmd) wrote to memory of PID 2912 (RegAsm.exe): 9 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\clean.exe
      Command line: "C:\Users\Admin\AppData\Roaming\clean.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd
         Command line: "C:\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd" "C:\Users\Admin\AppData\Roaming\XKIbMLEbRJHLYiIDZOh" "C:\Users\Admin\AppData\Roaming\clean.exe"
         - Drops startup file
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\McWIOgXFKEie
  Filesize: 202KB
  MD5: c4b9f734a0aac44489b548c510116773
  SHA1: 0eabf30b5be6975cc546397f5d6b400dfb6a8ce0
  SHA256: 63cea54653761b83f1daf5eb279239715917b99769f87cd13ebd2db1d708c57f
  SHA512: 34a3e80637a92d3714275a10fcf8d18d937ae863dc9f15e8ec38ec4d0a80f3dc0285fbf66c90032f36b4fe4c46b3b34eba705e6bd3609c2a0de5a8fe2fd6510e

C:\Users\Admin\AppData\Roaming\XKIbMLEbRJHLYiIDZOh
  Filesize: 57KB
  MD5: de9ac2bdc7c41dd5bc2c2e0621e4b8ec
  SHA1: 63fe787dac9b6f8535e9d2465638c8a94f45b149
  SHA256: 1a4aa2d1c7e7376e94c8a86ad499970e45586a1cf0bebf2bf7d7fcece06a0d3d
  SHA512: 4212fe1c85e8e61117a8913dfd0227c833b4001c2695120833b21687afffb51f27e548d54fddbf75f408a4dd6ae1c5c41f1104ec03fcecb87f8fad99fd1b186f

C:\Users\Admin\AppData\Roaming\clean.exe
  Filesize: 1.4MB
  MD5: c8df1d0d1d43a265198776ed45cab6ef
  SHA1: d39ba7efb1f57dd315afcd0500a8f662e37d744d
  SHA256: 7f8ad4c1c330344e137e5d48683b1f1e63bd76d96361fb88a2598161181486db
  SHA512: b14cfffee104a6faf3167bf5a1eb0d39f6a38e171bc59fc9b453ba2498fc80da0c0557104bc3e1b97aa7158a266eabd27b8924e4463b648f723ffc6cf2b360e0

\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
Memory dumps (PID 2180, 94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe):
  memory/2180-0-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp: 4KB
  memory/2180-1-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp: 9.6MB
  memory/2180-2-0x000000001B330000-0x000000001B49E000-memory.dmp: 1.4MB
  memory/2180-3-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp: 9.6MB
  memory/2180-5-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp: 9.6MB
  memory/2180-10-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp: 9.6MB
  memory/2180-11-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp: 9.6MB

Memory dumps (PID 2912, RegAsm.exe):
  memory/2912-36-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
  memory/2912-38-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
  memory/2912-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  memory/2912-44-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
  memory/2912-45-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB