Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2024 10:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
- Size: 397KB
- MD5: 97cf08e91c6787be06aa7c2dcc36c9af
- SHA1: 2693040c6aad636f276de00a9695d7ab610b9a0e
- SHA256: 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
- SHA512: c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e
- SSDEEP: 6144:mZCtBX0jFes6qpbXwmiWW22ZMEo0ZDoW+BkBAeBx3sHif/sTLIT2I:GCtk6mDWieoeBqaaLIa
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 hosts: hoanghuyen1527.ddns.net:15279, 194.5.97.100:15279
- Mutex: f9d63243-7316-4460-bfb3-00887204a706
Attributes:
- activate_away_mode: true
- backup_connection_host: 194.5.97.100
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-10T18:16:19.508345736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 15279
- default_group: Host
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f9d63243-7316-4460-bfb3-00887204a706
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: hoanghuyen1527.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file (1 IoCs)
  Process: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
- Executes dropped EXE (1 IoCs)
  PID 2580 svhost.exe
- Loads dropped DLL (3 IoCs)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe (3 loads)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: svhost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"
- Checks whether UAC is enabled
  Process: svhost.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoCs)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe set thread context of PID 2580 svhost.exe
- Drops file in Program Files directory (2 IoCs)
  Process: svhost.exe
  File created: C:\Program Files (x86)\DDP Service\ddpsv.exe
  File opened for modification: C:\Program Files (x86)\DDP Service\ddpsv.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  PID 1276 timeout.exe
- NTFS ADS (1 IoCs)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe (4 hits)
  PID 2580 svhost.exe (3 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2580 svhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2580 svhost.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe wrote to memory of PID 2580 svhost.exe (9 writes)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe wrote to memory of PID 2408 cmd.exe (4 writes)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe wrote to memory of PID 2740 cmd.exe (4 writes)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe wrote to memory of PID 1804 cmd.exe (4 writes)
  PID 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe wrote to memory of PID 2472 cmd.exe (4 writes)
  PID 2472 cmd.exe wrote to memory of PID 1276 timeout.exe (4 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe" "%appdata%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ren "%appdata%\FolderN\name.exe.jpg" name.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\FolderN\name.exe
  Filesize: 397KB
  MD5: 97cf08e91c6787be06aa7c2dcc36c9af
  SHA1: 2693040c6aad636f276de00a9695d7ab610b9a0e
  SHA256: 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
  SHA512: c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e
- C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
  Filesize: 201B
  MD5: 9d9b7b166f447b4f638f68f01373b335
  SHA1: a112a069f5f149d325a2e4dbf38f0e89db8247d8
  SHA256: 7ccae4d2b1dabe635738495e89df4787e113dd99227360b4b10f57b068b6f42d
  SHA512: 7267fd2257607c9133220c46aeb7c2b7ecfbd8b3bc5b599c2ec085e2e887447062a9a8184087254574bda448e118a92d09f7259518a51a3f039e8ea775864a48
- \Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 255KB
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
Memory dumps:
- memory/2208-1-0x0000000001310000-0x000000000137A000-memory.dmp (Filesize 424KB)
- memory/2208-2-0x0000000000380000-0x00000000003BA000-memory.dmp (Filesize 232KB)
- memory/2208-3-0x0000000074330000-0x0000000074A1E000-memory.dmp (Filesize 6.9MB)
- memory/2208-0-0x000000007433E000-0x000000007433F000-memory.dmp (Filesize 4KB)
- memory/2208-50-0x0000000074330000-0x0000000074A1E000-memory.dmp (Filesize 6.9MB)
- memory/2580-9-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-10-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-26-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-28-0x0000000074330000-0x0000000074A1E000-memory.dmp (Filesize 6.9MB)
- memory/2580-23-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-19-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-16-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp (Filesize 4KB)
- memory/2580-18-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-12-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-47-0x0000000000450000-0x000000000045A000-memory.dmp (Filesize 40KB)
- memory/2580-48-0x0000000000460000-0x000000000047E000-memory.dmp (Filesize 120KB)
- memory/2580-49-0x0000000000580000-0x000000000058A000-memory.dmp (Filesize 40KB)
- memory/2580-14-0x0000000000080000-0x00000000000B8000-memory.dmp (Filesize 224KB)
- memory/2580-51-0x0000000074330000-0x0000000074A1E000-memory.dmp (Filesize 6.9MB)