Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2024 10:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
- Size: 397KB
- MD5: 97cf08e91c6787be06aa7c2dcc36c9af
- SHA1: 2693040c6aad636f276de00a9695d7ab610b9a0e
- SHA256: 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
- SHA512: c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e
- SSDEEP: 6144:mZCtBX0jFes6qpbXwmiWW22ZMEo0ZDoW+BkBAeBx3sHif/sTLIT2I:GCtk6mDWieoeBqaaLIa
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: hoanghuyen1527.ddns.net:15279
- C2: 194.5.97.100:15279
- Mutex: f9d63243-7316-4460-bfb3-00887204a706

Configuration keys
- activate_away_mode: true
- backup_connection_host: 194.5.97.100
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-10T18:16:19.508345736Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 15279
- default_group: Host
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f9d63243-7316-4460-bfb3-00887204a706
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: hoanghuyen1527.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

- Drops startup file (1 IoC)
  Process: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk

- Executes dropped EXE (1 IoC)
  Process: svhost.exe (PID 400)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: svhost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"

- Checks whether UAC is enabled
  Process: svhost.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of SetThreadContext (1 IoC)
  Process: 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe (PID 5000) set thread context of PID 400 (svhost.exe)

- Drops file in Program Files directory (2 IoCs)
  Process: svhost.exe
  File created: C:\Program Files (x86)\DHCP Service\dhcpsv.exe
  File opened for modification: C:\Program Files (x86)\DHCP Service\dhcpsv.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 1936)

- NTFS ADS (1 IoC)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: PID 5000 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe (4 entries), PID 400 svhost.exe (3 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svhost.exe (PID 400)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 5000 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 400 svhost.exe

- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 5000 (97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe) wrote to memory of PID 400 (svhost.exe): 8 entries
  PID 5000 (97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe) wrote to memory of PID 3480 (cmd.exe): 3 entries
  PID 5000 (97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe) wrote to memory of PID 4064 (cmd.exe): 3 entries
  PID 5000 (97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe) wrote to memory of PID 4336 (cmd.exe): 3 entries
  PID 5000 (97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe) wrote to memory of PID 1032 (cmd.exe): 3 entries
  PID 1032 (cmd.exe) wrote to memory of PID 1936 (timeout.exe): 3 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe" "%appdata%\FolderN\name.exe" /Y

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ren "%appdata%\FolderN\name.exe.jpg" name.exe

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 256KB
  MD5: 8fdf47e0ff70c40ed3a17014aeea4232
  SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
  SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
  SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

- C:\Users\Admin\AppData\Roaming\FolderN\name.exe
  Filesize: 397KB
  MD5: 97cf08e91c6787be06aa7c2dcc36c9af
  SHA1: 2693040c6aad636f276de00a9695d7ab610b9a0e
  SHA256: 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
  SHA512: c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e

- C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
  Filesize: 201B
  MD5: 9d9b7b166f447b4f638f68f01373b335
  SHA1: a112a069f5f149d325a2e4dbf38f0e89db8247d8
  SHA256: 7ccae4d2b1dabe635738495e89df4787e113dd99227360b4b10f57b068b6f42d
  SHA512: 7267fd2257607c9133220c46aeb7c2b7ecfbd8b3bc5b599c2ec085e2e887447062a9a8184087254574bda448e118a92d09f7259518a51a3f039e8ea775864a48

Memory dumps
- memory/400-13-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/400-19-0x0000000005700000-0x000000000570A000-memory.dmp: 40KB
- memory/400-32-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/400-7-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
- memory/400-10-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/400-11-0x0000000005C30000-0x00000000061D4000-memory.dmp: 5.6MB
- memory/400-12-0x00000000055B0000-0x0000000005642000-memory.dmp: 584KB
- memory/400-31-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/400-14-0x0000000005680000-0x000000000568A000-memory.dmp: 40KB
- memory/400-22-0x0000000005970000-0x000000000597A000-memory.dmp: 40KB
- memory/400-20-0x0000000005840000-0x000000000585E000-memory.dmp: 120KB
- memory/5000-2-0x0000000005340000-0x00000000053DC000-memory.dmp: 624KB
- memory/5000-4-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/5000-1-0x0000000000920000-0x000000000098A000-memory.dmp: 424KB
- memory/5000-30-0x00000000750E0000-0x0000000075890000-memory.dmp: 7.7MB
- memory/5000-0-0x00000000750EE000-0x00000000750EF000-memory.dmp: 4KB
- memory/5000-3-0x00000000052A0000-0x00000000052DA000-memory.dmp: 232KB