Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 07:22

Static task: static1
Behavioral task: behavioral1
- Sample: 9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe
- Size: 396KB
- MD5: 9d68fa1d0b7d856dae142bb02273a81b
- SHA1: 135d45482a3618487cbd5cde23904a70c2069ae1
- SHA256: 9802e45217b07b8950df10f3feb9f49fc20ea367ed1ab3c22f659eae1b90e475
- SHA512: 3171f678030cc869b48f8ba6516af9a8b705f4065293c5fbd37bb272aad8a2f78a48e50b04212cd5e2cb86585db8ced68ada5ccb4b61423bd978407a25651c67
- SSDEEP: 12288:SC/rh9yEmoQzcprsR0KzgHGTj5datGGMX6:F/rhvVQzJemTdn
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 (primary_connection_host:connection_port): 181.215.247.6:5655
- Mutex: c7bb6209-5622-4e29-820a-dbb0cb99e820

Configuration fields:
- activate_away_mode: true
- backup_connection_host: 181.215.247.6
- backup_dns_server:
- buffer_size: 65535
- build_time: 2017-04-17T11:05:54.312394636Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 5655
- default_group: money team
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c7bb6209-5622-4e29-820a-dbb0cb99e820
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 181.215.247.6
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Process: pid 1112 app.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegAsm.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"
- Checks whether UAC is enabled
  Process: RegAsm.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1112 app.exe set thread context of 700 RegAsm.exe
  PID 1112 app.exe set thread context of 3444 RegAsm.exe
- Drops file in Program Files directory (2 IoCs)
  Process: RegAsm.exe
  File created: C:\Program Files (x86)\DPI Subsystem\dpiss.exe
  File opened for modification: C:\Program Files (x86)\DPI Subsystem\dpiss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 1112 app.exe (repeated entries) and pid 700 RegAsm.exe (3 entries); 64 entries in total
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: pid 700 RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: pid 1592 9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe
  Token SeDebugPrivilege: pid 1112 app.exe
  Token SeDebugPrivilege: pid 700 RegAsm.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1592 9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe wrote to memory of 1112 app.exe (3 entries)
  PID 1112 app.exe wrote to memory of 3444 RegAsm.exe (8 entries)
  PID 1112 app.exe wrote to memory of 700 RegAsm.exe (8 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9d68fa1d0b7d856dae142bb02273a81b_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\app.exe
      Command line: "C:\Users\Admin\AppData\Roaming\app.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\app.exe (same size and hashes as the submitted sample)
  Filesize: 396KB
  MD5: 9d68fa1d0b7d856dae142bb02273a81b
  SHA1: 135d45482a3618487cbd5cde23904a70c2069ae1
  SHA256: 9802e45217b07b8950df10f3feb9f49fc20ea367ed1ab3c22f659eae1b90e475
  SHA512: 3171f678030cc869b48f8ba6516af9a8b705f4065293c5fbd37bb272aad8a2f78a48e50b04212cd5e2cb86585db8ced68ada5ccb4b61423bd978407a25651c67

Memory dumps (file, filesize):
- memory/1112-21-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-30-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-29-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-28-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-22-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-16-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-17-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1112-18-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1592-4-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1592-20-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1592-0-0x0000000074842000-0x0000000074843000-memory.dmp: 4KB
- memory/1592-3-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1592-2-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/1592-1-0x0000000074840000-0x0000000074DF1000-memory.dmp: 5.7MB
- memory/3444-24-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB