Analysis
-
max time kernel
146s
-
max time network
147s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
11-06-2024 16:28
Static task
static1
Behavioral task
behavioral1
Sample
9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
-
Size
435KB
-
MD5
9ece6610ad20b25f1c5a5999955cb6bb
-
SHA1
26e72d838429bf53cb2a243b530cbbdb9be8daeb
-
SHA256
7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
-
SHA512
c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
-
SSDEEP
12288:84aHAKjIQU74u7mpZIVA8FOsFbPP/czodI75Dj:wctbmnUFO2bPP/E4
Malware Config
Extracted
Family nanocore
Version 1.2.2.0
C2 branderhostx.bid:8821
C2 127.0.0.1:8821
Mutex 23acac4f-e4b4-4039-89b3-6e6eea96dd29
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2017-08-06T18:36:45.745494436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8821
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760 (1.048576e+07)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (1.048576e+07)
-
mutex
23acac4f-e4b4-4039-89b3-6e6eea96dd29
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
branderhostx.bid
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
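The config above mixes real indicators (the C2 hostname, the port, the mutex) with values that must not be treated as indicators (the loopback backup host, Google's public resolvers). The following is an added example, not code from the sandbox report or from NanoCore itself: it parses the key/value listing as copied from the report and sorts it into things a responder can act on. The list of resolvers treated as benign and the reading of `use_custom_dns_server` as gating the DNS entries are this example's own assumptions.

```python
"""Turn the NanoCore config listed above into actionable indicators.

Added example; this is not code from the sandbox report or from NanoCore.
CONFIG_TEXT is the key/value listing copied from the report. The set of
public resolvers treated as benign is this example's own assumption.
"""
from ipaddress import ip_address

# Copied from the report's "Malware Config" section (subset of keys).
CONFIG_TEXT = """\
backup_connection_host 127.0.0.1
backup_dns_server 8.8.4.4
bypass_user_account_control true
connection_port 8821
keyboard_logging false
mutex 23acac4f-e4b4-4039-89b3-6e6eea96dd29
primary_connection_host branderhostx.bid
primary_dns_server 8.8.8.8
request_elevation true
run_on_startup false
set_critical_process true
use_custom_dns_server false
version 1.2.2.0
"""

# Assumption: these are public resolvers, not attacker infrastructure.
# Blocking them on the strength of this config would break DNS for the host.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Flags worth surfacing to the responder; the names are the report's own keys.
CAPABILITY_FLAGS = (
    "bypass_user_account_control",
    "request_elevation",
    "set_critical_process",
    "keyboard_logging",
)


def parse_config(text):
    """Parse 'key value' lines; booleans and integers get native types."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if value in ("true", "false"):
            cfg[key] = value == "true"
        elif value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def _is_local(host):
    """Loopback, private or unspecified addresses are placeholders, not C2."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a hostname such as branderhostx.bid
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def derive_iocs(cfg):
    port = cfg["connection_port"]
    c2, placeholders = [], []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        endpoint = f"{host}:{port}"
        (placeholders if _is_local(host) else c2).append(endpoint)

    # Assumption (from the key name, not verified against NanoCore's code):
    # the dns_server entries only matter when use_custom_dns_server is true.
    dns = []
    if cfg.get("use_custom_dns_server"):
        for key in ("primary_dns_server", "backup_dns_server"):
            server = cfg.get(key)
            if server and server not in PUBLIC_RESOLVERS:
                dns.append(server)

    return {
        "c2": c2,                       # block or sinkhole these
        "placeholders": placeholders,   # 127.0.0.1:8821 - do not block
        "dns_servers": dns,
        "mutex": cfg["mutex"],          # host-level hunt: named mutex
        "capabilities": [f for f in CAPABILITY_FLAGS if cfg.get(f)],
        "version": cfg.get("version"),
    }
```

Two caveats the output makes visible: `run_on_startup` is false in this config, yet the behavioural section below records both a Startup-folder `.lnk` and a `Run` key, so config flags are a hint about capabilities, not a substitute for the observed behaviour; and `set_critical_process` is true, so a process that has successfully marked itself critical will bugcheck the machine if it is simply terminated, which argues for removing persistence and rebooting over killing the process during remediation.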
Signatures
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.dpceoihd.lnk | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2512 | SvchostReader.exe
1928 | SvchostReader.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | SvchostReader.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SvchostReader.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2512 set thread context of 1928 | 2512 | SvchostReader.exe | 1928 SvchostReader.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | SvchostReader.exe
File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | SvchostReader.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2512 | SvchostReader.exe
1928 | SvchostReader.exe
1928 | SvchostReader.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1928 | SvchostReader.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Token: SeDebugPrivilege | 2512 | SvchostReader.exe
Token: SeDebugPrivilege | 1928 | SvchostReader.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process | count
PID 2932 wrote to memory of 2512 | 2932 | 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe | SvchostReader.exe | 4
PID 2512 wrote to memory of 1928 | 2512 | SvchostReader.exe | SvchostReader.exe | 9
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe (level 1, PID 2932)
Command line: "C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\SvchostReader.exe (level 2, PID 2512, child of 2932)
    Command line: "C:\Users\Admin\AppData\Local\SvchostReader.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
        C:\Users\Admin\AppData\Local\SvchostReader.exe (level 3, PID 1928, child of 2512)
        Command line: "C:\Users\Admin\AppData\Local\SvchostReader.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
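The signatures and process tree above describe one chain: the sample drops a Startup-folder `.lnk`, the dropped `SvchostReader.exe` launches a second copy of itself, sets that copy's thread context and writes into its memory, and the injected copy then writes the `Run` value and the `Program Files (x86)` payload. The following is an added example, not part of the sandbox report: detection logic for that chain run over a constructed, Sysmon-style rendering of the events (the report lists API-level IoCs, not Sysmon records; field names follow Sysmon's schema, PIDs and paths are taken from the report, and the last event is a benign control case).

```python
"""Detection logic for the persistence and injection chain recorded above.

Added example; not part of the sandbox report. EVENTS is a constructed,
Sysmon-like rendering of the reported behaviour: field names follow Sysmon's
schema, PIDs and paths are taken from the report, the last event is benign.
"""

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
PROCESS_VM_OPERATION = 0x0008  # Windows process access-right bits
PROCESS_VM_WRITE = 0x0020

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\SvchostReader.exe"

EVENTS = [
    # EID 11 FileCreate: startup-folder .lnk written by the submitted sample
    {"EventID": 11, "ProcessId": 2932, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.dpceoihd.lnk"},
    # EID 1 ProcessCreate: the dropped copy spawns itself (PID 2512 -> 1928)
    {"EventID": 1, "ProcessId": 1928, "Image": DROPPED,
     "ParentProcessId": 2512, "ParentImage": DROPPED},
    # EID 10 ProcessAccess: parent opens the child with VM write rights
    # (the report's SetThreadContext + WriteProcessMemory pair)
    {"EventID": 10, "SourceProcessId": 2512, "SourceImage": DROPPED,
     "TargetProcessId": 1928, "TargetImage": DROPPED, "GrantedAccess": "0x1FFFFF"},
    # EID 13 RegistryEvent: Run value pointing into Program Files (x86)
    {"EventID": 13, "ProcessId": 1928, "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host",
     "Details": r"C:\Program Files (x86)\DHCP Host\dhcphost.exe"},
    # Benign control: explorer launching cmd must not trip the self-spawn rule
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 4000, "ParentImage": r"C:\Windows\explorer.exe"},
]


def startup_lnk_dropped(ev):
    name = ev.get("TargetFilename", "").lower()
    return ev["EventID"] == 11 and STARTUP_DIR in name and name.endswith(".lnk")


def run_key_set(ev):
    return ev["EventID"] == 13 and RUN_KEY in ev.get("TargetObject", "").lower()


def self_spawn(ev):
    return ev["EventID"] == 1 and ev["Image"].lower() == ev["ParentImage"].lower()


def vm_write_same_image(ev):
    """A process opening another instance of its own image with write rights."""
    if ev["EventID"] != 10:
        return False
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    return (ev["SourceImage"].lower() == ev["TargetImage"].lower()
            and granted & need == need)


RULES = {
    "startup_lnk": startup_lnk_dropped,
    "run_key": run_key_set,
    "self_spawn": self_spawn,
    "vm_write_same_image": vm_write_same_image,
}


def run_rules(events):
    """Return (rule, pid) for every event that matches a rule."""
    hits = []
    for ev in events:
        pid = ev.get("ProcessId", ev.get("SourceProcessId"))
        hits.extend((name, pid) for name, rule in RULES.items() if rule(ev))
    return hits


def hollowing_chain(events):
    """Correlate a self-spawn with later write access from parent to child.

    The self-spawn alone is weak (some updaters do it); combined with the
    parent writing into that child's memory it is the pattern the report
    shows for SvchostReader.exe (2512 -> 1928).
    """
    spawned = {(e["ParentProcessId"], e["ProcessId"]) for e in events if self_spawn(e)}
    return sorted(
        (e["SourceProcessId"], e["TargetProcessId"])
        for e in events
        if vm_write_same_image(e)
        and (e["SourceProcessId"], e["TargetProcessId"]) in spawned
    )
```

The single-event rules are deliberately kept separate from the correlation in `hollowing_chain`: the `Run` value and the Startup `.lnk` are worth an alert on their own, while the self-spawn only becomes a confident hollowing signal once the parent is also seen writing into the child. Note that the `Run` value points at `dhcphost.exe` under `Program Files (x86)`, a path the report shows being created only by the injected process (PID 1928), so a hunt for the registry value should be paired with a check for that file.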
Downloads
-
\Users\Admin\AppData\Local\SvchostReader.exe
Filesize 435KB
MD5 9ece6610ad20b25f1c5a5999955cb6bb
SHA1 26e72d838429bf53cb2a243b530cbbdb9be8daeb
SHA256 7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
SHA512 c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
(all four hashes equal those of the submitted sample: the dropped file is a byte-for-byte copy of it)
-
memory/1928-24-0x0000000000400000-0x0000000000438000-memory.dmp Filesize 224KB
-
memory/1928-22-0x0000000000400000-0x0000000000438000-memory.dmp Filesize 224KB
-
memory/1928-19-0x0000000000400000-0x0000000000438000-memory.dmp Filesize 224KB
-
memory/2512-18-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2512-27-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2512-12-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2512-13-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2512-14-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2932-3-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2932-17-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2932-4-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2932-0-0x0000000074B91000-0x0000000074B92000-memory.dmp Filesize 4KB
-
memory/2932-2-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
-
memory/2932-1-0x0000000074B90000-0x000000007513B000-memory.dmp Filesize 5.7MB
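To sweep other hosts for the file artefacts listed above you need the hashes in a form you can compare against, and a hasher that does not load whole files into memory. The following is an added example, not part of the report: a chunked multi-algorithm hasher plus a matcher against the report's hash set. The `KNOWN` values are copied from the report; the file content used in `demo()` is constructed so the code runs offline.

```python
"""Match files collected from a host against the hashes reported above.

Added example; not part of the sandbox report. KNOWN is copied from the
report. The bytes written in demo() are constructed, not the real sample.
"""
import hashlib
import os
import tempfile

KNOWN = {
    "md5": {"9ece6610ad20b25f1c5a5999955cb6bb"},
    "sha1": {"26e72d838429bf53cb2a243b530cbbdb9be8daeb"},
    "sha256": {"7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8"},
}
ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digest an in-memory blob (a carved memory region, a downloaded file)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Digest a file in 1 MiB chunks so large artefacts never sit in memory."""
    digests = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def match_known(digests, known=KNOWN):
    """Return the algorithms on which the digests hit the known-bad set."""
    return sorted(algo for algo, value in digests.items()
                  if value in known.get(algo, ()))


def same_content(a, b):
    """True when two digest dicts agree on every algorithm, as the report's
    dropped SvchostReader.exe does with the submitted sample."""
    return all(a[algo] == b[algo] for algo in ALGOS)


def demo():
    """Write a constructed file, hash it from disk and check it against KNOWN."""
    data = b"constructed sample bytes, not the real malware"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "SvchostReader.exe")
        with open(path, "wb") as f:
            f.write(data)
        on_disk = hash_file(path)
    return same_content(on_disk, hash_bytes(data)), match_known(on_disk)
```

Because the dropped `SvchostReader.exe` is a byte-for-byte copy of the submitted sample, one SHA-256 entry covers both files. It does not cover the in-memory payload: the 224KB image region dumped from PID 1928 (the process that 2512 wrote into) is different content from either file on disk, so a sweep based only on these file hashes will find the dropper and its copy but not the unpacked code running in the hollowed process.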