Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 06:58
Static task: static1
Behavioral task: behavioral1
  Sample: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
  Resource: win10v2004-20240611-en
General
Target: a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
Size: 2.5MB
MD5: a45093c46a998137b18e4ec60a7341da
SHA1: 970747f951a674c58a12fffea58d06e78958b0be
SHA256: a3b029d42bd7d807c09240ae9002750c41f0e7e840ac97e7c069d3123510f098
SHA512: bd7f5313e64065db40a464468a7d658193cbcc27147e90eec3f2d49f71937a91e43a09734ef7e6b6f0509ff3704aa5622345e666dbb694282c5f72515a3b0122
SSDEEP: 24576:iw2O9/TgwrSUhVPHahmorI0hnvUwLS4VaVKrYlKgsvcRhyG+ryWkLNwm7MCH5mpK:z95cwOI0ZhHRwllR6idC1pqr88oBY
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: alexurch.ddns.net:7416
Mutex: 2e8144aa-eb59-4c72-89f2-7a135841085d
Attributes:
  activate_away_mode: true
  backup_connection_host:
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2019-03-09T16:13:18.568639836Z
  bypass_user_account_control: true
  bypass_user_account_control_data:
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 7416
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: 2e8144aa-eb59-4c72-89f2-7a135841085d
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: alexurch.ddns.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 14 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2728-29-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-23-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-30-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-31-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-47-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-45-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-44-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-42-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-39-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-38-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-36-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-34-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-33-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
  behavioral1/memory/2728-32-0x0000000000400000-0x0000000000490000-memory.dmp | family_agenttesla
Drops startup file 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diskraid.url | iwfx.exe
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2376 | iwfx.exe
  2532 | NANO no startup.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  2728 | RegSvcs.exe (2 entries)
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Checks whether UAC is enabled 1 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NANO no startup.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  20 | checkip.amazonaws.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Public\iwfx.exe | autoit_exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 2376 set thread context of 2728 | 2376 | iwfx.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid | process
  2352 | powershell.exe
  2728 | RegSvcs.exe (2 entries)
  2532 | NANO no startup.exe (3 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  2532 | NANO no startup.exe
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
  pid | process
  2728 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2352 | powershell.exe
  Token: SeDebugPrivilege | 2728 | RegSvcs.exe
  Token: SeDebugPrivilege | 2532 | NANO no startup.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid | process
  2376 | iwfx.exe (3 entries)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid | process
  2376 | iwfx.exe (3 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  2728 | RegSvcs.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description | pid | process | target process
  PID 2352 wrote to memory of 2376 | 2352 | powershell.exe | iwfx.exe (4 entries)
  PID 2376 wrote to memory of 2728 | 2376 | iwfx.exe | RegSvcs.exe (9 entries)
  PID 2728 wrote to memory of 2532 | 2728 | RegSvcs.exe | NANO no startup.exe (4 entries)
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2352)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a45093c46a998137b18e4ec60a7341da_JaffaCakes118.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\iwfx.exe (PID 2376)
    Command line: "C:\Users\Public\iwfx.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2728)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe (PID 2532)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Public\iwfx.exe
  Filesize: 1.8MB
  MD5: e0c0de2b3f8eda6c1f7a1ab3bd29ce87
  SHA1: 555e20c0382390f3a2e66e8ff3f7561499fc133c
  SHA256: 6a8ef26a45a7de1490578ee4ba07f1057129c56989e58651e5e01bfe62e4296f
  SHA512: a489cf3e37e15f7776f554998e8bef83ad0582e251d136a38c5786676f2233f08cdaababbf33865cdde7d51e5da5ae1febe7fd4c865bdc98fa7c3768aecd9bca
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NANO no startup.exe
  Filesize: 202KB
  MD5: 898055fa90ac8489dfe21df5002f4027
  SHA1: 337b7d4c782d8bef058f4abc65936fe7199aa60b
  SHA256: 82c18f8a811e1f42df938b60d9bd770fe691bd595b9f00275ae8c6a5070b31d7
  SHA512: fa9a07f720b9950ef00ad6f73426b63a1dd9c2ce020df2668c57d02faf00406849a855071becf078170fa49c1c97816eb93bbb8e393f675e3e78a196c1fbdbe9
Memory dumps (resource | Filesize):
  memory/2352-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp | 4KB
  memory/2352-5-0x000000001B600000-0x000000001B8E2000-memory.dmp | 2.9MB
  memory/2352-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2352-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2352-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2352-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2352-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2352-6-0x0000000001F70000-0x0000000001F78000-memory.dmp | 32KB
  memory/2352-17-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp | 9.6MB
  memory/2376-21-0x00000000000B0000-0x00000000000B1000-memory.dmp | 4KB
  memory/2728-23-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-39-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-29-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-30-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-31-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-47-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-45-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-44-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-42-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
  memory/2728-38-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-36-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-34-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-33-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-32-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-22-0x0000000000400000-0x0000000000490000-memory.dmp | 576KB
  memory/2728-58-0x0000000000BC0000-0x0000000000BCA000-memory.dmp | 40KB