Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 07:44

Static task: static1
Behavioral task: behavioral1
Sample: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
Resource: win7-20240419-en

General
Target: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
Size: 910KB
MD5: a47b05db3e42ee692d14c540166d3cb7
SHA1: 6f93466b4cac813c139e3bda8c5f163950e6348a
SHA256: 825e0fde3a52873f7b67f254951927aebb480a870aa07a775ac07dd642767ff2
SHA512: ca83aa589f79e0da8f620f1ad8a05132132b869dc5a76c4f97fa4964fecc8596dd2e71646073d9332a4a4e6940c2607543ec5ee5988352988d5898650c2e05d1
SSDEEP: 6144:WHCbSPjwCy5BB75qLHsswKcQKec6AMgABUfElEaEl3Vn5T6JB03:FbqjA5lqLHssfcQKj16UfElG3V5TuBS
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: sealpage.servepics.com:8443
Mutex: 8b193074-55e7-422d-8e72-a7a8c491e038

activate_away_mode: true
backup_connection_host: sealpage.servepics.com
backup_dns_server: (empty)
buffer_size: 65535
build_time: 2018-07-22T17:24:02.091657736Z
bypass_user_account_control: false
bypass_user_account_control_data: (value omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8443
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (= 10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (= 10485760)
mutex: 8b193074-55e7-422d-8e72-a7a8c491e038
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: (empty)
primary_dns_server: (empty)
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"

Checks whether UAC is enabled
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
  PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) set thread context of PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)

Drops file in Program Files directory (2 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  File created: C:\Program Files (x86)\DOS Manager\dosmgr.exe
  File opened for modification: C:\Program Files (x86)\DOS Manager\dosmgr.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 2684), schtasks.exe (PID 2576)

NTFS ADS (1 IoC)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe:Zone.Identifier

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe (PID 2220), 2 events

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)
  Token: 33, PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)
  Token: SeIncBasePriorityPrivilege, PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)
  Token: SeDebugPrivilege, PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)
  Token: SeDebugPrivilege, PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 1336 (cmd.exe), 4 events
  PID 1336 (cmd.exe) wrote to memory of PID 2832 (reg.exe), 4 events
  PID 2220 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe), 9 events
  PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 2684 (schtasks.exe), 4 events
  PID 2644 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 2576 (schtasks.exe), 4 events
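The SetThreadContext and WriteProcessMemory records together describe the loader stage: PID 2220 starts a second copy of its own image (PID 2644), writes into it and replaces its thread context, which is the process-hollowing pattern that puts the NanoCore payload into a process whose on-disk image is the original file. The writes into cmd.exe, reg.exe and schtasks.exe are what ordinary child-process creation looks like in this kind of trace, so the discriminating feature is a same-image child whose thread context is rewritten. The following is an added example, not part of the sandbox report: it parses records written in the report's own "PID <src> <verb> <dst> <src> <src image> <dst image>" layout, rebuilds the parent/child chain from the cross-process writes, and flags the hollowing pair. The input lines are constructed from the PIDs and image names listed above, with the repeated per-call lines collapsed to one per pair.

```python
import re
from collections import defaultdict

# Constructed input, not sandbox output: the PIDs and image names are the ones the
# report lists, written in its own "PID <src> <verb> <dst> <src> <src image> <dst image>"
# layout, with the repeated per-call lines collapsed to one line per pair.
SAMPLE = "a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe"
RECORDS = f"""
PID 2220 wrote to memory of 1336 2220 {SAMPLE} cmd.exe
PID 1336 wrote to memory of 2832 1336 cmd.exe reg.exe
PID 2220 set thread context of 2644 2220 {SAMPLE} {SAMPLE}
PID 2220 wrote to memory of 2644 2220 {SAMPLE} {SAMPLE}
PID 2644 wrote to memory of 2684 2644 {SAMPLE} schtasks.exe
PID 2644 wrote to memory of 2576 2644 {SAMPLE} schtasks.exe
""".strip().splitlines()

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_records(lines):
    """Return (src_pid, verb, dst_pid, src_image, dst_image) tuples; non-record lines are skipped."""
    events = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["verb"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_tree(events):
    """Parent PID -> child PIDs in first-seen order, inferred from cross-process writes."""
    children = defaultdict(list)
    for src, verb, dst, _, _ in events:
        if verb == "wrote to memory of" and dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def find_hollowing(events):
    """
    Flag (parent, child, image) where the parent both wrote into the child and replaced
    its thread context, and both run the same image. Writes into a child of a different
    image (cmd.exe, reg.exe, schtasks.exe) accompany ordinary process creation in this
    kind of trace and are not reported on their own.
    """
    writes = {(src, dst) for src, verb, dst, _, _ in events if verb == "wrote to memory of"}
    return [
        (src, dst, dst_img)
        for src, verb, dst, src_img, dst_img in events
        if verb == "set thread context of" and src_img == dst_img and (src, dst) in writes
    ]


if __name__ == "__main__":
    evs = parse_records(RECORDS)
    print("process tree:", build_tree(evs))
    print("hollowed:", find_hollowing(evs))
```

On the constructed input the tree is 2220 -> {1336 -> 2832, 2644 -> {2684, 2576}} and the only hollowing hit is (2220, 2644). The same rule applies unchanged to a report where the injector targets a different image (a suspended copy of a system binary, say); only the same-image condition would need relaxing, at the cost of also matching the benign creation writes.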
Processes

C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe"
  PID: 2220
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 1336
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe.lnk" /f
      PID: 2832

  C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe"
    PID: 2644
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp963.tmp"
      PID: 2684
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpADB.tmp"
      PID: 2576
      - Creates scheduled task(s)
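The process tree shows three separate persistence paths. The cmd.exe child of the loader uses reg.exe to set the per-user Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (a legacy autostart that runs at user logon) to a .lnk pointing at the dropped copy in %APPDATA%\comm\iscsicli.exe; the hollowed process 2644 creates two scheduled tasks from XML files in the user's Temp directory and writes an HKLM Run value for C:\Program Files (x86)\DOS Manager\dosmgr.exe. The following is an added example, not part of the report or of any vendor's tooling: a small rule set over constructed process-creation and registry events that tokenises the Windows command lines and flags each of these three mechanisms, with a constructed control record (a task created from an XML outside Temp) that is left alone. The event shape and rule names are this example's own choices.

```python
import re

# Constructed events modelled on the process tree and registry IoC in this report. They
# are hand-written records, not sandbox output; the command lines, key path and value
# data are copied from the report so the rules can be checked against its behaviour.
EVENTS = [
    {"type": "process", "pid": 2832, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load '
                r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe.lnk" /f'},
    {"type": "process", "pid": 2684, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp963.tmp"'},
    {"type": "process", "pid": 2576, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpADB.tmp"'},
    {"type": "registry", "pid": 2644,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager",
     "data": r"C:\Program Files (x86)\DOS Manager\dosmgr.exe"},
    # Control record (constructed): a task created from an XML outside the user's Temp
    # directory is not flagged by these rules.
    {"type": "process", "pid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_TEMP = "\\appdata\\local\\temp\\"


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def switches(tokens):
    """Map each /switch to the argument that follows it, or True when it stands alone."""
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                out[name] = tokens[i + 1]
                i += 1
            else:
                out[name] = True
        i += 1
    return out


def check_process(ev):
    """Return (rule, detail) for a reg.exe or schtasks.exe persistence command line, else None."""
    tokens = tokenize(ev["cmdline"])
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    sw = switches(tokens)
    if exe in ("reg", "reg.exe") and len(tokens) > 2 and tokens[1].lower() == "add":
        key = tokens[2].lower()
        if key.endswith("\\windows nt\\currentversion\\windows") and str(sw.get("v", "")).lower() == "load":
            return ("windows_load_value", sw.get("d"))
        if any(run in key + "\\" for run in RUN_KEYS):
            return ("run_key_via_reg", sw.get("d"))
    if exe in ("schtasks", "schtasks.exe") and "create" in sw and USER_TEMP in str(sw.get("xml", "")).lower():
        return ("schtask_from_user_temp", sw.get("tn"))
    return None


def check_registry(ev):
    """Return (rule, detail) for a Run/RunOnce value that points at an executable, else None."""
    if any(run in ev["key"].lower() for run in RUN_KEYS) and ev["data"].lower().endswith(".exe"):
        return ("run_key_set", ev["data"])
    return None


def triage(events):
    """Apply the rules to every event; return (pid, rule, detail) hits in input order."""
    hits = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if hit:
            hits.append((ev["pid"], *hit))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"PID {pid}: {rule} -> {detail}")
```

The tokeniser is deliberately simple (double quotes only, no escape handling), which is enough for command lines of the shape shown here; real telemetry can contain caret escapes and nested quoting, so a production rule would normalise those first. Note that the Load value points at a .lnk rather than the executable, so a rule that only looks for .exe data would miss it; the rule above keys on the registry path instead.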
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp963.tmp
  Filesize: 1KB
  MD5: be66425c90f7d34f5a157a7f16b8f42d
  SHA1: fb1048d08c2fbb0322a852aabc99714bcd5dafef
  SHA256: 6c6098541dbecfede4d5cce2ce7c6e99f99c8492e61e68917a0dcf4955a142ba
  SHA512: 4bf19f930b1bae60e03543d8f9a5ff13c0e394fb2587eee5524536c934681378a848047649d03bda4d27dd20aa04124916b64e13c3d37268f2d96100c04ec0c0

C:\Users\Admin\AppData\Local\Temp\tmpADB.tmp
  Filesize: 1KB
  MD5: 8f5713b14cee3089852f6c8d2a7a7d57
  SHA1: 8bffbea05715c6434ad593cce8a2c737f80ff788
  SHA256: ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
  SHA512: 82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72

C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe (same size and hashes as the submitted sample)
  Filesize: 910KB
  MD5: a47b05db3e42ee692d14c540166d3cb7
  SHA1: 6f93466b4cac813c139e3bda8c5f163950e6348a
  SHA256: 825e0fde3a52873f7b67f254951927aebb480a870aa07a775ac07dd642767ff2
  SHA512: ca83aa589f79e0da8f620f1ad8a05132132b869dc5a76c4f97fa4964fecc8596dd2e71646073d9332a4a4e6940c2607543ec5ee5988352988d5898650c2e05d1

Memory dumps
  memory/2220-0-0x0000000074301000-0x0000000074302000-memory.dmp: 4KB
  memory/2220-2-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2220-1-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2220-34-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2644-21-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-11-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-23-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-19-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  memory/2644-24-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2644-26-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2644-25-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB
  memory/2644-13-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-15-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-9-0x0000000000400000-0x0000000000424000-memory.dmp: 144KB
  memory/2644-35-0x0000000074300000-0x00000000748AB000-memory.dmp: 5.7MB