Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 07:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
- Size: 910KB
- MD5: a47b05db3e42ee692d14c540166d3cb7
- SHA1: 6f93466b4cac813c139e3bda8c5f163950e6348a
- SHA256: 825e0fde3a52873f7b67f254951927aebb480a870aa07a775ac07dd642767ff2
- SHA512: ca83aa589f79e0da8f620f1ad8a05132132b869dc5a76c4f97fa4964fecc8596dd2e71646073d9332a4a4e6940c2607543ec5ee5988352988d5898650c2e05d1
- SSDEEP: 6144:WHCbSPjwCy5BB75qLHsswKcQKec6AMgABUfElEaEl3Vn5T6JB03:FbqjA5lqLHssfcQKj16UfElG3V5TuBS
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sealpage.servepics.com:8443
- Mutex: 8b193074-55e7-422d-8e72-a7a8c491e038
Attributes
- activate_away_mode: true
- backup_connection_host: sealpage.servepics.com
- backup_dns_server:
- buffer_size: 65535
- build_time: 2018-07-22T17:24:02.091657736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8443
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 8b193074-55e7-422d-8e72-a7a8c491e038
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host:
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Host = "C:\\Program Files (x86)\\SCSI Host\\scsihost.exe"
- Checks whether UAC is enabled
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops desktop.ini file(s) (2 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
- Suspicious use of SetThreadContext (1 IoC)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe (PID 3120) set thread context of PID 564 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe)
- Drops file in Program Files directory (2 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  File created: C:\Program Files (x86)\SCSI Host\scsihost.exe
  File opened for modification: C:\Program Files (x86)\SCSI Host\scsihost.exe
- Drops file in Windows directory (3 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe
  File opened for modification: C:\Windows\assembly
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 3116), schtasks.exe (PID 1680)
- NTFS ADS (1 IoC)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe:Zone.Identifier
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe (PID 3120), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  PID 3120 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe): Token: SeDebugPrivilege
  PID 3120 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe): Token: 33
  PID 3120 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe): Token: SeIncBasePriorityPrivilege
  PID 564 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe): Token: SeDebugPrivilege, 2 occurrences
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 3120 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 4312 (cmd.exe), 3 occurrences
  PID 4312 (cmd.exe) wrote to memory of PID 5060 (reg.exe), 3 occurrences
  PID 3120 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 564 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe), 8 occurrences
  PID 564 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 1680 (schtasks.exe), 3 occurrences
  PID 564 (a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe) wrote to memory of PID 3116 (schtasks.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe (PID 3120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe"
  Signatures: Drops desktop.ini file(s); Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4312)
    Command line: "cmd.exe"
    Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 5060)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\comm\iscsicli.exe.lnk" /f
  - C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe (PID 564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a47b05db3e42ee692d14c540166d3cb7_JaffaCakes118.exe"
    Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1680)
      Command line: "schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3BFF.tmp"
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 3116)
      Command line: "schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3C3F.tmp"
      Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3BFF.tmp
  Filesize: 1KB
  MD5: be66425c90f7d34f5a157a7f16b8f42d
  SHA1: fb1048d08c2fbb0322a852aabc99714bcd5dafef
  SHA256: 6c6098541dbecfede4d5cce2ce7c6e99f99c8492e61e68917a0dcf4955a142ba
  SHA512: 4bf19f930b1bae60e03543d8f9a5ff13c0e394fb2587eee5524536c934681378a848047649d03bda4d27dd20aa04124916b64e13c3d37268f2d96100c04ec0c0
- C:\Users\Admin\AppData\Local\Temp\tmp3C3F.tmp
  Filesize: 1KB
  MD5: 9a559f229be0944bc3dc813cde333f50
  SHA1: 0e97c97eea032b499ff060e799581e32beeceb09
  SHA256: a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330
  SHA512: 4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68
- memory/564-13-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/564-10-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/564-11-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/564-12-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/564-21-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/564-24-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/564-25-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/3120-0-0x00000000746C2000-0x00000000746C3000-memory.dmp (Filesize: 4KB)
- memory/3120-2-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/3120-1-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)
- memory/3120-23-0x00000000746C0000-0x0000000074C71000-memory.dmp (Filesize: 5.7MB)