Analysis
max time kernel: 148s
max time network: 143s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 06:05
Static task: static1
Behavioral task: behavioral1
Sample: a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Size: 462KB
MD5: a8418d4221d58024515d4db45edf49d7
SHA1: e0034b96cda0bf0d9f328ad74b63241b4d1c12e1
SHA256: 69d910b0cbdaf102c18d47cdd3f3f21ffd288f62ea14ac9cce0572a7f90d629f
SHA512: 19207567b84a03cf1cda182c6cb9784f4c8f80c3ecf121c6d2ee77336e5562a30c2de116cbb56320a71cdf98e3ec6c6c08cca5da41cc6f9a564754406ebf4d07
SSDEEP: 12288:h2G4z1VuqdWNKA3ycZor2mSiS+LkC6ejvHP:MDzr7WrycZor2zihkC6ivH
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: eter202.ddns.net:2002
C2: 127.0.0.1:2002
Mutex: 53957676-27b2-45fc-90fa-942bf21dff75
Attributes:
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-07T19:51:32.143834936Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 2002
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 53957676-27b2-45fc-90fa-942bf21dff75
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: eter202.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Drops startup file 1 IoCs
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | notepad.exe

Executes dropped EXE 2 IoCs
  pid | process
  2936 | notepad.exe
  1832 | notepad.exe

Loads dropped DLL 2 IoCs
  pid | process
  2532 | cmd.exe
  2936 | notepad.exe

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/2936-18-0x0000000004820000-0x000000000482A000-memory.dmp | agile_net

Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | notepad.exe
Checks whether UAC is enabled 1 IoCs
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Suspicious use of SetThreadContext 1 IoCs
  description | pid | process | target process
  PID 2936 set thread context of 1832 | 2936 | notepad.exe | notepad.exe

Drops file in Program Files directory 2 IoCs
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | notepad.exe
  File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | process
  1832 | notepad.exe
  1832 | notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | process
  1832 | notepad.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
  description | pid | process
  Token: SeDebugPrivilege | 2560 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
  Token: 33 | 2560 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2560 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2936 | notepad.exe
  Token: 33 | 2936 | notepad.exe
  Token: SeIncBasePriorityPrivilege | 2936 | notepad.exe
  Token: SeDebugPrivilege | 1832 | notepad.exe

Suspicious use of WriteProcessMemory 21 IoCs
  description | pid | process | target process
  PID 2560 wrote to memory of 2480 | 2560 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe (4 identical entries)
  PID 2560 wrote to memory of 2532 | 2560 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe (4 identical entries)
  PID 2532 wrote to memory of 2936 | 2532 | cmd.exe | notepad.exe (4 identical entries)
  PID 2936 wrote to memory of 1832 | 2936 | notepad.exe | notepad.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe (PID 2560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe"
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2480)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\notepad.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 2532)
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\notepad.exe"
    Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\notepad.exe (PID 2936)
      Command line: "C:\Users\Admin\AppData\Local\notepad.exe"
      Signatures:
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\notepad.exe (PID 1832)
        Command line: "C:\Users\Admin\AppData\Local\notepad.exe"
        Signatures:
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\notepad.exe
  Filesize: 462KB
  MD5: a8418d4221d58024515d4db45edf49d7
  SHA1: e0034b96cda0bf0d9f328ad74b63241b4d1c12e1
  SHA256: 69d910b0cbdaf102c18d47cdd3f3f21ffd288f62ea14ac9cce0572a7f90d629f
  SHA512: 19207567b84a03cf1cda182c6cb9784f4c8f80c3ecf121c6d2ee77336e5562a30c2de116cbb56320a71cdf98e3ec6c6c08cca5da41cc6f9a564754406ebf4d07
- memory/1832-19-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-36-0x0000000000860000-0x000000000086A000-memory.dmp (Filesize: 40KB)
- memory/1832-35-0x0000000000BF0000-0x0000000000C0E000-memory.dmp (Filesize: 120KB)
- memory/1832-34-0x0000000000680000-0x000000000068A000-memory.dmp (Filesize: 40KB)
- memory/1832-30-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-31-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-28-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/1832-26-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-23-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1832-21-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2560-6-0x0000000000520000-0x000000000052E000-memory.dmp (Filesize: 56KB)
- memory/2560-14-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2560-8-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2560-7-0x00000000749DE000-0x00000000749DF000-memory.dmp (Filesize: 4KB)
- memory/2560-0-0x00000000749DE000-0x00000000749DF000-memory.dmp (Filesize: 4KB)
- memory/2560-5-0x0000000000460000-0x000000000046A000-memory.dmp (Filesize: 40KB)
- memory/2560-4-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize: 6.9MB)
- memory/2560-3-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
- memory/2560-2-0x00000000004D0000-0x0000000000512000-memory.dmp (Filesize: 264KB)
- memory/2560-1-0x0000000000870000-0x00000000008EC000-memory.dmp (Filesize: 496KB)
- memory/2936-18-0x0000000004820000-0x000000000482A000-memory.dmp (Filesize: 40KB)
- memory/2936-15-0x0000000001040000-0x00000000010BC000-memory.dmp (Filesize: 496KB)