Analysis
max time kernel: 147s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 14-06-2024 06:05
Static task: static1
Behavioral task: behavioral1
Sample: a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Size: 462KB
MD5: a8418d4221d58024515d4db45edf49d7
SHA1: e0034b96cda0bf0d9f328ad74b63241b4d1c12e1
SHA256: 69d910b0cbdaf102c18d47cdd3f3f21ffd288f62ea14ac9cce0572a7f90d629f
SHA512: 19207567b84a03cf1cda182c6cb9784f4c8f80c3ecf121c6d2ee77336e5562a30c2de116cbb56320a71cdf98e3ec6c6c08cca5da41cc6f9a564754406ebf4d07
SSDEEP: 12288:h2G4z1VuqdWNKA3ycZor2mSiS+LkC6ejvHP:MDzr7WrycZor2zihkC6ivH
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: eter202.ddns.net:2002
C2: 127.0.0.1:2002
Mutex: 53957676-27b2-45fc-90fa-942bf21dff75
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-07T19:51:32.143834936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 2002
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 53957676-27b2-45fc-90fa-942bf21dff75
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: eter202.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Drops startup file (1 IoCs)
Processes (description | ioc | process):
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | notepad.exe
Executes dropped EXE (2 IoCs)
Processes (pid | process):
4768 | notepad.exe
2440 | notepad.exe
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource | yara_rule):
behavioral2/memory/4768-22-0x0000000007910000-0x000000000791A000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe" | notepad.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
PID 4768 set thread context of 2440 | 4768 | notepad.exe | notepad.exe
Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
File created | C:\Program Files (x86)\PCI Service\pcisv.exe | notepad.exe
File opened for modification | C:\Program Files (x86)\PCI Service\pcisv.exe | notepad.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid | process):
2440 | notepad.exe
2440 | notepad.exe
2440 | notepad.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
2440 | notepad.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Token: 33 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
Token: SeDebugPrivilege | 4768 | notepad.exe
Token: 33 | 4768 | notepad.exe
Token: SeIncBasePriorityPrivilege | 4768 | notepad.exe
Token: SeDebugPrivilege | 2440 | notepad.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process):
PID 3040 wrote to memory of 452 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3040 wrote to memory of 452 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3040 wrote to memory of 452 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3040 wrote to memory of 3944 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3040 wrote to memory of 3944 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3040 wrote to memory of 3944 | 3040 | a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe | cmd.exe
PID 3944 wrote to memory of 4768 | 3944 | cmd.exe | notepad.exe
PID 3944 wrote to memory of 4768 | 3944 | cmd.exe | notepad.exe
PID 3944 wrote to memory of 4768 | 3944 | cmd.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
PID 4768 wrote to memory of 2440 | 4768 | notepad.exe | notepad.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe"
  PID: 3040
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a8418d4221d58024515d4db45edf49d7_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\notepad.exe"
      PID: 452
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\notepad.exe"
      PID: 3944
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\notepad.exe
          Command line: "C:\Users\Admin\AppData\Local\notepad.exe"
          PID: 4768
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\notepad.exe
              Command line: "C:\Users\Admin\AppData\Local\notepad.exe"
              PID: 2440
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\notepad.exe
  Filesize: 462KB
  MD5: a8418d4221d58024515d4db45edf49d7
  SHA1: e0034b96cda0bf0d9f328ad74b63241b4d1c12e1
  SHA256: 69d910b0cbdaf102c18d47cdd3f3f21ffd288f62ea14ac9cce0572a7f90d629f
  SHA512: 19207567b84a03cf1cda182c6cb9784f4c8f80c3ecf121c6d2ee77336e5562a30c2de116cbb56320a71cdf98e3ec6c6c08cca5da41cc6f9a564754406ebf4d07
memory/2440-24-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/2440-33-0x00000000062C0000-0x00000000062CA000-memory.dmp (Filesize: 40KB)
memory/2440-32-0x00000000059E0000-0x00000000059FE000-memory.dmp (Filesize: 120KB)
memory/2440-31-0x00000000059D0000-0x00000000059DA000-memory.dmp (Filesize: 40KB)
memory/2440-28-0x0000000005400000-0x000000000540A000-memory.dmp (Filesize: 40KB)
memory/3040-7-0x0000000007BB0000-0x0000000007BBA000-memory.dmp (Filesize: 40KB)
memory/3040-0-0x000000007507E000-0x000000007507F000-memory.dmp (Filesize: 4KB)
memory/3040-8-0x0000000007BE0000-0x0000000007BEE000-memory.dmp (Filesize: 56KB)
memory/3040-9-0x000000007507E000-0x000000007507F000-memory.dmp (Filesize: 4KB)
memory/3040-1-0x0000000000C30000-0x0000000000CAC000-memory.dmp (Filesize: 496KB)
memory/3040-3-0x0000000007B00000-0x0000000007B30000-memory.dmp (Filesize: 192KB)
memory/3040-6-0x0000000007C30000-0x0000000007CC2000-memory.dmp (Filesize: 584KB)
memory/3040-10-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/3040-14-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/3040-2-0x00000000056A0000-0x00000000056E2000-memory.dmp (Filesize: 264KB)
memory/3040-4-0x00000000080E0000-0x0000000008684000-memory.dmp (Filesize: 5.6MB)
memory/3040-5-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/4768-20-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/4768-27-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/4768-23-0x0000000008AA0000-0x0000000008B3C000-memory.dmp (Filesize: 624KB)
memory/4768-22-0x0000000007910000-0x000000000791A000-memory.dmp (Filesize: 40KB)
memory/4768-19-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
memory/4768-18-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)