Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 08:53
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe
  - Resource: win7-20240611-en
General
- Target: a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe
- Size: 806KB
- MD5: a8d385367ec6e7c892816e137900ff79
- SHA1: 8d6b34a726c8206d3c76c0b2e418ae064e5eaac0
- SHA256: bcfbf1fd4641c8b686c9dabd458b4db3efdcf03157fa7b09515a00e980e889ce
- SHA512: 2f9f0f27fa3ff7db5f4afa46826ee0e85e30e918dbd58ae0162b3cbc7aeaafc647e88263758f2fb2e00d9d0bd5f4584b808ee0dbe1eaf15f6a05b123a48d4f43
- SSDEEP: 24576:rmoO8itEqfZm27QKJ44ZErvgjUn2wTF/2W:qvZpQKPErvWKF/9
Malware Config
Extracted: nanocore 1.2.2.0
- C2: zam.accesscam.org:6925, zam123.myftp.biz:6925
- Mutex: cb45715f-56e8-461e-9e9c-152b342a7f1c

Configuration:
- activate_away_mode: false
- backup_connection_host: zam123.myftp.biz
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2018-11-17T00:35:29.075028036Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6925
- default_group: EURO
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: cb45715f-56e8-461e-9e9c-152b342a7f1c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: zam.accesscam.org
- primary_dns_server: (empty)
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 2648 outlook.sfx.exe
- PID 684 outlook.exe

Loads dropped DLL (5 IoCs)
Processes:
- PID 2720 cmd.exe
- PID 2648 outlook.sfx.exe (recorded 4 times)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- outlook.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files\\DDP Service\\ddpsv.exe"

Checks whether UAC is enabled
Processes:
- outlook.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops file in Program Files directory (2 IoCs)
Processes:
- outlook.exe: File created C:\Program Files\DDP Service\ddpsv.exe
- outlook.exe: File opened for modification C:\Program Files\DDP Service\ddpsv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- PID 684 outlook.exe (recorded 6 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 684 outlook.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 684 outlook.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each source/target pair was recorded 4 times):
- PID 2852 a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe wrote to memory of PID 2720 cmd.exe
- PID 2720 cmd.exe wrote to memory of PID 2648 outlook.sfx.exe
- PID 2648 outlook.sfx.exe wrote to memory of PID 684 outlook.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe (PID 2852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2720)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe (PID 2648)
      Command line: outlook.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe (PID 684)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat
  - Filesize: 30B
  - MD5: ffa5e8316d6624bc4988a91fc24107f2
  - SHA1: 087399a1d78f1fee901ec77f7bfd011027003c37
  - SHA256: 858e2cd0a37f82e72708bc15d0ed615746335027431b25ad7e4d8019e7fdc0f6
  - SHA512: 7a0766d6c743ffff886adf9a680c774bb65cc99dd257f14016d6cd1240a0d7db1c0e4e4a65dacc00c2a1d97bb28d58af0b8ab790fe0b9ef1af3ba834b4634c38
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
  - Filesize: 679KB
  - MD5: 089936829e638abf2b4cf0287727ee51
  - SHA1: 985e4dea3285f69dbdb631975db8beb988f703ad
  - SHA256: 8152d18936f593cfddeeac2b9e5bfc5ffe2318b2a5f3a03f0436f4f5ee650da6
  - SHA512: 75d4e19582008947a88458de2503dcefe16719b524b4219f9f29c68737855ff8421b0e6f72f84504d0e80f5e7b3689cf22de401ca2495065f4dded17fc85dc79
- \Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
  - Filesize: 474KB
  - MD5: d2493c220e2349658da794a9fc2b8218
  - SHA1: f71d7f8943b5aea24df5a846e7c875c0baae6446
  - SHA256: 1a102d9004be63a3b0921dce05c5f18ffbf81d8dbc2c8584f9b19cc38f6dee35
  - SHA512: eb878ca785198d682e685cc845c402d4038b6f786beecc726f1e72185755b8edb6ee794f48d221d57db57d122efa3dd6e1d336f141aab1f806f8a27453c1a2fd

Memory dumps (PID 684):
- memory/684-39-0x0000000000BB0000-0x0000000000BBA000-memory.dmp, 40KB
- memory/684-40-0x00000000004F0000-0x0000000000502000-memory.dmp, 72KB
- memory/684-41-0x0000000000DD0000-0x0000000000DEA000-memory.dmp, 104KB
- memory/684-42-0x0000000000BA0000-0x0000000000BB4000-memory.dmp, 80KB
- memory/684-43-0x0000000000BC0000-0x0000000000BCE000-memory.dmp, 56KB
- memory/684-44-0x0000000000F50000-0x0000000000F6E000-memory.dmp, 120KB
- memory/684-45-0x0000000000BD0000-0x0000000000BDA000-memory.dmp, 40KB
- memory/684-46-0x000000001AEC0000-0x000000001AEEE000-memory.dmp, 184KB
- memory/684-47-0x0000000000B90000-0x0000000000BA4000-memory.dmp, 80KB