Malware Analysis Report

2024-08-06 14:48

Sample ID 240614-kthe4sxbpq
Target a8d385367ec6e7c892816e137900ff79_JaffaCakes118
SHA256 bcfbf1fd4641c8b686c9dabd458b4db3efdcf03157fa7b09515a00e980e889ce
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcfbf1fd4641c8b686c9dabd458b4db3efdcf03157fa7b09515a00e980e889ce

Threat Level: Known bad

The file a8d385367ec6e7c892816e137900ff79_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:56

Platform

win7-20240611-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files\\DDP Service\\ddpsv.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A
File opened for modification C:\Program Files\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
PID 2648 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
PID 2648 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
PID 2648 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
PID 2648 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe

outlook.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe"
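The WriteProcessMemory rows above list the same parent/child pair once per call, so the four-deep chain is easy to miss among twelve near-identical lines, and the Processes list carries the one detail that explains the chain: the stage-two archive is a WinRAR self-extractor launched with -p (archive password) and -d (extraction directory). The following Python is an added example, not part of the sandbox report: it parses constructed copies of those two listings into a parent-to-child chain with per-edge call counts, maps each PID to its image, and pulls the SFX switches out of the command line. The row text is copied from the tables above; the switch meanings are standard WinRAR SFX switches; nothing is read from a live host.

```python
import re
from collections import Counter

# Image paths as they appear in the behavioral1 listings above.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SFX = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe"

# Constructed copy of the "Suspicious use of WriteProcessMemory" rows: the sandbox
# emits one row per call, so each parent/child pair appears four times.
WPM_ROWS = "\n".join(
    [f"PID 2852 wrote to memory of 2720 N/A {LOADER} {CMD}"] * 4
    + [f"PID 2720 wrote to memory of 2648 N/A {CMD} {SFX}"] * 4
    + [f"PID 2648 wrote to memory of 684 N/A {SFX} {PAYLOAD}"] * 4
)

# Constructed copy of the "Processes" listing: image path, blank line, command line.
PROCESS_ROWS = "\n\n".join([
    LOADER, f'"{LOADER}"',
    CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat" "',
    SFX, r"outlook.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp",
    PAYLOAD, f'"{PAYLOAD}"',
])

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(rows):
    """Return ({pid: image}, Counter{(parent_pid, child_pid): call count})."""
    images, edges = {}, Counter()
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        images[int(src)] = src_img
        images[int(dst)] = dst_img
        edges[(int(src), int(dst))] += 1
    return images, edges


def process_chain(images, edges):
    """Depth-first walk from every root PID (one that is never a child).
    Returns [(pid, image, writes_from_parent)] in execution order."""
    children = {}
    for (src, dst), calls in edges.items():
        children.setdefault(src, []).append((dst, calls))
    child_pids = {dst for (_, dst) in edges}
    chain = []

    def walk(pid, calls):
        chain.append((pid, images[pid], calls))
        for child, n in sorted(children.get(pid, [])):
            walk(child, n)

    for root in sorted(p for p in images if p not in child_pids):
        walk(root, 0)
    return chain


def parse_processes(rows):
    """The Processes listing alternates image path / command line; pair them up."""
    items = [line for line in rows.splitlines() if line.strip()]
    return dict(zip(items[0::2], items[1::2]))


# WinRAR SFX switches: -p<password> selects the archive password, -d<path> the destination.
SFX_SWITCH_RE = re.compile(r"(?<!\S)-(p|d)(\S+)")


def sfx_switches(cmdline):
    """Extract password and destination from a WinRAR SFX command line."""
    names = {"p": "password", "d": "destination"}
    return {names[k]: v for k, v in SFX_SWITCH_RE.findall(cmdline)}


if __name__ == "__main__":
    images, edges = parse_wpm(WPM_ROWS)
    for depth, (pid, image, calls) in enumerate(process_chain(images, edges)):
        print(f"{'  ' * depth}{pid}  {image}  (writes from parent: {calls})")
    print("SFX switches:", sfx_switches(parse_processes(PROCESS_ROWS)[SFX]))
```

The chain that falls out is loader -> cmd.exe (running frg.bat) -> outlook.sfx.exe -> outlook.exe, each hop with four WriteProcessMemory calls, and the password 126 is what unpacks RarSFX1\outlook.exe if you want to extract the stage-two archive yourself rather than let it run.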

Network

Country Destination Domain Proto
US 8.8.8.8:53 zam.accesscam.org udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 zam123.myftp.biz udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 zam.accesscam.org udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat

MD5 ffa5e8316d6624bc4988a91fc24107f2
SHA1 087399a1d78f1fee901ec77f7bfd011027003c37
SHA256 858e2cd0a37f82e72708bc15d0ed615746335027431b25ad7e4d8019e7fdc0f6
SHA512 7a0766d6c743ffff886adf9a680c774bb65cc99dd257f14016d6cd1240a0d7db1c0e4e4a65dacc00c2a1d97bb28d58af0b8ab790fe0b9ef1af3ba834b4634c38

C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe

MD5 089936829e638abf2b4cf0287727ee51
SHA1 985e4dea3285f69dbdb631975db8beb988f703ad
SHA256 8152d18936f593cfddeeac2b9e5bfc5ffe2318b2a5f3a03f0436f4f5ee650da6
SHA512 75d4e19582008947a88458de2503dcefe16719b524b4219f9f29c68737855ff8421b0e6f72f84504d0e80f5e7b3689cf22de401ca2495065f4dded17fc85dc79

C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe

MD5 d2493c220e2349658da794a9fc2b8218
SHA1 f71d7f8943b5aea24df5a846e7c875c0baae6446
SHA256 1a102d9004be63a3b0921dce05c5f18ffbf81d8dbc2c8584f9b19cc38f6dee35
SHA512 eb878ca785198d682e685cc845c402d4038b6f786beecc726f1e72185755b8edb6ee794f48d221d57db57d122efa3dd6e1d336f141aab1f806f8a27453c1a2fd

memory/684-39-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

memory/684-40-0x00000000004F0000-0x0000000000502000-memory.dmp

memory/684-41-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

memory/684-42-0x0000000000BA0000-0x0000000000BB4000-memory.dmp

memory/684-43-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

memory/684-44-0x0000000000F50000-0x0000000000F6E000-memory.dmp

memory/684-45-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

memory/684-46-0x000000001AEC0000-0x000000001AEEE000-memory.dmp

memory/684-47-0x0000000000B90000-0x0000000000BA4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:56

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files\\PCI Service\\pcisv.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\PCI Service\pcisv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A
File opened for modification C:\Program Files\PCI Service\pcisv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A
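Both detonations persist the same way: outlook.exe drops a copy under C:\Program Files\<Name> Service\<abbr>sv.exe and registers it as an HKLM Run value with the same "<Name> Service" name (DDP Service / ddpsv.exe on the Windows 7 run above, PCI Service / pcisv.exe on Windows 10 here). The name changes between runs, the shape does not, and a Run value called "Something Service" is an autostart entry, not a service the Service Control Manager knows about. The Python below is an added example, not part of the report: a hunting check that scores Run-key entries against that shape and against the host's registered service names. The Run entries and the service list are constructed from the rows on this page plus one benign entry; on a Windows host collect_run_entries() reads HKLM with winreg, and the service list is assumed to come from sc query or Get-Service output (not shown).

```python
import ntpath
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the "Adds Run key to start application" rows of both
# detonations, plus a benign Windows entry for contrast.
RUN_ENTRIES = {
    "DDP Service": r"C:\Program Files\DDP Service\ddpsv.exe",
    "PCI Service": r"C:\Program Files\PCI Service\pcisv.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}
# Constructed stand-in for the SCM service list a real host would return.
SCM_SERVICES = {"wuauserv", "WinDefend", "Dnscache"}

PROGRAM_FILES = ("program files", "program files (x86)")
SV_BINARY_RE = re.compile(r"^[a-z]{2,4}sv\.exe$", re.IGNORECASE)


def image_path(value):
    """Recover the executable from a Run value: quoted path, or an unquoted
    path that may contain spaces (cut at the first .exe)."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v.split(" ", 1)[0]


def run_entry_traits(name, value, scm_services):
    """Traits shared by the DDP Service / PCI Service entries on this page."""
    traits = []
    exe = image_path(value)
    folder = ntpath.dirname(exe)
    if name.lower().endswith(" service"):
        traits.append("service_named_runkey")  # autostart via Run key, dressed as a service
        if name.lower() not in {s.lower() for s in scm_services}:
            traits.append("no_such_service")  # SCM has no service of that name
    if (ntpath.basename(ntpath.dirname(folder)).lower() in PROGRAM_FILES
            and ntpath.basename(folder).lower() == name.lower()):
        traits.append("program_files_service_dir")  # Program Files\<Name> named after the entry
    if SV_BINARY_RE.match(ntpath.basename(exe)):
        traits.append("short_sv_binary")  # ddpsv.exe / pcisv.exe style name
    return traits


def hunt(entries, scm_services):
    """Return {entry name: traits} for every Run entry showing at least one trait."""
    findings = {}
    for name, value in entries.items():
        traits = run_entry_traits(name, value, scm_services)
        if traits:
            findings[name] = traits
    return findings


def collect_run_entries():
    """On Windows, read HKLM\\...\\Run with winreg; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return dict(RUN_ENTRIES)
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    for name, traits in hunt(collect_run_entries(), SCM_SERVICES).items():
        print(f"{name}: {', '.join(traits)}")
```

The check is deliberately name-agnostic: it would have flagged the Windows 7 and Windows 10 variants alike, and any future run that picks a third "<Name> Service" folder, without a hash or string from this sample. Pair it with the Program Files write itself (an unsigned PE created under Program Files by a process in the user's Temp directory) for a second, independent signal.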

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe

outlook.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zam.accesscam.org udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.22.237:443 g.bing.com tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.22.107.13.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam.accesscam.org udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
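The Windows 10 capture mixes the implant's traffic with background traffic the Windows 7 run did not produce (bing.com and a run of reverse PTR lookups of Microsoft addresses), which is the usual reason a raw sandbox network table is not a usable indicator list. The Python below is an added example, not part of the report: it parses a constructed copy of the table above, drops the background rows under an assumed noise allow-list, separates resolver queries from connections, and aggregates what remains into C2 indicators with connection counts. It also flags names under free dynamic-DNS zones; accesscam.org and myftp.biz are both No-IP zones, so zam.accesscam.org and zam123.myftp.biz can be re-pointed at a new server without touching the sample. The noise and dynamic-DNS suffix lists are assumptions of the example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed copy of the behavioral2 Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 zam.accesscam.org udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.22.237:443 g.bing.com tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.22.107.13.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam123.myftp.biz udp
US 8.8.8.8:53 zam.accesscam.org udp
TR 185.84.181.101:6925 zam.accesscam.org tcp
TR 185.84.181.101:6925 zam.accesscam.org tcp
"""

ROW_RE = re.compile(r"^(\w\w) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")

# Assumed allow-list: Windows 10 background traffic seen in sandbox detonations.
NOISE_SUFFIXES = (".bing.com", ".in-addr.arpa")
# Assumed list of free dynamic-DNS zones (both are No-IP zones).
DDNS_SUFFIXES = (".accesscam.org", ".myftp.biz")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) for every well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            yield cc, ip, int(port), domain, proto


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def triage(text):
    """Split the table into resolver queries and connections, aggregated per indicator."""
    dns = defaultdict(int)  # domain -> number of queries
    c2 = {}                 # (ip, port) -> details
    noise_rows = 0
    for cc, ip, port, domain, proto in parse_rows(text):
        if is_noise(domain):
            noise_rows += 1
            continue
        if proto == "udp" and port == 53:
            dns[domain] += 1
            continue
        entry = c2.setdefault((ip, port), {"country": cc, "proto": proto,
                                           "connections": 0, "domains": set()})
        entry["connections"] += 1
        entry["domains"].add(domain)
    # Queried but never connected to: a fallback C2 name that did not resolve, or resolved late.
    connected = {d for e in c2.values() for d in e["domains"]}
    queried_only = sorted(d for d in dns if d not in connected)
    ddns = sorted(d for d in dns if d.endswith(DDNS_SUFFIXES))
    return {"dns": dict(dns), "c2": c2, "queried_only": queried_only,
            "ddns": ddns, "noise_rows": noise_rows}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for (ip, port), e in result["c2"].items():
        print(f"C2 {ip}:{port}/{e['proto']} [{e['country']}] "
              f"{e['connections']} connections via {', '.join(sorted(e['domains']))}")
    print("queried only:", result["queried_only"])
    print("dynamic DNS names:", result["ddns"])
    print("background rows dropped:", result["noise_rows"])
```

Run on the table above this leaves one endpoint, 185.84.181.101:6925/tcp with eight connections, all via zam.accesscam.org, and shows zam123.myftp.biz as queried four times but never connected to, which is worth blocking alongside the primary name rather than dismissing.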

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat

MD5 ffa5e8316d6624bc4988a91fc24107f2
SHA1 087399a1d78f1fee901ec77f7bfd011027003c37
SHA256 858e2cd0a37f82e72708bc15d0ed615746335027431b25ad7e4d8019e7fdc0f6
SHA512 7a0766d6c743ffff886adf9a680c774bb65cc99dd257f14016d6cd1240a0d7db1c0e4e4a65dacc00c2a1d97bb28d58af0b8ab790fe0b9ef1af3ba834b4634c38

C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe

MD5 089936829e638abf2b4cf0287727ee51
SHA1 985e4dea3285f69dbdb631975db8beb988f703ad
SHA256 8152d18936f593cfddeeac2b9e5bfc5ffe2318b2a5f3a03f0436f4f5ee650da6
SHA512 75d4e19582008947a88458de2503dcefe16719b524b4219f9f29c68737855ff8421b0e6f72f84504d0e80f5e7b3689cf22de401ca2495065f4dded17fc85dc79

C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe

MD5 d2493c220e2349658da794a9fc2b8218
SHA1 f71d7f8943b5aea24df5a846e7c875c0baae6446
SHA256 1a102d9004be63a3b0921dce05c5f18ffbf81d8dbc2c8584f9b19cc38f6dee35
SHA512 eb878ca785198d682e685cc845c402d4038b6f786beecc726f1e72185755b8edb6ee794f48d221d57db57d122efa3dd6e1d336f141aab1f806f8a27453c1a2fd

memory/3692-19-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

memory/3692-20-0x000000001B820000-0x000000001BCEE000-memory.dmp

memory/3692-21-0x000000001BCF0000-0x000000001BD8C000-memory.dmp

memory/3692-22-0x000000001BF40000-0x000000001BFE6000-memory.dmp

memory/3692-23-0x0000000000B50000-0x0000000000B58000-memory.dmp

memory/3692-26-0x000000001C4C0000-0x000000001C4CA000-memory.dmp

memory/3692-27-0x000000001C1F0000-0x000000001C202000-memory.dmp

memory/3692-28-0x000000001C6D0000-0x000000001C6EA000-memory.dmp

memory/3692-29-0x0000000000EC0000-0x0000000000ED4000-memory.dmp

memory/3692-31-0x000000001C6F0000-0x000000001C70E000-memory.dmp

memory/3692-30-0x000000001C020000-0x000000001C02E000-memory.dmp

memory/3692-32-0x0000000000B70000-0x0000000000B7A000-memory.dmp

memory/3692-33-0x000000001C980000-0x000000001C9AE000-memory.dmp

memory/3692-34-0x000000001C820000-0x000000001C834000-memory.dmp

memory/3692-35-0x0000000000BA0000-0x0000000000BB0000-memory.dmp