Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
14-06-2024 10:19
Behavioral task
behavioral1
Sample
a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
-
Size
234KB
-
MD5
a929acb4997a9366c61cb3edcc0b2498
-
SHA1
77bb8b60b1341f2c0d021b4baefb7e7f6694ccca
-
SHA256
20751156d821460ab4c7db367bf964831c51daac7bf4a4eecfa4c0cf23816490
-
SHA512
55e5ea17d289bfae1fbedbc7f5dba812c01f4802442a502c72af28dd5ebed9c7e5d2f2565e19f3e20159aa5a3a566e06ceba746e53d1192ccb0eaf1480e5f231
-
SSDEEP
6144:CLV6Bta6dtJmakIM5SP2ZCt/YSyHLDe1YO9o+l:CLV6BtpmkvkfvMo
Malware Config
Extracted
nanocore
1.2.2.0
googleupdater.duckdns.org:54984
cc8a7f9a-5670-4114-ad66-34c412bf2ffc
-
activate_away_mode
false
-
backup_connection_host
googleupdater.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-11-19T22:07:50.740901936Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
cc8a7f9a-5670-4114-ad66-34c412bf2ffc
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
googleupdater.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Tempexplorer.exe — pid 1744, process Tempexplorer.exe -
Loads dropped DLL 2 IoCs
Processes:
a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe — pid 1736, process a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe; pid 1736, process a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Tempexplorer.exe — description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"; process: Tempexplorer.exe -
Processes:
Tempexplorer.exe — description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: Tempexplorer.exe -
Drops file in Program Files directory 2 IoCs
Processes:
Tempexplorer.exe — description: File created; ioc: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe; process: Tempexplorer.exe. description: File opened for modification; ioc: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe; process: Tempexplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe — pid 2104, process schtasks.exe; pid 2776, process schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Tempexplorer.exe — pid 1744, process Tempexplorer.exe; pid 1744, process Tempexplorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Tempexplorer.exe — pid 1744, process Tempexplorer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Tempexplorer.exe — description: Token: SeDebugPrivilege; pid 1744; process: Tempexplorer.exe. description: Token: SeDebugPrivilege; pid 1744; process: Tempexplorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe, Tempexplorer.exe — columns: description, pid, process, target process.
PID 1736 wrote to memory of 1744; 1736; a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe; Tempexplorer.exe.
PID 1736 wrote to memory of 1744; 1736; a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe; Tempexplorer.exe.
PID 1736 wrote to memory of 1744; 1736; a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe; Tempexplorer.exe.
PID 1736 wrote to memory of 1744; 1736; a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe; Tempexplorer.exe.
PID 1744 wrote to memory of 2104; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2104; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2104; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2104; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2776; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2776; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2776; 1744; Tempexplorer.exe; schtasks.exe.
PID 1744 wrote to memory of 2776; 1744; Tempexplorer.exe; schtasks.exe.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe — "C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Tempexplorer.exe — "C:\Users\Admin\AppData\Local\Tempexplorer.exe" 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1F24.tmp" 3⤵
- Creates scheduled task(s)
PID:2104 -
C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1FC1.tmp" 3⤵
- Creates scheduled task(s)
PID:2776
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1F24.tmp
Filesize 1KB
MD5 c32c74e937be74259424933c09985921
SHA1 b0a7f3b2609bd66e695181e492a904c994c40553
SHA256 1ae1a9bb3477f5dcb9c0be4a919e54eca05647e254725af8e9a552628b255cef
SHA512 96e17111f01c88c2b8edaa2ec08b4cd5dd40f4e0b78dcf316d7c3ca3b69267fd63a4f91ddf01baa50ddcee7b4fa393d91e4ba80087010caf7accf47dac29889e
-
C:\Users\Admin\AppData\Local\Temp\tmp1FC1.tmp
Filesize 1KB
MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb
-
\Users\Admin\AppData\Local\Tempexplorer.exe
Filesize 203KB
MD5 2a10ebef275e2d24c8f3e3d8dd01e929
SHA1 5d82da79265984af7399c6d19766b9d3afb4fe59
SHA256 226de25b7d0372d2f18c5f080d58a2766b50b70bb2f4f4505071acd45407abaa
SHA512 06fe337e2444b15a3ac0a16645a9b114033f4c6ebc0465c660a739615a7d1e134dfebfc630565a8d5df11aa3e7d38a186a1a36e7746322492f7f65031ae2b32c
-
memory/1736-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp
Filesize 4KB
-
memory/1736-1-0x0000000000E80000-0x0000000000EC2000-memory.dmp
Filesize 264KB
-
memory/1736-2-0x0000000074D70000-0x000000007545E000-memory.dmp
Filesize 6.9MB
-
memory/1736-13-0x0000000074D70000-0x000000007545E000-memory.dmp
Filesize 6.9MB
-
memory/1744-14-0x000000006FF31000-0x000000006FF32000-memory.dmp
Filesize 4KB
-
memory/1744-15-0x000000006FF30000-0x00000000704DB000-memory.dmp
Filesize 5.7MB
-
memory/1744-16-0x000000006FF30000-0x00000000704DB000-memory.dmp
Filesize 5.7MB
-
memory/1744-24-0x000000006FF30000-0x00000000704DB000-memory.dmp
Filesize 5.7MB