Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 06:07

Static task: static1
Behavioral task: behavioral1
- Sample: b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
- Resource: win7-20240221-en

General
- Target: b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
- Size: 719KB
- MD5: b20de7039fc71d94e134125c77cd005f
- SHA1: ef222f1e7e31db8ba0abf10ecf20279529dbf2d3
- SHA256: 2ffdff45aa288f6e09815e6072a24920ef00761c92680a8acb0e43d88fb39354
- SHA512: 5ee300f3a47dafb661e7819944557f10831c917e4e28d08dbbb940d48034a501cbe0e5bd6321bd90fb286351d767ad718c87058ba3d3cecb389592d01a7569f0
- SSDEEP: 12288:QaNuyLoOZWoOMOheqAfUVkkPQUQQq1AkEV6omI8Q:7OXlJeqAfUVD4UHqF
Malware Config
Extracted
nanocore 1.2.2.0
181.215.247.70:3031
0ba757fa-dcf9-424d-a085-97bac8c5d200
- activate_away_mode: true
- backup_connection_host: 181.215.247.70
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-07-13T15:46:57.664059336Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3031
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0ba757fa-dcf9-424d-a085-97bac8c5d200
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host:
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: installutil.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" (process: installutil.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: installutil.exe
  PID 636 (installutil.exe) set thread context of PID 2584 (installutil.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: installutil.exe
  File created: C:\Program Files (x86)\NAS Host\nashost.exe (process: installutil.exe)
  File opened for modification: C:\Program Files (x86)\NAS Host\nashost.exe (process: installutil.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  PID 2468 schtasks.exe
  PID 2876 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: installutil.exe, installutil.exe
  PID 636 installutil.exe
  PID 2584 installutil.exe
  PID 2584 installutil.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: installutil.exe
  PID 2584 installutil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: installutil.exe, installutil.exe
  Token: SeDebugPrivilege, PID 636 installutil.exe
  Token: SeDebugPrivilege, PID 2584 installutil.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe, installutil.exe, installutil.exe
  PID 2224 (b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe) wrote to memory of PID 636 (installutil.exe): 7 occurrences
  PID 636 (installutil.exe) wrote to memory of PID 2584 (installutil.exe): 12 occurrences
  PID 2584 (installutil.exe) wrote to memory of PID 2468 (schtasks.exe): 4 occurrences
  PID 2584 (installutil.exe) wrote to memory of PID 2876 (schtasks.exe): 4 occurrences
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe (PID: 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID: 636)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe (PID: 2584)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe (PID: 2468)
        Command line: "schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA8CD.tmp"
        - Creates scheduled task(s)
      - [4] C:\Windows\SysWOW64\schtasks.exe (PID: 2876)
        Command line: "schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA97A.tmp"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA8CD.tmp
  Filesize: 1KB
  MD5: 776580d2028b74ed89bb21146482bdff
  SHA1: d1a45290dedde63d8539a2fc8af866b430238bc7
  SHA256: fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
  SHA512: de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3
- C:\Users\Admin\AppData\Local\Temp\tmpA97A.tmp
  Filesize: 1KB
  MD5: 9f554f602c22cfc20079e966d177fadb
  SHA1: 789baa3425849bf239e47c6bcf352e6693a8c337
  SHA256: 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
  SHA512: b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb
- memory/636-26-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/636-4-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/636-5-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2224-1-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2224-2-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2224-3-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2224-0-0x0000000074711000-0x0000000074712000-memory.dmp (Filesize: 4KB)
- memory/2584-18-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-6-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-22-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-27-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2584-17-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-12-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-10-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-25-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-28-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2584-29-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2584-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2584-8-0x0000000000090000-0x00000000000C8000-memory.dmp (Filesize: 224KB)
- memory/2584-37-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2584-38-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)
- memory/2584-39-0x0000000074710000-0x0000000074CBB000-memory.dmp (Filesize: 5.7MB)