Analysis
-
max time kernel
138s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
17-06-2024 08:53
Static task
static1
Behavioral task
behavioral1
Sample
b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
-
Size
484KB
-
MD5
b7bfbe5327957e4d9d3d6d8b224eab37
-
SHA1
49699c7aabb20f9a524a6e24a961cad666d74cb1
-
SHA256
13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612
-
SHA512
73cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b
-
SSDEEP
6144:TlchQntF4DYvKj5NwFZ5UNmL/CD42coG4c2tS6DvxbU:TKin0Ev9a8TCwo58qvxI
Malware Config
Extracted
nanocore (NanoCore RAT; version 1.2.2.0 per the extracted configuration below)
1.2.2.0
anyi.ddns.net:1991 (C2 endpoint: a dynamic-DNS hostname on TCP port 1991 — the same host is configured as both primary_connection_host and backup_connection_host, and 1991 as connection_port, so blocking this one name/port pair covers the implant's configured C2)
ef4f1edc-e607-491e-af8a-8e481f6d0505
-
activate_away_mode
true
-
backup_connection_host
anyi.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-07-29T10:10:37.812211236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value omitted from this listing; note that bypass_user_account_control itself is set to false in this build)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1991
-
default_group
EXCEL
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB; shown in scientific notation as 1.048576e+07)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB; shown in scientific notation as 1.048576e+07)
-
mutex
ef4f1edc-e607-491e-af8a-8e481f6d0505
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
anyi.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false (note: despite this builder option, the sample still established persistence at runtime — two Run-key values and two scheduled tasks, see the "Adds Run key" and "Creates scheduled task(s)" signatures below)
-
set_critical_process
true (the builder option to mark the implant as a critical process; if it took effect, terminating the process can crash the host, so during response prefer suspending or network-isolating the process over killing it until this is confirmed)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Processes: app.exe (PID 2524), app.exe (PID 1864) -
Loads dropped DLL 1 IoCs
Processes:
Processes: cmd.exe (PID 3028) -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Processes: app.exe (PIDs 2524 and 1864 both flagged). IoCs: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\app.exe -boot" (app.exe); Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" (app.exe). Two persistence entries: a per-user Run value pointing at the self-copy (launched with a -boot argument) and a machine-wide (WOW6432Node) Run value pointing at ntfsmon.exe, which app.exe also drops under Program Files (x86) — see "Drops file in Program Files directory" below. -
Checks whether UAC is enabled 1 IoCs
Processes:
app.exe — Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (app.exe). Reading EnableLUA reveals whether UAC is on; presumably tied to the config's request_elevation=true, though this trace does not show a subsequent elevation attempt. -
Suspicious use of SetThreadContext 1 IoCs
Processes:
app.exe — PID 2524 (app.exe) set the thread context of its own child, PID 1864 (app.exe). Together with the repeated WriteProcessMemory calls from 2524 into 1864 listed below, this is consistent with the first copy injecting its unpacked payload into a second instance of itself; the PID 1864 memory dumps covering 0x400000-0x438000 (224KB) under Downloads are the region to examine for the injected image. -
Drops file in Program Files directory 2 IoCs
Processes:
app.exe — File opened for modification: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (app.exe); File created: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (app.exe). This is the binary referenced by the machine-wide Run value and (by name) by the two scheduled tasks; no hash for ntfsmon.exe is recorded in the Downloads section of this report. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe (PID 108), schtasks.exe (PID 856). Both were spawned by app.exe (PID 1864) and create tasks named "NTFS Monitor" and "NTFS Monitor Task" with /f (overwrite) from XML definitions written to %TEMP% (tmp64CB.tmp and tmp652A.tmp; hashes under Downloads). The task names mimic a system-component to blend in; hunt for these task names and for the "NTFS Monitor" directory under Program Files (x86). -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
app.exepid process 1864 app.exe 1864 app.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
app.exepid process 1864 app.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Processes: b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe, app.exe, app.exe — Token: SeDebugPrivilege enabled by PID 3016 (b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe), PID 2524 (app.exe) and PID 1864 (app.exe). SeDebugPrivilege is what allows the cross-process memory writes and thread-context manipulation recorded in the next signature. -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.execmd.exeapp.exeapp.exedescription pid process target process PID 3016 wrote to memory of 2608 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 2608 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 2608 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 2608 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 3028 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 3028 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 3028 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3016 wrote to memory of 3028 3016 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe cmd.exe PID 3028 wrote to memory of 2524 3028 cmd.exe app.exe PID 3028 wrote to memory of 2524 3028 cmd.exe app.exe PID 3028 wrote to memory of 2524 3028 cmd.exe app.exe PID 3028 wrote to memory of 2524 3028 cmd.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 2524 wrote to memory of 1864 2524 app.exe app.exe PID 1864 wrote to memory of 108 1864 app.exe schtasks.exe PID 1864 wrote to memory of 108 1864 app.exe schtasks.exe PID 1864 wrote to memory of 108 1864 app.exe schtasks.exe PID 1864 wrote to memory of 108 1864 app.exe schtasks.exe PID 1864 wrote to memory of 856 1864 app.exe schtasks.exe PID 1864 wrote to memory of 856 1864 app.exe schtasks.exe PID 1864 wrote to memory of 856 1864 app.exe schtasks.exe PID 
1864 wrote to memory of 856 1864 app.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe" 2⤵PID:2608 (the sample copies itself unchanged to %LOCALAPPDATA%\app.exe — the copy carries the same size and hashes as the submitted file, see Downloads)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\app.exe"C:\Users\Admin\AppData\Local\app.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\app.exe"C:\Users\Admin\AppData\Local\app.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp"5⤵
- Creates scheduled task(s)
PID:108 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp"5⤵
- Creates scheduled task(s)
PID:856
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp (scheduled-task XML definition passed to schtasks.exe /xml for the task "NTFS Monitor") — Filesize
1KB
MD5db38cdeb3601508a120b6723d0a376ad
SHA172eefd94955dc045fc48a38cdec6635330fa6f6e
SHA2563fcbc7c0f18bd41d5f3e82642c82b5418fd78567a65996bf9972ea055caaf5ad
SHA5122082a6175e081ac5f89ebd30d0e94350b5d6ad0732124606651f41a22ddb203a2ceb704537da96c14012c2545cafb1d8cbfd671802c6daac3dd95cff2292b9f8
-
C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp (scheduled-task XML definition passed to schtasks.exe /xml for the task "NTFS Monitor Task") — Filesize
1KB
MD5981e126601526eaa5b0ad45c496c4465
SHA1d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA25611ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb
-
C:\Users\Admin\AppData\Local\app.exe (byte-identical self-copy of the submitted sample — same size, MD5, SHA1, SHA256 and SHA512 as the Target above, so the original file hashes remain valid IoCs for this dropped copy) — Filesize
484KB
MD5b7bfbe5327957e4d9d3d6d8b224eab37
SHA149699c7aabb20f9a524a6e24a961cad666d74cb1
SHA25613a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612
SHA51273cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b
-
memory/1864-13-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1864-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmpFilesize
40KB
-
memory/1864-25-0x0000000000B30000-0x0000000000B4E000-memory.dmpFilesize
120KB
-
memory/1864-24-0x0000000000AD0000-0x0000000000ADA000-memory.dmpFilesize
40KB
-
memory/1864-15-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1864-16-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2524-11-0x0000000001100000-0x0000000001182000-memory.dmpFilesize
520KB
-
memory/3016-0-0x00000000740FE000-0x00000000740FF000-memory.dmpFilesize
4KB
-
memory/3016-12-0x00000000740F0000-0x00000000747DE000-memory.dmpFilesize
6.9MB
-
memory/3016-7-0x00000000740F0000-0x00000000747DE000-memory.dmpFilesize
6.9MB
-
memory/3016-6-0x00000000740FE000-0x00000000740FF000-memory.dmpFilesize
4KB
-
memory/3016-3-0x0000000000350000-0x0000000000360000-memory.dmpFilesize
64KB
-
memory/3016-2-0x00000000740F0000-0x00000000747DE000-memory.dmpFilesize
6.9MB
-
memory/3016-1-0x0000000000DF0000-0x0000000000E72000-memory.dmpFilesize
520KB