Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 17-06-2024 08:53
Static task: static1
Behavioral task: behavioral1
Sample: b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
Size: 484KB
MD5: b7bfbe5327957e4d9d3d6d8b224eab37
SHA1: 49699c7aabb20f9a524a6e24a961cad666d74cb1
SHA256: 13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612
SHA512: 73cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b
SSDEEP: 6144:TlchQntF4DYvKj5NwFZ5UNmL/CD42coG4c2tS6DvxbU:TKin0Ev9a8TCwo58qvxI
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: anyi.ddns.net:1991
Mutex: ef4f1edc-e607-491e-af8a-8e481f6d0505

Attributes:
activate_away_mode: true
backup_connection_host: anyi.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-07-29T10:10:37.812211236Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not included in this report)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1991
default_group: EXCEL
enable_debug_mode: true
gc_threshold: 10485760
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760
mutex: ef4f1edc-e607-491e-af8a-8e481f6d0505
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: anyi.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
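The extracted configuration above is the most durable part of this report: the sandbox PIDs and temp file names change on every run, but the C2 host, port and mutex GUID are baked into the build. The following is an added example, not part of the sandbox output, that turns that configuration into a hunt package and then runs it over a few constructed, Sysmon-style DNS and network-connection lines (simplified key=value rendering, not real telemetry; 203.0.113.10 is a documentation address). It deliberately does not promote 8.8.8.8/8.8.4.4 to indicators because `use_custom_dns_server` is false here, and it records two responder caveats that follow from `set_critical_process` and `request_elevation`.

```python
"""Turn the NanoCore configuration the sandbox extracted into a hunt package.

Added example for this report, not part of the sandbox output. NANOCORE_CONFIG is
transcribed from the "Malware Config" section above; SAMPLE_EVENTS are constructed,
Sysmon-style lines (Event ID 22 DnsQuery, Event ID 3 NetworkConnect) in a
simplified key=value rendering, not real telemetry.
"""
import re
from dataclasses import dataclass, field

NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "anyi.ddns.net",
    "backup_connection_host": "anyi.ddns.net",
    "connection_port": 1991,
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "mutex": "ef4f1edc-e607-491e-af8a-8e481f6d0505",
    "set_critical_process": True,
    "request_elevation": True,
    "bypass_user_account_control": False,
}


@dataclass
class HuntPackage:
    c2_endpoints: set = field(default_factory=set)  # "host:port"
    domains: set = field(default_factory=set)
    dns_servers: set = field(default_factory=set)   # only populated when the implant uses them
    mutexes: set = field(default_factory=set)
    caveats: list = field(default_factory=list)     # operational notes for the responder


def build_hunt_package(cfg):
    pkg = HuntPackage()
    port = int(cfg["connection_port"])
    for key in ("primary_connection_host", "backup_connection_host"):
        host = (cfg.get(key) or "").lower()
        if host:
            pkg.domains.add(host)
            pkg.c2_endpoints.add(f"{host}:{port}")
    # 8.8.8.8/8.8.4.4 are only indicators if the implant is configured to use them;
    # with use_custom_dns_server=false they are noise shared with every other process.
    if cfg.get("use_custom_dns_server"):
        for key in ("primary_dns_server", "backup_dns_server"):
            if cfg.get(key):
                pkg.dns_servers.add(cfg[key])
    if cfg.get("mutex"):
        pkg.mutexes.add(cfg["mutex"].lower())
    if cfg.get("set_critical_process"):
        # NanoCore's critical-process option marks the implant critical (RtlSetProcessIsCritical);
        # terminating it can bugcheck the host. Isolate and suspend before killing.
        pkg.caveats.append("set_critical_process=true: do not kill the process blindly")
    if cfg.get("request_elevation") and not cfg.get("bypass_user_account_control"):
        pkg.caveats.append("request_elevation=true without UAC bypass: expect a UAC prompt, not a silent elevation")
    return pkg


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    r"Sysmon 22 DnsQuery Image=C:\Users\Admin\AppData\Local\app.exe QueryName=anyi.ddns.net QueryResults=203.0.113.10;",
    r"Sysmon 3 NetworkConnect Image=C:\Users\Admin\AppData\Local\app.exe DestinationIp=203.0.113.10 DestinationPort=1991",
    r"Sysmon 22 DnsQuery Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.example.com QueryResults=93.184.216.34;",
    r"Sysmon 3 NetworkConnect Image=C:\Windows\System32\svchost.exe DestinationIp=8.8.8.8 DestinationPort=53",
]

DNS_RE = re.compile(r"QueryName=(\S+) QueryResults=([^ ;]+)")
NET_RE = re.compile(r"DestinationIp=(\S+) DestinationPort=(\d+)")


def match_events(pkg, events):
    """Return (event, reason) pairs. DNS lookups of a C2 domain are flagged directly;
    connections are flagged only when they go to an address that a flagged lookup
    resolved, on the configured port, so the dynamic-DNS host can change IP freely."""
    resolved = {}  # ip -> c2 domain, learned from the DNS events in the same stream
    hits = []
    for ev in events:
        if " 22 DnsQuery " in ev:
            m = DNS_RE.search(ev)
            if m and m.group(1).lower() in pkg.domains:
                resolved[m.group(2)] = m.group(1).lower()
                hits.append((ev, f"DNS lookup of C2 domain {m.group(1)}"))
        elif " 3 NetworkConnect " in ev:
            m = NET_RE.search(ev)
            if not m:
                continue
            ip, port = m.group(1), int(m.group(2))
            if ip in resolved and f"{resolved[ip]}:{port}" in pkg.c2_endpoints:
                hits.append((ev, f"connection to {resolved[ip]}:{port}"))
            elif ip in pkg.dns_servers and port == 53:
                hits.append((ev, "DNS traffic to the implant's configured resolver"))
    return hits


if __name__ == "__main__":
    package = build_hunt_package(NANOCORE_CONFIG)
    for hit in match_events(package, SAMPLE_EVENTS):
        print(hit[1], "::", hit[0])
    for note in package.caveats:
        print("caveat:", note)
```

The resolver fields are kept out of the package on purpose: a Google DNS hit is meaningless on most networks, and only becomes an indicator when the sample is configured to bypass the corporate resolver. The dynamic-DNS C2 is matched by name first and by learned IP second, since the address behind `anyi.ddns.net` is not stable.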
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
Processes:
  PID 2012 app.exe
  PID 4824 app.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\app.exe -boot" (app.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" (app.exe)

Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (app.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2012 (app.exe) set thread context of PID 4824 (app.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
  File created: C:\Program Files (x86)\AGP Service\agpsv.exe (app.exe)
  File opened for modification: C:\Program Files (x86)\AGP Service\agpsv.exe (app.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 3984 schtasks.exe
  PID 1380 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 4824 app.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 4824 app.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 4480 b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2012 app.exe
  Token: SeDebugPrivilege, PID 4824 app.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  PID 4480 (b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe) wrote to memory of PID 3624 (cmd.exe), 3 events
  PID 4480 (b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe) wrote to memory of PID 3416 (cmd.exe), 3 events
  PID 3416 (cmd.exe) wrote to memory of PID 2012 (app.exe), 3 events
  PID 2012 (app.exe) wrote to memory of PID 4824 (app.exe), 8 events
  PID 4824 (app.exe) wrote to memory of PID 3984 (schtasks.exe), 3 events
  PID 4824 (app.exe) wrote to memory of PID 1380 (schtasks.exe), 3 events
Processes

C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe (depth 1, PID 4480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3624)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe"

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3416)
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\app.exe (depth 3, PID 2012)
      Command line: "C:\Users\Admin\AppData\Local\app.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\app.exe (depth 4, PID 4824)
        Command line: "C:\Users\Admin\AppData\Local\app.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (depth 5, PID 3984)
          Command line: "schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8AB7.tmp"
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe (depth 5, PID 1380)
          Command line: "schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B35.tmp"
          - Creates scheduled task(s)
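The process tree shows the whole install chain: the launcher copies itself to %LOCALAPPDATA%\app.exe through cmd.exe, relaunches the copy, that copy spawns a second instance of the same image and writes into it before calling SetThreadContext (the usual hollowing pattern), and the hollowed instance then persists through a HKCU Run value, a HKLM Run value, a drop into Program Files (x86) and two scheduled tasks created from XML files in %TEMP%. The following is an added example, not part of the sandbox report, that re-derives those signatures from an event stream. The events are constructed to mirror the tree above (PIDs, paths and command lines are taken from it; `Ppid=1` for the root, the `HKU`/`HKLM` key prefixes and the one-line key=value format are simplifications, not real Sysmon output).

```python
"""Re-derive the persistence and injection signatures in the report from a
process/registry/file event stream.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report's process tree; the key=value line format is a simplification.
"""
import re

EVENTS = r"""
ProcessCreate Pid=4480 Ppid=1 Image=C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe CommandLine="C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe"
ProcessCreate Pid=3624 Ppid=4480 Image=C:\Windows\SysWOW64\cmd.exe CommandLine="C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe"
ProcessCreate Pid=3416 Ppid=4480 Image=C:\Windows\SysWOW64\cmd.exe CommandLine="C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"
ProcessCreate Pid=2012 Ppid=3416 Image=C:\Users\Admin\AppData\Local\app.exe CommandLine="C:\Users\Admin\AppData\Local\app.exe"
ProcessCreate Pid=4824 Ppid=2012 Image=C:\Users\Admin\AppData\Local\app.exe CommandLine="C:\Users\Admin\AppData\Local\app.exe"
SetThreadContext Pid=2012 TargetPid=4824
RegistrySet Pid=2012 Image=C:\Users\Admin\AppData\Local\app.exe Key=HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Value="C:\Users\Admin\AppData\Local\app.exe -boot"
RegistrySet Pid=4824 Image=C:\Users\Admin\AppData\Local\app.exe Key=HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service Value="C:\Program Files (x86)\AGP Service\agpsv.exe"
FileCreate Pid=4824 Image=C:\Users\Admin\AppData\Local\app.exe Target=C:\Program Files (x86)\AGP Service\agpsv.exe
ProcessCreate Pid=3984 Ppid=4824 Image=C:\Windows\SysWOW64\schtasks.exe CommandLine="schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8AB7.tmp"
ProcessCreate Pid=1380 Ppid=4824 Image=C:\Windows\SysWOW64\schtasks.exe CommandLine="schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B35.tmp"
"""


def parse_event(line):
    """Split 'Type K=V K=V ...' where values may contain spaces but keys never do."""
    parts = re.split(r" (?=\w+=)", line.strip())
    ev = {"type": parts[0]}
    for part in parts[1:]:
        key, value = part.split("=", 1)
        ev[key] = value
    return ev


def detect(raw):
    events = [parse_event(l) for l in raw.strip().splitlines()]
    procs = {e["Pid"]: e for e in events if e["type"] == "ProcessCreate"}
    alerts = []

    def add(rule, pid, detail):
        alerts.append({"rule": rule, "pid": pid, "detail": detail})

    for e in events:
        if e["type"] == "ProcessCreate":
            img, cl = e["Image"], e["CommandLine"]
            parent = procs.get(e["Ppid"])
            quoted = re.findall(r'"([^"]+)"', cl)
            # cmd /c copy <parent's own image> -> a path under AppData: staging a renamed launcher
            if img.lower().endswith("\\cmd.exe") and re.search(r"/c\s+copy\b", cl, re.I) and len(quoted) >= 3:
                src, dst = quoted[-2], quoted[-1]
                if parent and src.lower() == parent["Image"].lower() and "\\appdata\\" in dst.lower():
                    add("self_copy_to_appdata", e["Pid"], f"{src} -> {dst}")
            # an AppData-resident binary spawning a second instance of itself: hollowing precursor
            if parent and parent["Image"].lower() == img.lower() and "\\appdata\\" in img.lower():
                add("self_spawn_from_appdata", e["Pid"], img)
            # schtasks /create fed from an XML definition in %TEMP%
            if img.lower().endswith("\\schtasks.exe") and re.search(r"/create\b", cl, re.I):
                m = re.search(r'/xml\s+"([^"]+)"', cl, re.I)
                if m and "\\temp\\" in m.group(1).lower():
                    add("schtasks_xml_from_temp", e["Pid"], m.group(1))
        elif e["type"] == "SetThreadContext":
            # SetThreadContext on a freshly spawned child of the same image completes the hollowing pattern
            src, dst = procs.get(e["Pid"]), procs.get(e["TargetPid"])
            if src and dst and src["Image"].lower() == dst["Image"].lower():
                add("hollowing_candidate", e["Pid"], f"SetThreadContext on child {e['TargetPid']} ({dst['Image']})")
        elif e["type"] == "RegistrySet" and "\\currentversion\\run\\" in e["Key"].lower():
            # Run values written by anything living under AppData are worth a look regardless of target
            if "\\appdata\\" in e["Image"].lower():
                add("run_key_by_appdata_binary", e["Pid"], f"{e['Key']} = {e['Value']}")
        elif e["type"] == "FileCreate":
            if "\\program files" in e["Target"].lower() and "\\appdata\\" in e["Image"].lower():
                add("program_files_drop_by_appdata_binary", e["Pid"], e["Target"])
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:40} pid={a['pid']:<6} {a['detail']}")
```

Each rule keys on a relationship rather than a string from this sample (parent image equals copied source, child image equals parent image, Run value writer lives under AppData), so the same logic fires when the next build uses a different file name or task name. The hollowing rule only fires once the SetThreadContext event arrives, which is the last step of the pattern; the earlier `self_spawn_from_appdata` alert is the lower-confidence precursor.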
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8AB7.tmp
  Filesize: 1KB
  MD5: db38cdeb3601508a120b6723d0a376ad
  SHA1: 72eefd94955dc045fc48a38cdec6635330fa6f6e
  SHA256: 3fcbc7c0f18bd41d5f3e82642c82b5418fd78567a65996bf9972ea055caaf5ad
  SHA512: 2082a6175e081ac5f89ebd30d0e94350b5d6ad0732124606651f41a22ddb203a2ceb704537da96c14012c2545cafb1d8cbfd671802c6daac3dd95cff2292b9f8

C:\Users\Admin\AppData\Local\Temp\tmp8B35.tmp
  Filesize: 1KB
  MD5: 7a81ae69c04c8d95261eb5f490b7f869
  SHA1: 9f4f484d306fea15b2e7f9f16db660833bb1f8ce
  SHA256: ce3933e772f663a834335cc2071e5e7b2d49a065b51d84a259054b8ef663e785
  SHA512: 8260ab83106752a488e164bbed63ef334d34399bc9a5c09a0cfceba6aef48eafe5c64e4dfbd353ac3edfff2523b16c2b0287d34833a293c4436e068fae656de8

C:\Users\Admin\AppData\Local\app.exe (same hashes as the submitted sample)
  Filesize: 484KB
  MD5: b7bfbe5327957e4d9d3d6d8b224eab37
  SHA1: 49699c7aabb20f9a524a6e24a961cad666d74cb1
  SHA256: 13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612
  SHA512: 73cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b

Memory dumps:
  memory/2012-23-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/2012-19-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/2012-17-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/2012-18-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/4480-5-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/4480-4-0x0000000005360000-0x00000000053F2000-memory.dmp  Filesize: 584KB
  memory/4480-11-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/4480-7-0x0000000005590000-0x000000000559A000-memory.dmp  Filesize: 40KB
  memory/4480-6-0x0000000005400000-0x0000000005410000-memory.dmp  Filesize: 64KB
  memory/4480-0-0x000000007464E000-0x000000007464F000-memory.dmp  Filesize: 4KB
  memory/4480-13-0x0000000074640000-0x0000000074DF0000-memory.dmp  Filesize: 7.7MB
  memory/4480-10-0x000000007464E000-0x000000007464F000-memory.dmp  Filesize: 4KB
  memory/4480-1-0x0000000000870000-0x00000000008F2000-memory.dmp  Filesize: 520KB
  memory/4480-3-0x0000000005910000-0x0000000005EB4000-memory.dmp  Filesize: 5.6MB
  memory/4480-2-0x00000000052C0000-0x000000000535C000-memory.dmp  Filesize: 624KB
  memory/4824-20-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
  memory/4824-31-0x0000000005130000-0x000000000513A000-memory.dmp  Filesize: 40KB
  memory/4824-32-0x00000000054F0000-0x000000000550E000-memory.dmp  Filesize: 120KB
  memory/4824-33-0x0000000006280000-0x000000000628A000-memory.dmp  Filesize: 40KB