Malware Analysis Report

2024-08-06 14:46

Sample ID 240618-p4av8sycnm
Target bc0872c6ade198032b1d8547d1366ab7_JaffaCakes118
SHA256 36f15aee254275fbabb7fa07f09bc17c17b91624f22844f687f816b689a66c22
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36f15aee254275fbabb7fa07f09bc17c17b91624f22844f687f816b689a66c22

Threat Level: Known bad

The file bc0872c6ade198032b1d8547d1366ab7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 12:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 12:52

Reported

2024-06-18 12:55

Platform

win7-20240611-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3044 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3044 wrote to memory of 3068 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Windows\SysWOW64\schtasks.exe
PID 3044 wrote to memory of 2636 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

Processes

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a00000.xml"

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
CH | 91.192.100.3:4354 | - | tcp
CH | 91.192.100.3:4354 | - | tcp
CH | 91.192.100.3:4354 | - | tcp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
CH | 91.192.100.3:4354 | - | tcp
CH | 91.192.100.3:4354 | - | tcp
CH | 91.192.100.3:4354 | - | tcp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp

Files

memory/3044-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

memory/3044-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

memory/3044-2-0x0000000074AC0000-0x000000007506B000-memory.dmp

C:\Users\Admin\AppData\Roaming\HWJIERY\a00000.xml

MD5 ecee2f8ec824d89012411447223f1454
SHA1 46d030d3779cdf149cf389db5408a3113fef5c6f
SHA256 9a8bb653aa4afad05bf574ef21d489318a62a447a1982618bfc59d046c8b31db
SHA512 ce64505222d79ded48554ccbde640142f4e1f84124d5639585b5fde25deeb31a0374c75db88dd03a5715c5bd06197c5a55ce7421fcbd83086cc080a748c2e74a

memory/2636-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-21-0x0000000074AC0000-0x000000007506B000-memory.dmp

memory/2636-22-0x0000000074AC0000-0x000000007506B000-memory.dmp

memory/2636-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2636-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-24-0x0000000074AC0000-0x000000007506B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 12:52

Reported

2024-06-18 12:55

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4716 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4716 wrote to memory of 1896 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Windows\SysWOW64\schtasks.exe
PID 4716 wrote to memory of 2748 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe | C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe
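The SetThreadContext and WriteProcessMemory rows of both runs (PIDs 3044/3068/2636 in behavioral1, 4716/1896/2748 in behavioral2) describe the same sequence: the dropper spawns a second copy of its own image, writes into it repeatedly and then replaces its thread context, which is the self-hollowing pattern; the writes into schtasks.exe carry no thread-context change. The following is an added example written for this page, not the sandbox's own code: it parses rows of this shape and rates each writer/target pair. The rating rules are the editor's heuristics, and the assumption that memory writes into a freshly spawned child with no thread hijack are consistent with ordinary process start-up rather than injection is exactly that, an assumption to corroborate against the child's command line.

```python
import re
from collections import defaultdict

# Rows reproduced from the SetThreadContext / WriteProcessMemory tables of both
# runs in this report (counts match the tables: 1+4+9 and 1+3+8 events).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SANDBOX_ROWS = (
    [f"PID 3044 set thread context of 2636 N/A {DROPPER} {DROPPER}"]
    + [f"PID 3044 wrote to memory of 3068 N/A {DROPPER} {SCHTASKS}"] * 4
    + [f"PID 3044 wrote to memory of 2636 N/A {DROPPER} {DROPPER}"] * 9
    + [f"PID 4716 set thread context of 2748 N/A {DROPPER} {DROPPER}"]
    + [f"PID 4716 wrote to memory of 1896 N/A {DROPPER} {SCHTASKS}"] * 3
    + [f"PID 4716 wrote to memory of 2748 N/A {DROPPER} {DROPPER}"] * 8
)

# Columns are space-separated and the paths contain spaces, so anchor on the
# ".exe" suffix of the Process path and the "C:\" start of the Target path.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A "
    r"(C:\\.*?\.exe) (C:\\.*\.exe)$"
)


def parse_rows(rows):
    """Turn sandbox table rows into structured events; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        events.append({
            "src": int(src), "dst": int(dst),
            "op": "write" if op.startswith("wrote") else "thread_context",
            "src_image": src_img, "dst_image": dst_img,
        })
    return events


def classify(events):
    """Group events by (writer PID, target PID) and rate the injection pattern (heuristic)."""
    pairs = defaultdict(lambda: {"writes": 0, "thread_context": False,
                                 "same_image": False, "target_image": None})
    for e in events:
        p = pairs[(e["src"], e["dst"])]
        p["target_image"] = e["dst_image"]
        p["same_image"] = e["src_image"].lower() == e["dst_image"].lower()
        if e["op"] == "write":
            p["writes"] += 1
        else:
            p["thread_context"] = True
    for p in pairs.values():
        if p["thread_context"] and p["same_image"]:
            p["severity"] = "high"
            p["verdict"] = ("self-hollowing: parent spawned its own image, overwrote it "
                            "and redirected its thread")
        elif p["thread_context"]:
            p["severity"] = "high"
            p["verdict"] = "thread hijack into a foreign image"
        elif p["same_image"]:
            p["severity"] = "medium"
            p["verdict"] = "writes into a child of the same image, no thread hijack seen"
        else:
            # Assumption: a parent writing into a child it has just spawned, with no
            # thread-context change, is also what plain process creation looks like.
            p["severity"] = "low"
            p["verdict"] = ("writes into a freshly spawned child only; corroborate with "
                            "the child's command line before escalating")
    return dict(pairs)


if __name__ == "__main__":
    for (src, dst), p in classify(parse_rows(SANDBOX_ROWS)).items():
        print(f"{src} -> {dst} [{p['severity']}] {p['writes']} writes, "
              f"thread_context={p['thread_context']}: {p['verdict']}")
```

Run against the rows above this yields two high findings (3044 -> 2636 and 4716 -> 2748) and two low ones for the schtasks.exe children, which is the split a triage queue should see.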

Processes

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a44444.xml"

C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe

"C:\Users\Admin\AppData\Local\Temp\Urgent Arabian American Oil Company Tender..exe"
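Both runs persist through the same schtasks.exe invocation and differ only in the XML file name (a00000.xml in behavioral1, a44444.xml here). Note that the command line names C:\Windows\System32\schtasks.exe while the recorded image path is C:\Windows\SysWOW64\schtasks.exe: the dropper is a 32-bit .NET binary (see the CLR_v2.0_32 usage log under Files), so WoW64 file-system redirection rewrites the path, and a rule that matches only the System32 image path misses this task creation. The following is an added example written for this page, not code from the report: it tokenizes schtasks command lines and scores /Create invocations on the signals visible in these two rows. The third, benign command line, the signal set and the threshold of two signals are the editor's constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# The two schtasks.exe command lines from the Processes sections of this report,
# plus one constructed benign line (not from the report) as a control.
SCHTASKS_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a00000.xml"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "HWJIERY\HWJIERY" /XML "C:\Users\Admin\AppData\Roaming\HWJIERY\a44444.xml"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Microsoft\Windows\Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the schtasks action and its /SWITCH value pairs, or None if not schtasks.exe."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() != "schtasks.exe":
        return None
    action, args, i = None, {}, 1
    while i < len(toks):
        t = toks[i].upper()
        if t in ("/CREATE", "/DELETE", "/RUN", "/CHANGE", "/QUERY"):
            action, i = t, i + 1
        elif t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            args[t], i = toks[i + 1], i + 2   # switch with a value
        else:
            i += 1                            # bare switch such as /F
    return {"action": action, "args": args}


def triage_schtasks(cmdlines):
    """Score /Create invocations on persistence signals (heuristic, editor's choice)."""
    results = []
    for cmdline in cmdlines:
        parsed = parse_schtasks(cmdline)
        if not parsed or parsed["action"] != "/CREATE":
            continue
        tn = parsed["args"].get("/TN", "")
        xml = parsed["args"].get("/XML", "")
        tn_parts = [p for p in tn.split("\\") if p]
        xml_path = PureWindowsPath(xml) if xml else None
        leaf = tn_parts[-1] if tn_parts else ""
        signals = []
        if xml_path and "appdata" in (p.lower() for p in xml_path.parts):
            signals.append("task XML staged under a user profile (AppData)")
        if len(tn_parts) >= 2 and tn_parts[-1] == tn_parts[-2]:
            signals.append("task folder name equals task name")
        if xml_path and tn_parts and xml_path.parent.name == tn_parts[0]:
            signals.append("task folder matches the XML directory name")
        if len(leaf) >= 6 and leaf.isalpha() and leaf.isupper():
            signals.append("task name is an all-caps letter string")
        score = len(signals)   # assumption: two or more signals is worth an analyst's look
        results.append({"task": tn, "xml": xml, "signals": signals, "score": score,
                        "verdict": "suspicious" if score >= 2 else "benign"})
    return results


if __name__ == "__main__":
    for r in triage_schtasks(SCHTASKS_CMDLINES):
        print(f"{r['verdict']:10} score={r['score']} task={r['task']} xml={r['xml']}")
        for s in r["signals"]:
            print("   -", s)
```

On a live host the same scoring can be applied to the Task Scheduler XML files themselves, since the /XML argument points at the definition the task will keep using after the dropper is gone.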

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
US | 8.8.4.4:53 | rolex.ddns.net | udp
US | 8.8.8.8:53 | rolex.ddns.net | udp
CH | 91.192.100.3:4354 | - | tcp
CH | 91.192.100.3:4354 | - | tcp

Files

memory/4716-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

memory/4716-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4716-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\HWJIERY\a44444.xml

MD5 5aabcb8211cd687e328665c30bc854d5
SHA1 5dd9a3f311d80da9fa0459ad911a71358d8e4667
SHA256 5f84277d7cb7962b0a18228002df12f5a1231d47c3c841d27af6bea3d93ecc89
SHA512 2f6af60ff8bea976c70cc339349ace823349bac33082436cd6edfbbfdd2e35b91100cecea194d9b9cd8c43641e638b1c554d5def1f342ed9c7218ec1917ae5fc

memory/2748-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2748-6-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Urgent Arabian American Oil Company Tender..exe.log

MD5 1cc4c5b51e50ec74a6880b50ecbee28b
SHA1 1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba
SHA256 0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b
SHA512 5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

memory/4716-12-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2748-13-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2748-14-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2748-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2748-16-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2748-17-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2748-18-0x0000000074D20000-0x00000000752D1000-memory.dmp