Analysis Overview
SHA256
da5ede598b0921ec83296df2b0e625d3fb88fa05dc94d7771f8c25c2fc52da68
Threat Level: Known bad
The file 0374895e71ef754c11bf2530d0a9e693_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Drops startup file
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Program Files directory
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 18:46
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 18:46
Reported
2024-06-22 18:49
Platform
win7-20240221-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdp.url | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2204 set thread context of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B8C.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp"
Network
| Country | Destination | Domain | Proto |
| RU | 95.213.251.165:54964 | | tcp |

29 identical TCP connections to 95.213.251.165:54964 were recorded during this run, with no domain associated with them in the capture. Repeated connections from the injected RegAsm.exe to a single host:port, together with the NanoCore detection, is consistent with RAT beaconing to its command-and-control endpoint.
Files
memory/360-0-0x0000000000400000-0x0000000000438000-memory.dmp
memory/360-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2204-9-0x0000000000170000-0x0000000000171000-memory.dmp
memory/360-8-0x0000000000400000-0x0000000000438000-memory.dmp
memory/360-7-0x0000000000400000-0x0000000000438000-memory.dmp
memory/360-1-0x0000000000400000-0x0000000000438000-memory.dmp
memory/360-10-0x0000000074192000-0x0000000074194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1B8C.tmp
| MD5 | c6f0625bf4c1cdfb699980c9243d3b22 |
| SHA1 | 43de1fe580576935516327f17b5da0c656c72851 |
| SHA256 | 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576 |
| SHA512 | 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969 |
C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp
| MD5 | 9f554f602c22cfc20079e966d177fadb |
| SHA1 | 789baa3425849bf239e47c6bcf352e6693a8c337 |
| SHA256 | 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1 |
| SHA512 | b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb |
memory/360-22-0x0000000074192000-0x0000000074194000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 18:46
Reported
2024-06-22 18:49
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
142s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdp.url | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 660 set thread context of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp491F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp496E.tmp"
Network
| Country | Destination | Domain | Proto |
| RU | 95.213.251.165:54964 | | tcp |

9 identical TCP connections to 95.213.251.165:54964 were recorded during this run (the same endpoint as behavioral1), with no domain associated with them in the capture.
Files
memory/2344-1-0x0000000000500000-0x0000000000538000-memory.dmp
memory/660-5-0x0000000003C50000-0x0000000003C51000-memory.dmp
memory/2344-6-0x0000000073752000-0x0000000073753000-memory.dmp
memory/2344-7-0x0000000073750000-0x0000000073D01000-memory.dmp
memory/2344-8-0x0000000073750000-0x0000000073D01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp491F.tmp
| MD5 | c6f0625bf4c1cdfb699980c9243d3b22 |
| SHA1 | 43de1fe580576935516327f17b5da0c656c72851 |
| SHA256 | 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576 |
| SHA512 | 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969 |
C:\Users\Admin\AppData\Local\Temp\tmp496E.tmp
| MD5 | 5fea24e883e06e4df6d240dc72abf2c5 |
| SHA1 | d778bf0f436141e02df4b421e8188abdcc9a84a4 |
| SHA256 | e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66 |
| SHA512 | 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924 |
memory/2344-20-0x0000000073750000-0x0000000073D01000-memory.dmp
memory/2344-21-0x0000000073752000-0x0000000073753000-memory.dmp
memory/2344-22-0x0000000073750000-0x0000000073D01000-memory.dmp
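The two detonations differ only in the cosmetic names the implant picked (NAS Host / nashost.exe on win7, DPI Subsystem / dpiss.exe on win10); the persistence mechanisms, the injection target (RegAsm.exe started with no arguments) and the C2 endpoint are identical. The script below is an added host-hunting example, not part of the sandbox report. It checks a Windows host for every indicator listed in behavioral1 and behavioral2: the Run key values, the four scheduled task names, the dropped binaries under Program Files (x86), the cdp.url startup shortcut in any user profile, a RegAsm.exe running without an assembly argument or holding TCP connections, and any live connection to 95.213.251.165:54964. The registry views, the argument-stripping regex and the Windows 7 fallback to schtasks.exe are assumptions of this example; the indicator values themselves are taken from the report.

```powershell
# Added example (not from the sandbox report): hunt for the NanoCore indicators
# recorded in behavioral1 (win7) and behavioral2 (win10). Run elevated, PowerShell 5.1+.
#Requires -RunAsAdministrator

$RunKeyNames  = @('NAS Host', 'DPI Subsystem')
$TaskNames    = @('NAS Host', 'NAS Host Task', 'DPI Subsystem', 'DPI Subsystem Task')
$DroppedPaths = @(
    "${env:ProgramFiles(x86)}\NAS Host\nashost.exe",
    "${env:ProgramFiles(x86)}\DPI Subsystem\dpiss.exe"
)
# The .url was written under the detonation user's profile; check every local profile.
$StartupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdp.url'
$C2Address  = '95.213.251.165'
$C2Port     = 54964

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys. The 32-bit RegAsm.exe wrote the 32-bit view, which a 64-bit host
#    stores under Wow6432Node; check both views plus HKCU (assumption: broaden the sweep).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $RunKeyNames) {
        if ($props.PSObject.Properties[$name]) {
            $findings.Add("Run key ${key}\${name} = $($props.$name)")
        }
    }
}

# 2. Scheduled tasks created via "schtasks /create /f /tn <name> /xml <tmp>".
#    Get-ScheduledTask exists on Windows 8 / Server 2012 and later; on Windows 7
#    fall back to the CSV output of schtasks.exe.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($TaskNames -contains $t.TaskName) {
            $exec = ($t.Actions | ForEach-Object { $_.Execute }) -join ';'
            $findings.Add("Scheduled task '$($t.TaskName)' -> $exec")
        }
    }
} else {
    foreach ($row in (schtasks.exe /query /fo CSV /v | ConvertFrom-Csv)) {
        $leaf = ($row.TaskName -split '\\')[-1]
        if ($TaskNames -contains $leaf) {
            $findings.Add("Scheduled task '$leaf' -> $($row.'Task To Run')")
        }
    }
}

# 3. Dropped binaries and the per-profile startup shortcut.
foreach ($p in $DroppedPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}
foreach ($userDir in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $url = Join-Path $userDir.FullName $StartupRel
    if (Test-Path -LiteralPath $url) {
        $findings.Add("Startup shortcut: $url -> $((Get-Content -LiteralPath $url -Raw).Trim())")
    }
}

# 4. Injected host process. The payload ran inside RegAsm.exe launched with no
#    arguments; a legitimate RegAsm run takes an assembly path and does not hold
#    TCP connections. Flag any RegAsm.exe that matches either condition.
$regasm = Get-CimInstance Win32_Process -Filter "Name = 'RegAsm.exe'"
$conns  = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($proc in $regasm) {
    # Assumption: strip the (optionally quoted) image path and treat the rest as arguments.
    $args   = ($proc.CommandLine -replace '^\s*"?[^"]*RegAsm\.exe"?\s*', '').Trim()
    $owned  = $conns | Where-Object { $_.OwningProcess -eq $proc.ProcessId }
    if ($args -eq '' -or $owned) {
        $remote = ($owned | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        $findings.Add("RegAsm.exe PID $($proc.ProcessId) cmdline='$($proc.CommandLine)' tcp=[$remote]")
    }
}

# 5. Any process currently connected to the recorded C2 endpoint.
foreach ($c in $conns | Where-Object { $_.RemoteAddress -eq $C2Address -and $_.RemotePort -eq $C2Port }) {
    $findings.Add("C2 connection PID $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)")
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

Get-NetTCPConnection is also unavailable on Windows 7; there, substitute `netstat -ano` and match on the remote endpoint and PID. The RegAsm.exe check deliberately does not depend on the sandbox's task or file names, so it still fires when a different build of the sample picks new names but keeps the same hollowing target.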