Analysis Overview
SHA256
e9c3fc00ddb08ef196d05b56ce0c83c04381de42e8777e902e3e9c7afe4a9f11
Threat Level: Known bad
The file 10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 05:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 05:12
Reported
2024-06-26 05:14
Platform
win7-20240611-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2060 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Service\ddpsvc.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Service\ddpsvc.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8871.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8AD3.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
Files
memory/2060-0-0x00000000740E1000-0x00000000740E2000-memory.dmp
memory/2060-1-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/2060-2-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/2060-3-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/2060-4-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/3020-7-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3020-10-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-8-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-18-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3020-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2060-19-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/3020-23-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/3020-24-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/3020-20-0x00000000740E0000-0x000000007468B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8871.tmp
| MD5 | 7b6649f876e46ee80a91f6923920b2b3 |
| SHA1 | 81c59779c47393491ff7dfd61afbebe49ede7140 |
| SHA256 | c699a7c469ce0112aaf81e9e0bc690cebaf1e6d1e208af66848770dc4c403262 |
| SHA512 | 509a400e910720261217ae82688b7961e03b93116caa1b61e4e21a631f7f176c4cf22d859da3f151c0fe19a0b315ac4817e44c822a36690a169db69d0eb7a4bc |
C:\Users\Admin\AppData\Local\Temp\tmp8AD3.tmp
| MD5 | 2a91b19749346c8f783945a00a5050d7 |
| SHA1 | 66c61f7802ac5b83aae26f6042575717209bae3e |
| SHA256 | 0b0a294877234b2406c573060ff13262da0414485c0954ef8961a9429d9f7fb1 |
| SHA512 | c5b044a2bda0ad0d38fb57ffb54611381f05ef6ef2f14481d00c278ecefda2d963ef41b2ef6e2bb16718fb8e5aa859bf2b9f870bf3ba8959c5a6b5b03aa53622 |
memory/3020-30-0x00000000740E0000-0x000000007468B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 05:12
Reported
2024-06-26 05:14
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5112 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\10d4a5471e7e6d37cc86e3b430cfd3e1_JaffaCakes118.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC796.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC7D5.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | cloudhost.myfirewall.org | udp |
| CL | 191.115.151.181:5654 | cloudhost.myfirewall.org | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/5112-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp
memory/5112-1-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/5112-2-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/5112-3-0x0000000074DB2000-0x0000000074DB3000-memory.dmp
memory/5112-4-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/2468-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2468-7-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/5112-8-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/2468-9-0x0000000074DB0000-0x0000000075361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC796.tmp
| MD5 | 7b6649f876e46ee80a91f6923920b2b3 |
| SHA1 | 81c59779c47393491ff7dfd61afbebe49ede7140 |
| SHA256 | c699a7c469ce0112aaf81e9e0bc690cebaf1e6d1e208af66848770dc4c403262 |
| SHA512 | 509a400e910720261217ae82688b7961e03b93116caa1b61e4e21a631f7f176c4cf22d859da3f151c0fe19a0b315ac4817e44c822a36690a169db69d0eb7a4bc |
memory/2468-16-0x0000000074DB0000-0x0000000075361000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC7D5.tmp
| MD5 | a77c223a0fc492dccd6fb9975f7a8766 |
| SHA1 | 5e813636ae9b8138d78919348a5da3a6e8bd74b5 |
| SHA256 | 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e |
| SHA512 | 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0 |
memory/2468-18-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/2468-19-0x0000000074DB0000-0x0000000075361000-memory.dmp
memory/2468-20-0x0000000074DB0000-0x0000000075361000-memory.dmp