Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
03-07-2024 12:23
Static task
static1
Behavioral task
behavioral1
Sample
2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
2261fa3658c9ff2e8c6a47728303afda
-
SHA1
e9d2ead2ad2f69fe7354121213e6bac2759b7ebf
-
SHA256
6e31d3c7f81d01c9c84a625addf6c20d8ceaeda797564021e8ffb0038a47bfda
-
SHA512
592758f325777ab3459783efbfab44c517665892ffad2ff6fe3b18d51155847222954d68b69c898e18c228172d7b1ac89f7152e533a6718b922f6bfa91271329
-
SSDEEP
24576:2AHnh+eWsN3skA4RV1Hom2KXFmIaF9ClJTEMW5HLAUUeSWK/pLQQvZsTY5:Rh+ZkldoPK1Xavyi3OWOpLxq6
Malware Config
Extracted
nanocore
1.2.2.0
ganif.ddns.net:9017
eaacbb4e-3e02-49b6-9c26-484c86fcb9d5
-
activate_away_mode
true
-
backup_connection_host
ganif.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-11-18T09:31:56.362203336Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9017
-
default_group
Lifted
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
eaacbb4e-3e02-49b6-9c26-484c86fcb9d5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
ganif.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | RegSvcs.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes: 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
description | pid | process | target process
PID 2884 set thread context of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
-
Drops file in Program Files directory (2 IoCs)
Processes: RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | RegSvcs.exe
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: RegSvcs.exe, 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
pid | process
2828 | RegSvcs.exe
2828 | RegSvcs.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegSvcs.exe
pid | process
2828 | RegSvcs.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
pid | process
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2828 | RegSvcs.exe
-
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
pid | process
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
-
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
pid | process
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
description | pid | process | target process
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
PID 2884 wrote to memory of 2828 | 2884 | 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe | RegSvcs.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (child of process 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/2828-2-0x0000000000400000-0x0000000000438000-memory.dmp | Filesize: 224KB
memory/2828-6-0x0000000000400000-0x0000000000438000-memory.dmp | Filesize: 224KB
memory/2828-4-0x0000000000400000-0x0000000000438000-memory.dmp | Filesize: 224KB
memory/2828-7-0x00000000741C1000-0x00000000741C2000-memory.dmp | Filesize: 4KB
memory/2828-8-0x00000000741C0000-0x000000007476B000-memory.dmp | Filesize: 5.7MB
memory/2828-9-0x00000000741C0000-0x000000007476B000-memory.dmp | Filesize: 5.7MB
memory/2828-12-0x00000000741C0000-0x000000007476B000-memory.dmp | Filesize: 5.7MB
memory/2828-13-0x00000000741C0000-0x000000007476B000-memory.dmp | Filesize: 5.7MB
memory/2828-14-0x00000000741C0000-0x000000007476B000-memory.dmp | Filesize: 5.7MB
memory/2884-1-0x0000000000280000-0x0000000000283000-memory.dmp | Filesize: 12KB