Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-07-2024 05:49
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
  Resource: win7-20240729-en
General
- Target: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
- Size: 516KB
- MD5: 0b675aaaf9a7d9d36bc19786db21b61d
- SHA1: bfd0699316dfd6358abfd70d642556b197927f93
- SHA256: 9d3ec7f8db9d701a1bd73a7363b1aed1dc87ee60c321e50c96d971b37f84ee25
- SHA512: 71689ed36985960a185e7905b86e59343d11c0a601083a2ab3b22a6340dce93a495705e36e96c04e0d3263ba752b7d122e1d04bbcb6d76d6a8c92ebbbb6d1c51
- SSDEEP: 12288:FQ58Gd2jEp9Sksk/zuwBU/rwT8l/KHXCIB:FO1p9SksE8r5/KHXL
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: skodrf.casacam.net:2018, malkisod.casacam.net:2018
- Mutex: 6ccf001e-e66c-46e4-94a7-c5e28220d412
- activate_away_mode: false
- backup_connection_host: malkisod.casacam.net
- backup_dns_server:
- buffer_size: 65535
- build_time: 2019-12-19T14:57:57.247146636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2018
- default_group: france002
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 6ccf001e-e66c-46e4-94a7-c5e28220d412
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: skodrf.casacam.net
- primary_dns_server:
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Manager = "C:\\Program Files (x86)\\IMAP Manager\\imapmgr.exe" | InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
  description | pid | process | target process
  PID 1064 set thread context of 1008 | 1064 | 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe | InstallUtil.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: InstallUtil.exe
  description | ioc | process
  File created | C:\Program Files (x86)\IMAP Manager\imapmgr.exe | InstallUtil.exe
  File opened for modification | C:\Program Files (x86)\IMAP Manager\imapmgr.exe | InstallUtil.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe, InstallUtil.exe, schtasks.exe, schtasks.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1448 | schtasks.exe
  3256 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe, InstallUtil.exe
  pid | process
  1064 | 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe (3 rows)
  1008 | InstallUtil.exe (3 rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: InstallUtil.exe
  pid | process
  1008 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe, InstallUtil.exe
  description | pid | process
  Token: SeDebugPrivilege | 1064 | 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1008 | InstallUtil.exe (2 rows)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe, InstallUtil.exe
  description | pid | process | target process
  PID 1064 wrote to memory of 1008 | 1064 | 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe | InstallUtil.exe (8 rows)
  PID 1008 wrote to memory of 1448 | 1008 | InstallUtil.exe | schtasks.exe (3 rows)
  PID 1008 wrote to memory of 3256 | 1008 | InstallUtil.exe | schtasks.exe (3 rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /create /f /tn "IMAP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp850A.tmp"
         - System Location Discovery: System Language Discovery
         - Scheduled Task/Job: Scheduled Task
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /create /f /tn "IMAP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8559.tmp"
         - System Location Discovery: System Language Discovery
         - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp850A.tmp
  Filesize: 1KB
  MD5: 576bbaf398045c3843d452ec83208236
  SHA1: 8ed5b2500ae7a40cbfa6e9018a1d1f1e70cb1374
  SHA256: 33c0c2d72fa383e5988ce640febc5ac6a2bd71d4ae660b99e52234952e17467b
  SHA512: e7cc0ea0b351c6a8618e14f03c00e88ef83e2f169e0b4d66513f580f0a9352fbfe429e57186362b69407150d566bbdadca2f7b574fc748cc140b3249be67f96a
- C:\Users\Admin\AppData\Local\Temp\tmp8559.tmp
  Filesize: 1KB
  MD5: dd2c3e7842e2c2566e7b4874d229db71
  SHA1: b9c57b0baa1ffea5baf957a7072a347bcddf6c6f
  SHA256: a9df5dc5b3462bdfeaedb8b1bb3733fab886d77805b004adaaa4a5fba7f2c404
  SHA512: 9b30f36a75ed164696c0ca59617c0c4fb3c18e9c162ef4b50ea7f1c65d787740e18efa2b48ba7f8eae81fbc8e3f6e09de33760940e82cd8e3afc53966e0db91d
- memory/1008-14-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1008-32-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1008-31-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1008-30-0x00000000065B0000-0x00000000065BA000-memory.dmp
  Filesize: 40KB
- memory/1008-29-0x0000000005AB0000-0x0000000005ACE000-memory.dmp
  Filesize: 120KB
- memory/1008-28-0x00000000055A0000-0x00000000055AA000-memory.dmp
  Filesize: 40KB
- memory/1008-19-0x00000000054D0000-0x00000000054DA000-memory.dmp
  Filesize: 40KB
- memory/1008-20-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1008-18-0x00000000055C0000-0x000000000565C000-memory.dmp
  Filesize: 624KB
- memory/1008-16-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1064-6-0x0000000004EA0000-0x0000000005062000-memory.dmp
  Filesize: 1.8MB
- memory/1064-8-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1064-12-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
  Filesize: 4KB
- memory/1064-11-0x00000000062A0000-0x00000000062E4000-memory.dmp
  Filesize: 272KB
- memory/1064-17-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1064-10-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1064-9-0x0000000005CA0000-0x0000000006244000-memory.dmp
  Filesize: 5.6MB
- memory/1064-13-0x0000000074D10000-0x00000000754C0000-memory.dmp
  Filesize: 7.7MB
- memory/1064-7-0x0000000004D40000-0x0000000004D62000-memory.dmp
  Filesize: 136KB
- memory/1064-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
  Filesize: 4KB
- memory/1064-5-0x0000000004B20000-0x0000000004B42000-memory.dmp
  Filesize: 136KB
- memory/1064-4-0x0000000004C60000-0x0000000004CC6000-memory.dmp
  Filesize: 408KB
- memory/1064-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp
  Filesize: 584KB
- memory/1064-2-0x0000000000CA0000-0x0000000000CC4000-memory.dmp
  Filesize: 144KB
- memory/1064-1-0x0000000000160000-0x00000000001E6000-memory.dmp
  Filesize: 536KB