Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
29-07-2024 00:43
General
-
Target
2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
-
Size
416KB
-
MD5
2e8da64c68d2020b127637af76999eae
-
SHA1
576a0e6b2ad0d3683982f9ed380f50020f851fb2
-
SHA256
39609f52c5351fcce7e031a6c0c43bbb32899d3a23204cec330f97cc05c602bb
-
SHA512
c142f053d074a7a1f426779b6bdc4f6d249eb85d2dedc9a49114ebd4180369389ba66dde3bd93dc842e164131e862aa1c65db2824e26672337ed975caf7a0e59
-
SSDEEP
12288:xQe926EQ2q+MpWBbDu9SkDNhSt6GR0CoFbJ30rPdQuo:3ppW10NhSRRgb6rPd
Malware Config
Extracted
nanocore
1.2.2.0
owens.ddns.net:4040
e8fc5dec-c000-4a89-a1aa-ebb0418b2e71
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2017-09-02T02:48:13.513691336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4040
-
default_group
Nov 2017
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e8fc5dec-c000-4a89-a1aa-ebb0418b2e71
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
owens.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\winlogins.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winlogins.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogins.exe"C:\Users\Admin\AppData\Local\winlogins.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\winlogins.exe"C:\Users\Admin\AppData\Local\winlogins.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
416KB
MD52e8da64c68d2020b127637af76999eae
SHA1576a0e6b2ad0d3683982f9ed380f50020f851fb2
SHA25639609f52c5351fcce7e031a6c0c43bbb32899d3a23204cec330f97cc05c602bb
SHA512c142f053d074a7a1f426779b6bdc4f6d249eb85d2dedc9a49114ebd4180369389ba66dde3bd93dc842e164131e862aa1c65db2824e26672337ed975caf7a0e59
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
280KB
-
Filesize
128KB
-
Filesize
6.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
456KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
40KB