Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 00:43
Static task: static1
Behavioral task: behavioral1
Sample: 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
Size: 416KB
MD5: 2e8da64c68d2020b127637af76999eae
SHA1: 576a0e6b2ad0d3683982f9ed380f50020f851fb2
SHA256: 39609f52c5351fcce7e031a6c0c43bbb32899d3a23204cec330f97cc05c602bb
SHA512: c142f053d074a7a1f426779b6bdc4f6d249eb85d2dedc9a49114ebd4180369389ba66dde3bd93dc842e164131e862aa1c65db2824e26672337ed975caf7a0e59
SSDEEP: 12288:xQe926EQ2q+MpWBbDu9SkDNhSt6GR0CoFbJ30rPdQuo:3ppW10NhSRRgb6rPd
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: owens.ddns.net:4040
Mutex: e8fc5dec-c000-4a89-a1aa-ebb0418b2e71

activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2017-09-02T02:48:13.513691336Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 4040
default_group: Nov 2017
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: e8fc5dec-c000-4a89-a1aa-ebb0418b2e71
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: owens.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes: winlogins.exe, winlogins.exe
  pid | process
  4500 | winlogins.exe
  4408 | winlogins.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: winlogins.exe, winlogins.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogin = "C:\\Users\\Admin\\AppData\\Local\\winlogins.exe -boot" | winlogins.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | winlogins.exe

Checks whether UAC is enabled
Processes: winlogins.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogins.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: winlogins.exe
  description | pid | process | target process
  PID 4500 set thread context of 4408 | 4500 | winlogins.exe | winlogins.exe

Drops file in Program Files directory (2 IoCs)
Processes: winlogins.exe
  description | ioc | process
  File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | winlogins.exe
  File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | winlogins.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: winlogins.exe, winlogins.exe, 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe, cmd.exe, cmd.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogins.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogins.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: winlogins.exe
  pid | process
  4408 | winlogins.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: winlogins.exe
  pid | process
  4408 | winlogins.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe, winlogins.exe, winlogins.exe
  description | pid | process
  Token: SeDebugPrivilege | 1584 | 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4500 | winlogins.exe
  Token: SeDebugPrivilege | 4408 | winlogins.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe, cmd.exe, winlogins.exe
  description | pid | process | target process
  PID 1584 wrote to memory of 744 | 1584 | 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe | cmd.exe (3 entries)
  PID 1584 wrote to memory of 1524 | 1584 | 2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe | cmd.exe (3 entries)
  PID 1524 wrote to memory of 4500 | 1524 | cmd.exe | winlogins.exe (3 entries)
  PID 4500 wrote to memory of 4408 | 4500 | winlogins.exe | winlogins.exe (8 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe (PID 1584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 744)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2e8da64c68d2020b127637af76999eae_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\winlogins.exe"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 1524)
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winlogins.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\winlogins.exe (PID 4500)
      Command line: "C:\Users\Admin\AppData\Local\winlogins.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\winlogins.exe (PID 4408)
        Command line: "C:\Users\Admin\AppData\Local\winlogins.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 706B
  MD5: 0110f3d722cddd9753644c78a308ff57
  SHA1: c461bb3812ae8a3c77d0ec99850b3a88eda2ccc7
  SHA256: 03c3a90b4c2615ddd7bc4b663ba3cce4969223c0a21c53624c6f792ffde91de4
  SHA512: 8a581416a1a9e355e6cda1d4f2a93df807421ec2706c717c5d5d2acd004af2c14ee77d94c48e6643320dd2cd2e1072b9cfd8ecf37c0e8fb38df7d9f0c40cdf63
- Filesize: 416KB
  MD5: 2e8da64c68d2020b127637af76999eae
  SHA1: 576a0e6b2ad0d3683982f9ed380f50020f851fb2
  SHA256: 39609f52c5351fcce7e031a6c0c43bbb32899d3a23204cec330f97cc05c602bb
  SHA512: c142f053d074a7a1f426779b6bdc4f6d249eb85d2dedc9a49114ebd4180369389ba66dde3bd93dc842e164131e862aa1c65db2824e26672337ed975caf7a0e59