Analysis Overview
SHA256
438d4eaf9ddb04cbb82caa727787dd08ca2fbb489deb6150df066f4ccc707f66
Threat Level: Known bad
The file 8a63072a3ab6c030b8cc549a02feb4de_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Checks computer location settings
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 12:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 12:38
Reported
2024-08-11 12:43
Platform
win7-20240708-en
Max time kernel
138s
Max time network
152s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansvc.exe" | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2272 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WAN Service\wansvc.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WAN Service\wansvc.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rdKjrEV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp"
C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp893C.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp899B.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| IR | 185.165.153.33:1156 | tcp | |
| IR | 185.165.153.33:1156 | tcp | |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| IR | 185.165.153.33:1156 | tcp | |
| IR | 185.165.153.33:1156 | tcp | |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| IR | 185.165.153.33:1156 | tcp |
Files
memory/2272-0-0x0000000074611000-0x0000000074612000-memory.dmp
memory/2272-1-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2272-2-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2272-3-0x0000000074610000-0x0000000074BBB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp
| MD5 | 572ef13ec172195efbe896e1b3730fa4 |
| SHA1 | 5e5ee715469ad7d21ae3f9859608bec4c70c5179 |
| SHA256 | bc4597103b0622d9173fe5c518b84e1bccd6c4b58983938a2835edac270fbad1 |
| SHA512 | bbf24161cf269d2433bc010dcfa7d34c6d388c67ebc1d0b6f4cd5886bdbe0fbc57a195a928fa3b45d6fe6bf997484fcafa2d5309cd81364e2f5d38cf1c0f4cb7 |
memory/2820-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-9-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-21-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-19-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2820-24-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2820-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2820-13-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp893C.tmp
| MD5 | dbbdcd1f11a686f2348e32bb65982d50 |
| SHA1 | aaa60aec16b57cdcfcb8f2327995a5fa5db7a03f |
| SHA256 | 6565fd7395b3651cd44aebf42ec1ce46958004e0c68fad9876cb8284d3b5c99b |
| SHA512 | 4ba84bd5fed87dfa2d1e80d1d7668dc679a9e8b68c80bbb7629aaba4d7306a8fe8e946fdaf67519dd4604faec20ac05914167d96ca3bcbc15f1ac45ab14e85f4 |
C:\Users\Admin\AppData\Local\Temp\tmp899B.tmp
| MD5 | 9f0deb7cf87b4ae4efde9cc98ff481db |
| SHA1 | 760265641ce176e555c64bedb494f6f75fd0bd27 |
| SHA256 | a57110ccf892c8ca9c9b28b2608f4d37a8b5df1bfcf1411e7c62b500e82fabda |
| SHA512 | 6517829d9a09df437a340485bb87183c7a80135a76296308120e0ab385f5ffa7369a2ace9655ffaf1c594869cc6a20015520b6b0c681217b641b3c58127a29de |
memory/2272-32-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2820-33-0x0000000074610000-0x0000000074BBB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 12:38
Reported
2024-08-11 12:44
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
NanoCore
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe" | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WAN Subsystem\wanss.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WAN Subsystem\wanss.exe | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rdKjrEV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD225.tmp"
C:\Users\Admin\AppData\Local\Temp\Quotation Request ~ RFQ#200420.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD774.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD831.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| IR | 185.165.153.33:1156 | tcp | |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| US | 8.8.8.8:53 | onyeotit.ddns.net | udp |
| IR | 185.165.153.33:1156 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/2496-0-0x0000000074D02000-0x0000000074D03000-memory.dmp
memory/2496-1-0x0000000074D00000-0x00000000752B1000-memory.dmp
memory/2496-2-0x0000000074D00000-0x00000000752B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD225.tmp
| MD5 | 43b2074c90704540a30adf6a2550fe20 |
| SHA1 | ef8df0cd9a949a3e03bdd484903b6ec2abd84c8a |
| SHA256 | 95b27d7f76052153ed10c95b03ace4f1f0571cfd4fc88a8e4b7c6b8a9af18dae |
| SHA512 | ea37aec6eb93544c6a13652e08d3a62676e0e99b999676a77a275d6b3c797486088a13b579493cf65d7d552bf73330ed0a92a8b4382626712571857b7b6268bf |
memory/2312-8-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation Request ~ RFQ#200420.exe.log
| MD5 | 926dc4ed07c7e7cff626d6a27b21ee54 |
| SHA1 | ee8d10180910eb5ef79f39dac687466922f76a4f |
| SHA256 | 873859cc03fdf5c20cd6f1c634234e9e00cb87f6a0634efbb7c2e18dc108bd5e |
| SHA512 | 6a3b840ce1788b49c7454901cc2eefe2f0a2c8b091776a7314bdc4552ebd777078c7b20d6e7af0b4427f81b9974251d5ba5a2473ee79613e5df287e8356d4c8e |
memory/2496-11-0x0000000074D00000-0x00000000752B1000-memory.dmp
memory/2312-12-0x0000000074D00000-0x00000000752B1000-memory.dmp
memory/2312-13-0x0000000074D00000-0x00000000752B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD774.tmp
| MD5 | dbbdcd1f11a686f2348e32bb65982d50 |
| SHA1 | aaa60aec16b57cdcfcb8f2327995a5fa5db7a03f |
| SHA256 | 6565fd7395b3651cd44aebf42ec1ce46958004e0c68fad9876cb8284d3b5c99b |
| SHA512 | 4ba84bd5fed87dfa2d1e80d1d7668dc679a9e8b68c80bbb7629aaba4d7306a8fe8e946fdaf67519dd4604faec20ac05914167d96ca3bcbc15f1ac45ab14e85f4 |
C:\Users\Admin\AppData\Local\Temp\tmpD831.tmp
| MD5 | 02783aa0d9a1a2104300bdd910c9b6dc |
| SHA1 | 0c8409582f9e606183eca539cc493d82983a0fb0 |
| SHA256 | 59a13383f0495d96e868a7f41557d17f5afe15ce5548d7cc6c7501f6095f68fb |
| SHA512 | 11ef8bceddd6c0dc0ecec3e5bfbabba4595368b8b9be01a38ccbeaa509b7f99960fea6bbd83a37ea9807f79a5db08cdba1ec8ac85443ffdc3c0f204760153854 |
memory/2312-21-0x0000000074D00000-0x00000000752B1000-memory.dmp
memory/2312-22-0x0000000074D00000-0x00000000752B1000-memory.dmp
memory/2312-23-0x0000000074D00000-0x00000000752B1000-memory.dmp