Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 16:26

General

  • Target

    fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe

  • Size

    291KB

  • MD5

    fee9cf8ec3de16009f0ffecdb2a8a831

  • SHA1

    93af1af6f4d7ba623f03892032a805a099e2ab3c

  • SHA256

    155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48

  • SHA512

    70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66

  • SSDEEP

    6144:/FVFmmoBy8TCukZw8db2cETk0MmsN6798y89xih5Mp:9mhy8TCukZJ2cETkAs2jU

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

netserv.serveftp.com:55128

176.31.174.37:55128

Mutex

4b736bf9-5142-40fe-ab51-5c64053db0ff

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    176.31.174.37

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-04-03T18:30:02.293302936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    55128

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4b736bf9-5142-40fe-ab51-5c64053db0ff

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    netserv.serveftp.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Users\Admin\AppData\Local\Temp\sql_support.exe
      "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 2704 C:\Users\Admin\AppData\Local\Temp\ndmgr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5bc227dc5f868b8bbbae794cc618a699

    SHA1

    9b66d58542b202f8a8fa2dd0d6563df0281e2516

    SHA256

    1d31db5a44602b3e7306a6bd0aff258b738c230d41e4942d9cffc83682539a51

    SHA512

    2e9d4cc2a0b180290b521a21eca28a533adbbe9698b6ad39c9aba23b4718064bbc32dccb8d922c232c306a34dce441131d24df5a6aa71568137610700bb5c509

  • C:\Users\Admin\AppData\Local\Temp\Cab2730.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • \Users\Admin\AppData\Local\Temp\sql_support.exe

    Filesize

    291KB

    MD5

    fee9cf8ec3de16009f0ffecdb2a8a831

    SHA1

    93af1af6f4d7ba623f03892032a805a099e2ab3c

    SHA256

    155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48

    SHA512

    70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66

  • memory/2640-1-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-2-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-57-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-15-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-0-0x0000000074A91000-0x0000000074A92000-memory.dmp

    Filesize

    4KB

  • memory/2640-56-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-55-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2704-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2704-21-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-34-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

  • memory/2704-24-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-16-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-18-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-30-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-32-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-14-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2704-58-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB