Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2024 16:26
Static task: static1
Behavioral task: behavioral1
- Sample: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
- Size: 291KB
- MD5: fee9cf8ec3de16009f0ffecdb2a8a831
- SHA1: 93af1af6f4d7ba623f03892032a805a099e2ab3c
- SHA256: 155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48
- SHA512: 70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66
- SSDEEP: 6144:/FVFmmoBy8TCukZw8db2cETk0MmsN6798y89xih5Mp:9mhy8TCukZJ2cETkAs2jU
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: netserv.serveftp.com:55128, 176.31.174.37:55128
- Mutex: 4b736bf9-5142-40fe-ab51-5c64053db0ff
Attributes:
- activate_away_mode: true
- backup_connection_host: 176.31.174.37
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2015-04-03T18:30:02.293302936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 55128
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4b736bf9-5142-40fe-ab51-5c64053db0ff
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: netserv.serveftp.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: sql_support.exe
  pid | Process
  2812 | sql_support.exe
- Loads dropped DLL (2 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  pid | Process
  2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe, RegAsm.exe, sql_support.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Net Display = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bit57\\ndmgr.exe" | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" | RegAsm.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Net Display = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bit57\\ndmgr.exe" | sql_support.exe
- Checks whether UAC is enabled (1 IoCs)
  Processes: RegAsm.exe
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  description | pid | Process | procid_target
  PID 2640 set thread context of 2704 | 2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe | 30
- Drops file in Program Files directory (2 IoCs)
  Processes: RegAsm.exe
  description | ioc | Process
  File created | C:\Program Files (x86)\PCI Manager\pcimgr.exe | RegAsm.exe
  File opened for modification | C:\Program Files (x86)\PCI Manager\pcimgr.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: RegAsm.exe, sql_support.exe, fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sql_support.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe, RegAsm.exe, sql_support.exe
  pid | Process (64 repeated entries; the sequence runs 2640 x6, 2704 x3, 2640 x7, 2812 x3, then alternates between 2640 and 2812)
  2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  2704 | RegAsm.exe
  2812 | sql_support.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: RegAsm.exe
  pid | Process
  2704 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe, RegAsm.exe, sql_support.exe
  description | pid | Process
  Token: SeDebugPrivilege | 2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2704 | RegAsm.exe
  Token: SeDebugPrivilege | 2812 | sql_support.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe
  description | pid | Process | procid_target
  PID 2640 wrote to memory of 2704 | 2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe | 30 (12 identical entries)
  PID 2640 wrote to memory of 2812 | 2640 | fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe | 31 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe (depth 1, PID 2640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2, PID 2704)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures:
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  Child process: C:\Users\Admin\AppData\Local\Temp\sql_support.exe (depth 2, PID 2812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sql_support.exe" -woohoo 2704 C:\Users\Admin\AppData\Local\Temp\ndmgr.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5bc227dc5f868b8bbbae794cc618a699
  SHA1: 9b66d58542b202f8a8fa2dd0d6563df0281e2516
  SHA256: 1d31db5a44602b3e7306a6bd0aff258b738c230d41e4942d9cffc83682539a51
  SHA512: 2e9d4cc2a0b180290b521a21eca28a533adbbe9698b6ad39c9aba23b4718064bbc32dccb8d922c232c306a34dce441131d24df5a6aa71568137610700bb5c509
- (path not captured)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (path not captured; hashes match the submitted sample)
  Filesize: 291KB
  MD5: fee9cf8ec3de16009f0ffecdb2a8a831
  SHA1: 93af1af6f4d7ba623f03892032a805a099e2ab3c
  SHA256: 155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48
  SHA512: 70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66