Analysis

Max time kernel:   145s
Max time network:  148s
Platform:          windows7_x64
Resource:          win7-20240903-en
Resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted:         02-10-2024 08:58

Behavioral task:   behavioral1
Sample:            09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe
Resource:          win7-20240903-en
General

Target:  09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe
Size:    2.4MB
MD5:     09e2e1a6fed75bce3684e7fb237e5818
SHA1:    3d3456b92a86cf69ea5a691911d9d5a611c00db8
SHA256:  f21cfffd24512c2d3d799d7ad57ada42770586dd7ece54d9314aa0a2175af856
SHA512:  d32a319e55e1e3db4a8ca14a17385403b2b05d5e49a2f6b576e4e66bd07f7025304f2794dc5de0943b57c338051a8671fa51046f72db9403486ca458d548e805
SSDEEP:  49152:JCdW+NIRVRT111findksB10gI5h0kRKZg19awdDWNMQr5VmY2NQn8G7mKWteskA:JWtIxT11cGsBYFKm10wZWNKtVcmKikA
Malware Config

Extracted: nanocore
  Family:   nanocore
  Version:  1.2.2.0
  C2:       185.244.29.216:4050
  Mutex:    176627fc-9b6d-4f0a-ab26-654a31d03cfd

  activate_away_mode                true
  backup_connection_host            185.244.29.216
  backup_dns_server                 8.8.4.4
  buffer_size                       65535
  build_time                        2020-02-15T10:38:24.409596736Z
  bypass_user_account_control       true
  bypass_user_account_control_data  (empty)
  clear_access_control              true
  clear_zone_identifier             false
  connect_delay                     4000
  connection_port                   4050
  default_group                     baby new
  enable_debug_mode                 true
  gc_threshold                      10485760 (10 MiB; the raw output renders this as 1.048576e+07)
  keep_alive_timeout                30000
  keyboard_logging                  false
  lan_timeout                       2500
  max_packet_size                   10485760 (10 MiB; raw output 1.048576e+07)
  mutex                             176627fc-9b6d-4f0a-ab26-654a31d03cfd
  mutex_timeout                     5000
  prevent_system_sleep              false
  primary_connection_host           (empty)
  primary_dns_server                8.8.8.8
  request_elevation                 true
  restart_delay                     5000
  run_delay                         0
  run_on_startup                    true
  set_critical_process              true
  timeout_interval                  5000
  use_custom_dns_server             false
  version                           1.2.2.0
  wan_timeout                       8000

Note: primary_connection_host is empty, so the only configured server is the backup host, 185.244.29.216 on port 4050. The UAC-related flags (bypass_user_account_control, request_elevation) match the EnableLUA registry query recorded under Signatures below, and set_critical_process is set, so killing the implant process without first clearing the critical flag can trigger a bug check on the host.
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2420  test.exe
  3068  test.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  2556  cmd.exe
  2556  cmd.exe
  2420  test.exe

Checks whether UAC is enabled (1 IoC)
  Description        IoC                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  test.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                          PID   Process   procid_target
  PID 2420 set thread context of 3068  2420  test.exe  33

Yara rule match: upx (7 IoCs)
  Resource                                                                      Rule
  behavioral1/memory/2712-1-0x0000000000400000-0x0000000000942000-memory.dmp    upx
  behavioral1/memory/2712-22-0x0000000000400000-0x0000000000942000-memory.dmp   upx
  behavioral1/memory/3068-21-0x0000000000400000-0x000000000047F000-memory.dmp   upx
  behavioral1/memory/3068-17-0x0000000000400000-0x000000000047F000-memory.dmp   upx
  behavioral1/memory/3068-16-0x0000000000400000-0x000000000047F000-memory.dmp   upx
  behavioral1/memory/3068-15-0x0000000000400000-0x000000000047F000-memory.dmp   upx
  behavioral1/memory/3068-13-0x0000000000400000-0x000000000047F000-memory.dmp   upx

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  2420  test.exe
  3068  test.exe
  3068  test.exe
  3068  test.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  3068  test.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  2420  test.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  3068  test.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                             procid_target  Events
  PID 2712 wrote to memory of 2556   2712  09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe  31             4
  PID 2556 wrote to memory of 2420   2556  cmd.exe                                             32             4
  PID 2420 wrote to memory of 3068   2420  test.exe                                            33             4
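Read together with the process tree, the SetThreadContext and WriteProcessMemory tables describe the classic process-hollowing (RunPE) sequence: test.exe (PID 2420) writes into a child copy of itself (PID 3068) and then sets that child's thread context, after which only the child gets SeDebugPrivilege and the UPX yara hits in memory. The Python below is an added example, not part of the sandbox report or its tooling. It transcribes the report's rows into a constructed event list and flags the pattern, while leaving the parent-to-child writes 2712->2556 and 2556->2420 unflagged: CreateProcess itself writes into a freshly created child, so a write alone is noise, and the discriminator is the thread-context (or section-mapping) call on the same target. The record layout, the function names and the REDIRECT_APIS set (which generalizes beyond SetThreadContext to section-mapping APIs) are this example's own.

```python
"""Flag process hollowing from sandbox API events.

Added example. EVENTS and PROCESSES are constructed from the report's
Signature tables and process tree; the record layout and function names
are this example's own, not the sandbox's output format.
"""
from collections import defaultdict

# pid -> (image path, parent pid), from the "Processes" tree in the report.
PROCESSES = {
    2712: (r"C:\Users\Admin\AppData\Local\Temp\09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe", None),
    2556: (r"C:\Windows\SysWOW64\cmd.exe", 2712),
    2420: (r"C:\Users\Admin\AppData\Local\Temp\test.exe", 2556),
    3068: (r"C:\Users\Admin\AppData\Local\Temp\test.exe", 2420),
}

# (api, source pid, target pid) in report order. Each WriteProcessMemory row
# is listed four times in the report, so the repetition is kept here.
EVENTS = (
    [("WriteProcessMemory", 2712, 2556)] * 4
    + [("WriteProcessMemory", 2556, 2420)] * 4
    + [("WriteProcessMemory", 2420, 3068)] * 4
    + [("SetThreadContext", 2420, 3068)]
)

# APIs that, combined with writes into another process, show its execution
# is being redirected rather than merely initialised. This set is the
# example's own generalization; the report only records SetThreadContext
# with a target.
REDIRECT_APIS = {"SetThreadContext", "MapViewOfSection", "NtMapViewOfSection"}


def find_hollowing(processes, events):
    """Return one dict per (source, target) pair that both received memory
    writes and had its execution redirected by the same source.

    A plain write into a child is not flagged on its own: CreateProcess
    produces exactly that for the benign cmd.exe step in this report.
    """
    by_pair = defaultdict(lambda: {"writes": 0, "redirect": set()})
    for api, src, dst in events:
        if src == dst:
            continue  # a process touching its own memory is not cross-process
        rec = by_pair[(src, dst)]
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api in REDIRECT_APIS:
            rec["redirect"].add(api)

    hits = []
    for (src, dst), rec in by_pair.items():
        if rec["writes"] == 0 or not rec["redirect"]:
            continue
        src_img, _ = processes.get(src, ("?", None))
        dst_img, dst_ppid = processes.get(dst, ("?", None))
        hits.append({
            "source": src,
            "target": dst,
            "is_child": dst_ppid == src,
            # Same image on both sides is the self-hollowing / RunPE shape
            # seen here (test.exe -> test.exe); a different image would be
            # hollowing of a decoy such as a system binary.
            "image_match": src_img.lower() == dst_img.lower(),
            "writes": rec["writes"],
            "via": sorted(rec["redirect"]),
        })
    return hits


def describe(hit):
    """One-line analyst summary of a hit."""
    kind = "self-hollowing (same image)" if hit["image_match"] else "hollowing of another image"
    rel = "child" if hit["is_child"] else "non-child"
    return (f"PID {hit['source']} -> PID {hit['target']} ({rel}): {kind}, "
            f"{hit['writes']} writes, via {', '.join(hit['via'])}")


if __name__ == "__main__":
    for h in find_hollowing(PROCESSES, EVENTS):
        print(describe(h))
```

Run stand-alone it reports a single pair, 2420 -> 3068, and nothing for the two earlier parent-to-child writes. In a real pipeline the same rule works over EDR telemetry with the events normalised to (api, source, target) triples; the pairing by target rather than by source is what keeps a loader that spawns several benign children from being flagged for each of them.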
Processes

1. C:\Users\Admin\AppData\Local\Temp\09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe   PID 2712
   Command line: "C:\Users\Admin\AppData\Local\Temp\09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe   PID 2556   (child of 2712)
      Command line: C:\Windows\system32\cmd.exe /c test.exe
      (The command line names system32\cmd.exe but the SysWOW64 copy runs: the parent is a 32-bit process, so the system32 path is subject to file system redirection.)
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\test.exe   PID 2420   (child of 2556)
         Command line: test.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\test.exe   PID 3068   (child of 2420)
            Command line: test.exe
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads

File
  Filesize:  628KB
  MD5:       e28a0e468b4d4ea54cc62afc34c6897c
  SHA1:      4840f9085bb4371303e3afb37c4a67bde0350005
  SHA256:    e2f4430cb0c04004e768adf6b47509db5ff20728ff21d691c87b132e8c374eb1
  SHA512:    308df8b94bd6f3daa317db03c05572a10813f196f661a03850855c3cafa73821ba5a1ec61e4796bb0269bd0c9a0c23c931fb079338088b4b024f9023e18a8fb8