Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 08:58

General

  • Target

    09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe

  • Size

    2.4MB

  • MD5

    09e2e1a6fed75bce3684e7fb237e5818

  • SHA1

    3d3456b92a86cf69ea5a691911d9d5a611c00db8

  • SHA256

    f21cfffd24512c2d3d799d7ad57ada42770586dd7ece54d9314aa0a2175af856

  • SHA512

    d32a319e55e1e3db4a8ca14a17385403b2b05d5e49a2f6b576e4e66bd07f7025304f2794dc5de0943b57c338051a8671fa51046f72db9403486ca458d548e805

  • SSDEEP

    49152:JCdW+NIRVRT111findksB10gI5h0kRKZg19awdDWNMQr5VmY2NQn8G7mKWteskA:JWtIxT11cGsBYFKm10wZWNKtVcmKikA

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.29.216:4050

Mutex

176627fc-9b6d-4f0a-ab26-654a31d03cfd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.244.29.216

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-02-15T10:38:24.409596736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    4050

  • default_group

    baby new

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    176627fc-9b6d-4f0a-ab26-654a31d03cfd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\test.exe
          test.exe
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\test.exe

    Filesize

    628KB

    MD5

    e28a0e468b4d4ea54cc62afc34c6897c

    SHA1

    4840f9085bb4371303e3afb37c4a67bde0350005

    SHA256

    e2f4430cb0c04004e768adf6b47509db5ff20728ff21d691c87b132e8c374eb1

    SHA512

    308df8b94bd6f3daa317db03c05572a10813f196f661a03850855c3cafa73821ba5a1ec61e4796bb0269bd0c9a0c23c931fb079338088b4b024f9023e18a8fb8

  • memory/2420-6-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2420-7-0x00000000001E0000-0x00000000001E9000-memory.dmp

    Filesize

    36KB

  • memory/2420-12-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2420-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/2712-22-0x0000000000400000-0x0000000000942000-memory.dmp

    Filesize

    5.3MB

  • memory/2712-1-0x0000000000400000-0x0000000000942000-memory.dmp

    Filesize

    5.3MB

  • memory/3068-21-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-18-0x0000000001CD0000-0x0000000001D08000-memory.dmp

    Filesize

    224KB

  • memory/3068-19-0x0000000001CD0000-0x0000000001D08000-memory.dmp

    Filesize

    224KB

  • memory/3068-17-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-16-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-15-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-13-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-33-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-34-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3068-35-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB