Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 01:19

General

  • Target

    28558cb675285ad2605c85b344360953_JaffaCakes118.exe

  • Size

    345KB

  • MD5

    28558cb675285ad2605c85b344360953

  • SHA1

    e178fcdaa47e95f5b947bb5f33a711c61b8aeb57

  • SHA256

    5252ad74024ea42646b742d764850ed3e95e16b74c02019315b6c6bd33e6bea4

  • SHA512

    3c136f3e814039e43174006464ccea1dcbe7a793136cbe401e0d5f0a1668847df3005ebb0a7131a01055a65bc47060b6e508794943f5744315aa93707cfeb240

  • SSDEEP

    6144:xbMZkl9RKKy/pFj2ORB/qW3zfSzxgSgrREtd:vlKhVvRF3zfSXt

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3352
    • C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4636
    • C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\28558cb675285ad2605c85b344360953_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4992
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D6C.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp

    Filesize

    1KB

    MD5

    81e4e2bc47a0e4ade3c2a2d18593cf77

    SHA1

    c156b8688d7450ec4aa8bf5a4cc61879e794f008

    SHA256

    821db79c0a9c9d88e54622203989f12e55f283dfd6ae69a4a038bcbb95942d4f

    SHA512

    470ad5bc12aaab00760fb8efba427b6d1fd8d9a39f2bf866d3f325a4b0f72546ca9570cfeea93ecb60bfb456d35f88d65bfd94a149335d22cbb41328ef17f825

  • C:\Users\Admin\AppData\Local\Temp\tmp8D6C.tmp

    Filesize

    1KB

    MD5

    2862e61d09852ea2886c036af0465051

    SHA1

    45e30b14543868213f7f1cba0a1e0cc840fb2cd2

    SHA256

    d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3

    SHA512

    33dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe

    Filesize

    345KB

    MD5

    28558cb675285ad2605c85b344360953

    SHA1

    e178fcdaa47e95f5b947bb5f33a711c61b8aeb57

    SHA256

    5252ad74024ea42646b742d764850ed3e95e16b74c02019315b6c6bd33e6bea4

    SHA512

    3c136f3e814039e43174006464ccea1dcbe7a793136cbe401e0d5f0a1668847df3005ebb0a7131a01055a65bc47060b6e508794943f5744315aa93707cfeb240

  • C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat

    Filesize

    189B

    MD5

    dca86f6bec779bba1b58d992319e88db

    SHA1

    844e656d3603d15ae56f36298f8031ad52935829

    SHA256

    413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

    SHA512

    4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

  • C:\Users\Admin\AppData\Roaming\tmp.exe

    Filesize

    203KB

    MD5

    8468c7f0f541de6a339f3d158526f6fa

    SHA1

    d99f45035367fbde27b2b86a7662b897f2c8c1e5

    SHA256

    66ff36afc07c20d972de51a37c431fc48e6712ec45b8fb3188e1d848c227c81e

    SHA512

    c1c504b0a8ef7a02ba43faefb8f8686d683c7e423dd9e912a2be33040bfcdafc09f8715eb199c0f27a74166c6c0310bd7409524f7366d7a480a4a8cf581a36aa

  • memory/1408-37-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/1408-0-0x0000000074932000-0x0000000074933000-memory.dmp

    Filesize

    4KB

  • memory/1408-42-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/1408-36-0x0000000074932000-0x0000000074933000-memory.dmp

    Filesize

    4KB

  • memory/1408-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/1408-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/2220-31-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/2220-29-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/2220-40-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/2220-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/2220-43-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/4636-20-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/4636-21-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/4636-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB

  • memory/4636-39-0x0000000074930000-0x0000000074EE1000-memory.dmp

    Filesize

    5.7MB