Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2024 09:01

Static task: static1
Behavioral task: behavioral1
- Sample: 828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
- Size: 391KB
- MD5: 828e9fa440667700be0305848ec7c6fb
- SHA1: 9fe92bb6b7b6986690f840078b080c56b5aa4a0e
- SHA256: 6b59ef9e80eed04fb2d45569f27dada7b901fc47e726e0c48ea75107d2ea2870
- SHA512: b8ce90cc662ed7384e5ecfe20e7b6b7436c940e5d44816aff21c17f52cdba72233b5790d3202249f86a61aa07862f38c4996a28a273e9e5c05e18583b8a1d725
- SSDEEP: 12288:IudCZLjBTMXU3wL4vXBMzHNGALXEss/gc:Ix2U3wMvxW1LXElb
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: jured123.ddns.net:9033, 127.0.0.1:9033
- Mutex: f2166d44-4025-4972-8286-3ae1f2df8b6f

- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-01-30T18:03:09.422891336Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not included in this copy of the report)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9033
- default_group: RATTED
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: f2166d44-4025-4972-8286-3ae1f2df8b6f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: jured123.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Reading the config: the only real C2 is the dynamic-DNS host jured123.ddns.net on TCP 9033; the backup host 127.0.0.1 is a placeholder. The UAC-bypass option is off, but request_elevation is on, so the client asks for elevation through a normal UAC prompt, and set_critical_process marks the running client as a critical process (terminating it triggers a bugcheck) once it has that elevation. The mutex value doubles as the client GUID and is a usable host IoC. Keylogging is disabled in this build.
Signatures
- Nanocore family
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs (process: cmd.exe)
- Executes dropped EXE (2 IoCs)
  PID 2324 z.cmd; PID 3280 z.cmd
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe)
  Caveat: this RunOnce entry is the cleanup record that the Windows IExpress/wextract self-extractor writes so that its IXP000.TMP extraction directory is deleted at next logon; the WOW6432Node path shows the package is 32-bit. It identifies the dropper as an IExpress package rather than being the RAT's own persistence, which is the Startup-folder script and the scheduled task below.
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: z.cmd)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2324 (z.cmd) set thread context of PID 3280 (z.cmd, procid_target 90)
  Together with the twelve WriteProcessMemory calls from 2324 into 3280 listed below, this is consistent with a process-hollowing style injection: z.cmd starts a second copy of itself, overwrites that copy's memory and redirects its initial thread.
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe, 828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe, z.cmd (two entries) and cmd.exe
  Caveat: this is a low-signal rule; ordinary process start-up reads the same key, so it fires for every process in the tree, including cmd.exe and schtasks.exe.
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3012 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2324 z.cmd (two entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2324 z.cmd (two entries)
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 4224 (828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe) wrote to memory of PID 2324 (z.cmd, procid_target 84): 3 entries
  PID 2324 (z.cmd) wrote to memory of PID 1036 (cmd.exe, procid_target 88): 3 entries
  PID 2324 (z.cmd) wrote to memory of PID 3280 (z.cmd, procid_target 90): 12 entries
  PID 3280 (z.cmd) wrote to memory of PID 3012 (schtasks.exe, procid_target 93): 3 entries
  The three-entry groups accompany each ordinary process creation in the tree; the twelve writes from 2324 into 3280 are the injection that the SetThreadContext signature completes.
Processes
- C:\Users\Admin\AppData\Local\Temp\828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe (PID 4224, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe"
  Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd (PID 2324, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1036, depth 3)
      Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      Signatures: Drops startup file; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd (PID 3280, depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
      Signatures: Executes dropped EXE; Checks whether UAC is enabled; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3012, depth 4)
        Command line: "schtasks.exe" /create /f /tn "ARP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0F3.tmp"
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task

Reading the tree: the IExpress wrapper (PID 4224) unpacks z.cmd into IXP000.TMP and runs it. Despite the .cmd extension, z.cmd is a PE executable (the sandbox flags it as a dropped EXE). The first z.cmd instance writes a one-line VBScript into the per-user Startup folder by echoing it through cmd.exe; that script (on error resume next:CreateObject("WScript.Shell").Run "...\IXP000.TMP\z.cmd",1:) relaunches z.cmd at every logon. It then spawns a second copy of itself (PID 3280), injects into it, and that copy registers a scheduled task named "ARP Monitor" from a task-definition XML in %TEMP%. cmd.exe and schtasks.exe run from SysWOW64 even though the command lines name system32, because the 32-bit z.cmd parent is subject to WOW64 file-system redirection.
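The process tree above gives three concrete detection opportunities: the cmd.exe redirect that drops a .vbs into the Startup folder, the schtasks /create that reads its task XML from %TEMP%, and a PE with a non-.exe name running out of an IExpress extraction directory and re-spawning itself. The following is an added example (not part of the sandbox report and not the sample's code) that encodes those as hunt rules over Sysmon-style process-creation events. The five events are constructed from the command lines in the tree; the field names (pid, image, parent_image, command_line) and the explorer.exe parent of PID 4224 are assumptions, since the report does not show them.

```python
"""Hunt rules for the persistence chain seen in the report above.

Rules (all derived from the command lines in the process tree):
  1. cmd.exe redirecting `echo` output into the per-user Startup folder, plus the
     WScript.Shell .Run target embedded in the echoed VBScript
  2. schtasks.exe /create taking its task definition (/xml) from %TEMP%
  3. a non-.exe file name executing out of an IExpress extraction dir (IXPnnn.TMP)
  4. a process in that dir spawning a second copy of itself (the pattern behind the
     SetThreadContext / WriteProcessMemory signatures)
"""
import re

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)
WSH_RUN_RE = re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s*"([^"]+)"', re.I)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"\s]+)', re.I)


def classify(event):
    """Return a list of (rule, detail) hits for one process-creation event."""
    hits = []
    image = event["image"]
    image_lc = image.lower()
    cmd = event["command_line"]

    # 1. `... > "...\Startup\x.vbs"`: the redirect target is what follows the last '>'
    if image_lc.endswith("\\cmd.exe") and ">" in cmd:
        target = cmd.rsplit(">", 1)[1].strip().strip('"')
        if STARTUP_RE.search(target):
            m = WSH_RUN_RE.search(cmd)
            hits.append(("startup_folder_vbs_drop",
                         {"dropped": target, "launches": m.group(1) if m else None}))

    # 2. schtasks /create /xml <file under %TEMP%>
    if image_lc.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        m = XML_ARG_RE.search(cmd)
        if m and TEMP_RE.search(m.group(1)):
            hits.append(("schtasks_create_from_temp_xml", {"xml": m.group(1)}))

    # 3 and 4. anything running out of IXPnnn.TMP deserves a look: z.cmd is a PE
    #    with a misleading extension, and it re-spawns itself for injection
    if IXP_DIR_RE.search(image_lc):
        if not image_lc.endswith(".exe"):
            hits.append(("non_exe_name_from_iexpress_dir", {"image": image}))
        if event["parent_image"].lower() == image_lc:
            hits.append(("self_respawn_from_iexpress_dir", {"image": image}))
    return hits


def hunt(events):
    """Run classify() over every event; return [(pid, rule, detail), ...] in event order."""
    return [(e["pid"], rule, detail) for e in events for rule, detail in classify(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe"
Z_CMD = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd"

# Constructed from the report's process tree (not a real log export). The parent of
# PID 4224 is assumed; the report does not show it.
EVENTS = [
    {"pid": 4224, "parent_image": r"C:\Windows\explorer.exe", "image": SAMPLE,
     "command_line": f'"{SAMPLE}"'},
    {"pid": 2324, "parent_image": SAMPLE, "image": Z_CMD, "command_line": Z_CMD},
    {"pid": 1036, "parent_image": Z_CMD, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": (r'C:\Windows\system32\cmd.exe /c echo on error resume next:'
                      + r'CreateObject("WScript.Shell").Run "' + Z_CMD + r'",1: '
                      + r'>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"')},
    {"pid": 3280, "parent_image": Z_CMD, "image": Z_CMD, "command_line": Z_CMD},
    {"pid": 3012, "parent_image": Z_CMD, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"schtasks.exe" /create /f /tn "ARP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0F3.tmp"'},
]

if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(f"PID {pid:<5} {rule:<32} {detail}")
```

Rule 1 extracts the .Run target from the echoed script, so the alert carries the path of the binary that will be relaunched at logon, not just the dropped file name. Rule 3 is deliberately broad: anything executing from an IXPnnn.TMP directory is rare on a managed host and cheap to triage.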
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 160KB
  MD5: 5f1ac56c39eb680f3b21f120313c16f8
  SHA1: 30eb78f8fb55afca842fc75f974a5d301f57cdf6
  SHA256: 7218840273cfeb2cf6f507d3c238eb1f376fd997e60d52006f6a4876cc01f3a3
  SHA512: fdcf2f060d9131ad6b41251d707e1d388a560e063ae97188b109dedb35a18c458917c4655de7a67b8611072d2b68ccd1bd3299a9c66f2609ca6eec206db3a0cb
- Filesize: 104KB
  MD5: 7bae06cbe364bb42b8c34fcfb90e3ebd
  SHA1: 79129af7efa46244da0676607242f0a6b7e12e78
  SHA256: 6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a
  SHA512: c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf
- Filesize: 372KB
  MD5: e7de4028e07068ee6c54ca14081ecc40
  SHA1: a83f5a9754b4dd98a28a6e717bb392383a4c3a1e
  SHA256: 18f9f8f7a81f58d61de969cb933a6170788339be7f3995af8c1e919e8e2c0763
  SHA512: 1eb53d5db1ba5a632f3fac669be8ec812eaf7d2f43f9be1f1b0388761aafb0411647582a3e924248b66ec17fd8f144706b82577b0ac2f74092630d610f0ed709
- Filesize: 1KB
  MD5: a1d0f75599c16902d28bb7b756a4f35c
  SHA1: c752e4155b8445152c97805387a1719da4fcf4f3
  SHA256: dfc004a96670a057f9d4ce4b2c70ea12aa196edb0d5e99e68e53b5366236a617
  SHA512: 8a3858b519fe899259b9b58a2343421d5ab7fdfec1ba65c834ef6009a8767007f64c648f96948418782ee33c31523517294f37a7d5eca75eaa6b021f31183842