Analysis

max time kernel: 139s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2024 19:32

Static task: static1
Behavioral task: behavioral1
Sample: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Size: 804KB
MD5: 96c46f1028dfd68dcafc774a331b7887
SHA1: a3f23dec1b19baeb71e75a9891a7a13a021c93bd
SHA256: b1d04d78ca542907bf8e87ac423cce20039b745b9500d292dcc1764feb660931
SHA512: ab318cb3228f0dd9087c64d4ea0e5021ec372a44c65d55a4d4209fba3b83e3b31cccb5f85c250fc31b650118a3e9891fa8dff45d142e41c576607739f51b3470
SSDEEP: 12288:JGpk59Z3PCPoflr7RTd1To2k6qYa84nCsVcN9L4+xEWLIqD1fvIlwvCeP0/5KWRT:zdVPqY/4EIqD1Ylwvtz5C
Malware Config

Signatures

Nanocore family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
- PID 1560: audiotunes.exe
- PID 3632: audiotunes.exe

Checks whether UAC is enabled (1 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: audiotunes.exe)
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: audiotunes.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: audiotunes.exe)
Suspicious use of SetThreadContext (1 IoCs)
- PID 1560 set thread context of 3632 (pid: 1560, process: audiotunes.exe, procid_target: 98)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: audiotunes.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: audiotunes.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4116: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2552: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 3632: audiotunes.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
- PID 1560: audiotunes.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (pid: 2552, process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid: 1560, process: audiotunes.exe)
- Token: SeDebugPrivilege (pid: 3632, process: audiotunes.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 2552 wrote to memory of 3752 (pid: 2552, process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe, procid_target: 91), 3 entries
- PID 2552 wrote to memory of 4116 (pid: 2552, process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe, procid_target: 93), 3 entries
- PID 2552 wrote to memory of 2388 (pid: 2552, process: 96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe, procid_target: 95), 3 entries
- PID 2388 wrote to memory of 1560 (pid: 2388, process: cmd.exe, procid_target: 97), 3 entries
- PID 1560 wrote to memory of 3632 (pid: 1560, process: audiotunes.exe, procid_target: 98), 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2552

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\37a9f99f-41f8-4c98-ad5a-89e2379234cf" /F
    - System Location Discovery: System Language Discovery
    PID: 3752

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\37a9f99f-41f8-4c98-ad5a-89e2379234cf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp544102550.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 4116

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /K "C:\ProgramData\audiotunes.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2388

    C:\ProgramData\audiotunes.exe (level 3)
      Command line: C:\ProgramData\audiotunes.exe
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1560

      C:\ProgramData\audiotunes.exe (level 4)
        Command line: C:\ProgramData\audiotunes.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID: 3632
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 804KB
MD5: f854de20ca4d24763fe1d741332ff3a7
SHA1: 852210622a0b3f31a953682abfc1c4279ec14d72
SHA256: dc5fc101053307551b8d213823d5080b959e132755ec7321181491a2c8285ee4
SHA512: bcaa6c80475698c4990549325815530788e3ab8e0c5512dda0495e8af365f8360cbb23911c83bcffdbec353399eae82f4c764abe515218f3cfe3c3e3b2e83579

Filesize: 1KB
MD5: 3257a303a118b5848959139d86867c5e
SHA1: 6e3493381aabb4d32e1ce4aea1a1f004557fa2b3
SHA256: 14b348fc8716842929a43a5099a93372b75bacf8cd04a40af8965fc11490d071
SHA512: 25da4cde73c9b8f8d2e7a6ae0f9548afdaa770761944e6be433b0537727342641ac19f7f88c91d514217afedf0d802bcf6ce344eb4b803672a3395e67f558dd8