Overview

overview

10

Static

static

3

b20de7039f...18.exe

windows7-x64

10

b20de7039f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe

  • Size

    719KB

  • MD5

    b20de7039fc71d94e134125c77cd005f

  • SHA1

    ef222f1e7e31db8ba0abf10ecf20279529dbf2d3

  • SHA256

    2ffdff45aa288f6e09815e6072a24920ef00761c92680a8acb0e43d88fb39354

  • SHA512

    5ee300f3a47dafb661e7819944557f10831c917e4e28d08dbbb940d48034a501cbe0e5bd6321bd90fb286351d767ad718c87058ba3d3cecb389592d01a7569f0

  • SSDEEP

    12288:QaNuyLoOZWoOMOheqAfUVkkPQUQQq1AkEV6omI8Q:7OXlJeqAfUVD4UHqF

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\b20de7039fc71d94e134125c77cd005f_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2008
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC238.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log
    Filesize

    810B

    MD5

    7a4a84f4d2df1fe011638038702dad89

    SHA1

    64e9856d95b2064ff51e1c77819c818e6e5b3291

    SHA256

    cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590

    SHA512

    cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp
    Filesize

    1KB

    MD5

    776580d2028b74ed89bb21146482bdff

    SHA1

    d1a45290dedde63d8539a2fc8af866b430238bc7

    SHA256

    fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0

    SHA512

    de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC238.tmp
    Filesize

    1KB

    MD5

    a77c223a0fc492dccd6fb9975f7a8766

    SHA1

    5e813636ae9b8138d78919348a5da3a6e8bd74b5

    SHA256

    589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e

    SHA512

    315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0

    Download Submit
  • memory/1456-21-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1456-13-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-7-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-8-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-9-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-6-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-12-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4180-5-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4328-0-0x0000000075412000-0x0000000075413000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4328-4-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4328-2-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4328-1-0x0000000075410000-0x00000000759C1000-memory.dmp
    Filesize

    5.7MB

    Download