General
-
Target
fb688fdbeba764d57070a6ea468a56b3_JaffaCakes118
-
Size
3.7MB
-
Sample
240419-3gtlqaac83
-
MD5
fb688fdbeba764d57070a6ea468a56b3
-
SHA1
264e2deda6c80b3c1b4ec962d88e4435000bbd99
-
SHA256
ccaf62b1b0261bedb0013b360606d4c846f58a904ea9b9d8bc610186e44b574a
-
SHA512
f889eda04720d954562fa866b404c848f85bd0dee7dee83548be8f8fb44fdded5758f951d6bd57f559d541dff24a0d536275c7f88e957099510d0397244d2dc2
-
SSDEEP
768:ofJzCncAwCM38M3n1LZ2NouyYC00yIJboDBGvCQtparQdF71ugHuUPopu82Sf4XK:ofJ2ph
Static task
static1
Behavioral task
behavioral1
Sample
fb688fdbeba764d57070a6ea468a56b3_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2 (primary host:port): backupjuly.duckdns.org:9090
Mutex: 0a7e289c-1b29-4584-8e36-a27a2b9592bf
-
activate_away_mode
true
-
backup_connection_host
backupjuly.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-06-05T18:42:41.306973936Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(no value extracted)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9090
-
default_group
backup july
-
enable_debug_mode
true
-
gc_threshold
10485760 (rendered as 1.048576e+07; 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (rendered as 1.048576e+07; 10 MiB)
-
mutex
0a7e289c-1b29-4584-8e36-a27a2b9592bf
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
backupjuly.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process (if the implant honors this flag, terminating its process may crash the host — verify before killing it on a live system)
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
fb688fdbeba764d57070a6ea468a56b3_JaffaCakes118
-
Size
3.7MB
-
MD5
fb688fdbeba764d57070a6ea468a56b3
-
SHA1
264e2deda6c80b3c1b4ec962d88e4435000bbd99
-
SHA256
ccaf62b1b0261bedb0013b360606d4c846f58a904ea9b9d8bc610186e44b574a
-
SHA512
f889eda04720d954562fa866b404c848f85bd0dee7dee83548be8f8fb44fdded5758f951d6bd57f559d541dff24a0d536275c7f88e957099510d0397244d2dc2
-
SSDEEP
768:ofJzCncAwCM38M3n1LZ2NouyYC00yIJboDBGvCQtparQdF71ugHuUPopu82Sf4XK:ofJ2ph
-
Checks computer location settings
Reads the country code configured in the registry; this is most likely a geofence check, i.e. execution conditioned on the victim's configured locale.
-
Adds Run key to start application (registry Run-key persistence; consistent with run_on_startup = true in the extracted config)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: hides the calling thread from an attached debugger)
-
Suspicious use of SetThreadContext (commonly associated with process injection / hollowing; the target process is not identified in this excerpt)
-