General
Target: fb6aca6ece036febbbec836dd55d1126_JaffaCakes118
Size: 1.5MB
Sample: 240419-3k1t7sbc7z
MD5: fb6aca6ece036febbbec836dd55d1126
SHA1: d9b521b67eae457b24cdb8f31665f7f276e4a14a
SHA256: 44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8
SHA512: 388eec18ef7727f1d1e54d4a8ae268ae7530fa315e01a9a1bce947d77369574fe05632e37b3809574793f96f3b129d567ecb6dea01d8b79afd35f240f38f4a39
SSDEEP: 24576:Or4MUjzwp6YZcyXFt7J7UMx7F0l3ad42GdIUtBa71AakYeZyXFW7ROUMx4M6A:OkQ6m5t7dlUAUq7eKW7APp
Static task: static1
Behavioral task: behavioral1
Sample: fb6aca6ece036febbbec836dd55d1126_JaffaCakes118.vbs
Resource: win7-20240215-en
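Before reusing any finding from this report against a file you hold, confirm the file is the same sample. The following is an added Python example (not from the report or the sandbox) that recomputes the four digests listed under General and compares them; SSDEEP is skipped because the standard library has no fuzzy-hash support. The empty-buffer digests in the stand-alone check are well-known constants, not sample data.

```python
import hashlib

# Digests copied from the General section of the report above.
REPORTED_HASHES = {
    "md5": "fb6aca6ece036febbbec836dd55d1126",
    "sha1": "d9b521b67eae457b24cdb8f31665f7f276e4a14a",
    "sha256": "44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8",
    "sha512": "388eec18ef7727f1d1e54d4a8ae268ae7530fa315e01a9a1bce947d77369574fe05632e37b3809574793f96f3b129d567ecb6dea01d8b79afd35f240f38f4a39",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory buffer with every requested algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a file in a single streaming pass so large droppers are not loaded whole."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_against_report(computed, reported=REPORTED_HASHES):
    """Return (algorithm, reported, computed) for each digest that disagrees.

    Algorithms present in the report but absent from `computed` (e.g. ssdeep)
    are ignored; an empty list means every shared digest matched.
    """
    mismatches = []
    for algo, expected in reported.items():
        got = computed.get(algo)
        if got is None:
            continue
        if got.lower() != expected.lower():
            mismatches.append((algo, expected.lower(), got.lower()))
    return mismatches


if __name__ == "__main__":
    import sys
    bad = verify_against_report(hash_file(sys.argv[1]))
    for algo, want, got in bad:
        print(f"{algo}: report={want} file={got}")
    print("MATCH" if not bad else "MISMATCH: this is not the analysed sample")
```

A single mismatching algorithm is enough to reject the file: the report's behaviour, C2 list and signatures apply only to the exact bytes that were detonated.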
Malware Config
Extracted: nanocore
Version: 1.2.2.0
C2: sys2021.linkpc.net:11940
C2: 191.96.25.26:11940
Mutex: c687c38e-2b2d-4d96-b5eb-9a31ccba603d
activate_away_mode: true
backup_connection_host: 191.96.25.26
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-01-31T11:35:52.654855036Z
bypass_user_account_control: true
bypass_user_account_control_data: (no value extracted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 11940
default_group: Sys
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB)
mutex: c687c38e-2b2d-4d96-b5eb-9a31ccba603d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: sys2021.linkpc.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
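The extracted NanoCore config is directly actionable: the two connection hosts and the port are network indicators, the mutex GUID is a host indicator, and the boolean flags tell you what the build will do once it runs. The following is an added Python example (not from the report or the NanoCore extractor) that turns those fields into Suricata rules and a capability summary. Assumptions: Suricata 5+ rule syntax (the `dns.query` sticky buffer), placeholder SIDs starting at 9000000, and the flag descriptions are this example's own wording. Note that 8.8.8.8 and 8.8.4.4 are Google public DNS resolvers, not indicators, and with use_custom_dns_server false they are not even used; the hostname may resolve to a different IP than the backup address at any time, so both the name and the IP literal are covered.

```python
import ipaddress

# Fields copied from the extracted NanoCore config above (only those used here).
NANOCORE_CFG = {
    "primary_connection_host": "sys2021.linkpc.net",
    "backup_connection_host": "191.96.25.26",
    "connection_port": 11940,
    "mutex": "c687c38e-2b2d-4d96-b5eb-9a31ccba603d",
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "run_on_startup": True,
    "keyboard_logging": False,
    "clear_zone_identifier": False,
}

# Meaning of the boolean capability flags; wording is this example's, not the extractor's.
CAPABILITY_FLAGS = {
    "bypass_user_account_control": "attempts a UAC bypass",
    "request_elevation": "requests elevation",
    "set_critical_process": "marks itself a critical process (terminating it bugchecks the host)",
    "run_on_startup": "sets up startup persistence",
    "keyboard_logging": "keylogging enabled",
    "clear_zone_identifier": "strips the Zone.Identifier mark-of-the-web",
}


def network_iocs(cfg):
    """Split the C2 hosts into IP literals and hostnames, each paired with the port."""
    port = int(cfg["connection_port"])
    ips, domains = [], []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.append((host, port))
        except ValueError:          # not an IP literal, so treat it as a hostname
            domains.append((host, port))
    return ips, domains


def suricata_rules(cfg, family="NanoCore", base_sid=9000000):
    """One rule per indicator: a TCP rule for each IP:port, a DNS-query rule for each name."""
    ips, domains = network_iocs(cfg)
    rules, sid = [], base_sid
    for ip, port in ips:
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 connection"; flow:to_server; sid:{sid}; rev:1;)'
        )
        sid += 1
    for domain, _ in domains:
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"{family} C2 domain lookup"; dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def enabled_capabilities(cfg):
    """Flags set to true in this build, in CAPABILITY_FLAGS order."""
    return [desc for key, desc in CAPABILITY_FLAGS.items() if cfg.get(key) is True]


if __name__ == "__main__":
    print("\n".join(suricata_rules(NANOCORE_CFG)))
    print("mutex to hunt for:", NANOCORE_CFG["mutex"])
    for capability in enabled_capabilities(NANOCORE_CFG):
        print(" -", capability)
```

The port-bound TCP rule will miss traffic if the operator rebuilds the client on a new port, which is why the hostname rule and the mutex are the more durable of the three indicator types here.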
Extracted: asyncrat
Version: 0.5.2
C2: sys2021.linkpc.net:6606
cd6-c2e0e3fbeef6
delay: 0
install: false
install_file: notepad.exe
install_folder: %AppData%
Targets
Target: fb6aca6ece036febbbec836dd55d1126_JaffaCakes118
Size: 1.5MB
MD5: fb6aca6ece036febbbec836dd55d1126
SHA1: d9b521b67eae457b24cdb8f31665f7f276e4a14a
SHA256: 44a6344f92cd1c3b44c1a6ffa47b1c9bef04261f06f2c523e674ec8eeafe73a8
SHA512: 388eec18ef7727f1d1e54d4a8ae268ae7530fa315e01a9a1bce947d77369574fe05632e37b3809574793f96f3b129d567ecb6dea01d8b79afd35f240f38f4a39
SSDEEP: 24576:Or4MUjzwp6YZcyXFt7J7UMx7F0l3ad42GdIUtBa71AakYeZyXFW7ROUMx4M6A:OkQ6m5t7dlUAUq7eKW7APp
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.
- Detect ZGRat V1
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
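Two of the signatures above, "Contains code to disable Windows Defender" and "Modifies WinLogon for persistence", describe registry changes that can be checked for on a host after the fact. The following is an added Python example (not from the report or the sandbox) that flags unexpected entries in the Winlogon Shell and Userinit values and lists Defender protections switched off through policy values. Assumptions: the known-good Winlogon defaults use the C: system drive, the Defender value names follow the documented `Policies\Microsoft\Windows Defender` layout, and the sample registry values at the bottom are constructed to show a tampered host; they were not observed in this analysis.

```python
# Known-good values for the Winlogon entries that persistence malware appends to.
# Assumes the system drive is C:; adjust for non-standard installations.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Defender policy values that switch a protection off when set to 1.
# Paths assumed from the documented Windows Defender policy layout.
DEFENDER_DISABLE_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": "real-time monitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": "behavior monitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection": "IOAV download scanning",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBlockAtFirstSeen": "Block at First Sight",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "Defender engine (DisableAntiSpyware)",
}


def _entries(value):
    """Normalise a comma-separated Winlogon value: lower-case, trimmed, blanks dropped."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def winlogon_anomalies(values):
    """Report every Shell/Userinit entry that is not in the known-good list.

    Malware usually keeps the legitimate entry and appends its own path, so
    comparing entry-by-entry catches the append without false positives on the default.
    """
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        actual = values.get(name)
        if actual is None:
            continue
        allowed = set(_entries(default))
        for entry in _entries(actual):
            if entry not in allowed:
                findings.append(f"{name}: unexpected entry {entry}")
    return findings


def defender_tamper(values):
    """Return the protections that the given policy values (path -> DWORD) switch off."""
    return [desc for path, desc in DEFENDER_DISABLE_VALUES.items() if values.get(path) == 1]


def read_winlogon_live():
    """Windows only: read the live Winlogon values. The import is local so the module loads elsewhere."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    return {name: winreg.QueryValueEx(key, name)[0] for name in WINLOGON_DEFAULTS}


# Constructed sample values showing a tampered host; not taken from the report.
SAMPLE_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\updater.exe,",
}
SAMPLE_DEFENDER = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": 0,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBlockAtFirstSeen": 1,
}

if __name__ == "__main__":
    for finding in winlogon_anomalies(SAMPLE_WINLOGON) + defender_tamper(SAMPLE_DEFENDER):
        print("!", finding)
```

On a live Windows host, feed `read_winlogon_live()` into `winlogon_anomalies`; any extra Userinit or Shell entry is executed at every interactive logon, which is what makes it a persistence location worth checking alongside the usual Run keys.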