General
-
Target
fdb84298836a2682cf6ed805bc8852de_JaffaCakes118
-
Size
706KB
-
Sample
240420-1nkahsbd4z
-
MD5
fdb84298836a2682cf6ed805bc8852de
-
SHA1
c0024979815687a93ff689f7df62a0bcbb06aa4a
-
SHA256
1504763b84e950b66d6cad0d999137471b87f4a1cbedb28b9e0107ffd247d4dd
-
SHA512
3fa5cb84ee453a2f54357818f7f7a9c0aaa2749531e5f1f0b2cc4ac7a91406e8c1d177d6778045dd6f935888d4285d6633c74d97a893f7c109cfd1885d9a7643
-
SSDEEP
12288:a8t5vy4E/psIgdXAl6stPWF236ISuNeGJifJiQgK5nmhc8Vi:a8t5q4E/pDgdm6stPWSp3NSBiQ6nVi
Static task
static1
Behavioral task
behavioral1
Sample
fdb84298836a2682cf6ed805bc8852de_JaffaCakes118.exe
Resource
win7-20240220-en
Malware Config
Extracted
nanocore
1.2.2.0
discoveryvipshinjiru2law.ooguy.com:56648
3fe77eab-32ab-4bb1-8b02-0ebd7c384dad
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-06-05T12:45:57.022320836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
56648
-
default_group
Shinjiru RDP 5
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
3fe77eab-32ab-4bb1-8b02-0ebd7c384dad
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
discoveryvipshinjiru2law.ooguy.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
fdb84298836a2682cf6ed805bc8852de_JaffaCakes118
-
Size
706KB
-
MD5
fdb84298836a2682cf6ed805bc8852de
-
SHA1
c0024979815687a93ff689f7df62a0bcbb06aa4a
-
SHA256
1504763b84e950b66d6cad0d999137471b87f4a1cbedb28b9e0107ffd247d4dd
-
SHA512
3fa5cb84ee453a2f54357818f7f7a9c0aaa2749531e5f1f0b2cc4ac7a91406e8c1d177d6778045dd6f935888d4285d6633c74d97a893f7c109cfd1885d9a7643
-
SSDEEP
12288:a8t5vy4E/psIgdXAl6stPWF236ISuNeGJifJiQgK5nmhc8Vi:a8t5q4E/pDgdm6stPWSp3NSBiQ6nVi
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-