General
-
Target
117040912827abaa6a8917bb9266271a_JaffaCakes118
-
Size
1.4MB
-
Sample
240504-enf27scg2v
-
MD5
117040912827abaa6a8917bb9266271a
-
SHA1
23b6f3c05a215016804874c24b5c081b026940cc
-
SHA256
d0cc20f9c3ecadedd4bdf5689c12cffb741fad1a0377d3feba5f8b1161a75e00
-
SHA512
1351bdd4aca1eaecacde338c44fe795b785e34aabd36a2f133a095c5c1790ca5c1c26d33c6c8c47c904c5274f683d6c2c230b2270733219bfbde315641bd4d7b
-
SSDEEP
24576:GALR6WXrkQwGbvRjF6BCL7ueKg8uuB13Kk5ARbh9WkIvAuMJF53GCLixGVr92:G83XrkXivhECKeuTtqJUAuQ53GRk2
Static task
static1
Behavioral task
behavioral1
Sample
New Order.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
New Order.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
order list.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
order list.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
nanocore
1.2.2.0
blackhills.ddns.net:54984
213.183.58.34:54984
9fd2d890-5f33-430f-9a78-84171c54b2be
-
activate_away_mode
true
-
backup_connection_host
213.183.58.34
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2017-05-07T18:41:54.173511636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
Lord
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9fd2d890-5f33-430f-9a78-84171c54b2be
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
blackhills.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
darkcomet
God Bless me
blackhills.ddns.net:1040
213.183.58.34:1040
DC_MUTEX-1L423YQ
-
InstallPath
MSDCSC\svchost.exe
-
gencode
hxfmXvFjpU5G
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Extracted
netwire
213.183.58.34:1030
blackhills.ddns.net:1030
blackhills.ddns.net:1031
213.183.58.34:1031
-
activex_autorun
true
-
activex_key
{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
HxAduTti
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
svchost
-
use_mutex
true
Targets
-
-
Target
New Order.exe
-
Size
964KB
-
MD5
ac117adca6eb38e0063d02f6ac8d021f
-
SHA1
1dc3841438485efadf7604ae3215e2800526868d
-
SHA256
02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24
-
SHA512
457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b
-
SSDEEP
24576:xljYTN54L+QagyUW4O058i2He5JUCRiYHk97g:xljYfMOfmxJHp07g
-
Modifies WinLogon for persistence
-
Modifies security service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
order list.exe
-
Size
644KB
-
MD5
d2bdfbfa39edbb7b3823e241290a567b
-
SHA1
2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec
-
SHA256
94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3
-
SHA512
02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70
-
SSDEEP
12288:QNHoLQeRh4W8ZJ76qXIvhMPmMXCiQ3dGfAWipVzCqo1r9zu4V:2HoLQeRh4P/6qXIv6+MXT+cizdgr9zuQ
-
NetWire RAT payload
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1