General

  • Target

    117040912827abaa6a8917bb9266271a_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240504-enf27scg2v

  • MD5

    117040912827abaa6a8917bb9266271a

  • SHA1

    23b6f3c05a215016804874c24b5c081b026940cc

  • SHA256

    d0cc20f9c3ecadedd4bdf5689c12cffb741fad1a0377d3feba5f8b1161a75e00

  • SHA512

    1351bdd4aca1eaecacde338c44fe795b785e34aabd36a2f133a095c5c1790ca5c1c26d33c6c8c47c904c5274f683d6c2c230b2270733219bfbde315641bd4d7b

  • SSDEEP

    24576:GALR6WXrkQwGbvRjF6BCL7ueKg8uuB13Kk5ARbh9WkIvAuMJF53GCLixGVr92:G83XrkXivhECKeuTtqJUAuQ53GRk2

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

blackhills.ddns.net:54984

213.183.58.34:54984

Mutex

9fd2d890-5f33-430f-9a78-84171c54b2be

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    213.183.58.34

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2017-05-07T18:41:54.173511636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    Lord

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9fd2d890-5f33-430f-9a78-84171c54b2be

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    blackhills.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

darkcomet

Botnet

God Bless me

C2

blackhills.ddns.net:1040

213.183.58.34:1040

Mutex

DC_MUTEX-1L423YQ

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    hxfmXvFjpU5G

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

netwire

C2

213.183.58.34:1030

blackhills.ddns.net:1030

blackhills.ddns.net:1031

213.183.58.34:1031

Attributes
  • activex_autorun

    true

  • activex_key

    {P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    HxAduTti

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    svchost

  • use_mutex

    true

Targets

    • Target

      New Order.exe

    • Size

      964KB

    • MD5

      ac117adca6eb38e0063d02f6ac8d021f

    • SHA1

      1dc3841438485efadf7604ae3215e2800526868d

    • SHA256

      02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24

    • SHA512

      457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b

    • SSDEEP

      24576:xljYTN54L+QagyUW4O058i2He5JUCRiYHk97g:xljYfMOfmxJHp07g

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies security service

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      order list.exe

    • Size

      644KB

    • MD5

      d2bdfbfa39edbb7b3823e241290a567b

    • SHA1

      2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec

    • SHA256

      94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3

    • SHA512

      02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70

    • SSDEEP

      12288:QNHoLQeRh4W8ZJ76qXIvhMPmMXCiQ3dGfAWipVzCqo1r9zu4V:2HoLQeRh4P/6qXIv6+MXT+cizdgr9zuQ

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15