General
-
Target
129e409e4b18cbbee4241ee461bcad25_JaffaCakes118
-
Size
576KB
-
Sample
240504-n2lz2sdc4s
-
MD5
129e409e4b18cbbee4241ee461bcad25
-
SHA1
c932cd873bb37f3f1d2959b848c67fc344a9d092
-
SHA256
619242f828d1c90595587ddab9ad3890f93b96b0723e419960d58d90091826d1
-
SHA512
9130bf13682fe0a60dfb4a6f2b8a2d8835af789815daa41d81756c9582e97e1c85b2d50abd8e7053e9d9289aa7a816d5e12c3b5a03678ff6baac402171c3e65a
-
SSDEEP
12288:0VXR/bkJ2u36I9t0mwShEqIQH063+U8XKERkjXr8qWYNGpe/sNL7ZfB:aXR/bw2u36g0vave6KKjXwqWYNGI8tB
Behavioral task
behavioral1
Sample
Microsoft_Upgrade.exe
Resource
win7-20240221-en
Malware Config
Extracted
nanocore
1.2.2.0
54111.duckdns.org:54111
127.0.0.1:54111
cfac1586-e1cf-4d97-b493-5e7e1dd40a32
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-02-12T06:39:37.387793036Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54111
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
cfac1586-e1cf-4d97-b493-5e7e1dd40a32
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
54111.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Microsoft_Upgrade.exe
-
Size
637KB
-
MD5
c966dbcfcfd2b34349b69a64ca2d84b2
-
SHA1
a38239f0c1b582eb703a8a51c67894559cbddc17
-
SHA256
f7f198c7576f5b5445c13bc91959541534f1412cbadca9a33c929731f594514c
-
SHA512
e7e4ffa5c49f83b1b93f2ccf65d5a2d762c25368babaac73317121873a5ce95e342a842dbe60a00a2005b920acdc8f3ed5b570b478a0dfd23b3743757a04ff3c
-
SSDEEP
12288:FYV6MorX7qzuC3QHO9FQVHPF51jgcaI8j9r66W6NYRC/wvL71fic:6BXu9HGaVHaI8j9m6W6NYA8pB
-
Checks computer location settings
Reads the country code configured in the registry; this is likely used as a geofence check to decide whether the sample runs.
-
Deletes itself
-
AutoIT Executable
AutoIt script compiled to a PE executable.
-
Suspicious use of SetThreadContext
-