General

  • Target

    157da6effe1931be4dc4a6bd35020fa6_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240505-ch85paee28

  • MD5

    157da6effe1931be4dc4a6bd35020fa6

  • SHA1

    43e80cb41f7864b9c713a51a31732f76d744b7fd

  • SHA256

    b0c4a7e65bfc48a683c26dcbe952937e10bca231df8a17d16fab0312afb13345

  • SHA512

    b7f9fd846433fe20690466d1d730e30ff21a1bc5300b7b217c3e7ea5e86563977869d6508ee9902ffe26acfd581e368ca6e7ba35c9059cad27fa2c980a647c21

  • SSDEEP

    24576:0HLGSf0H0AZ/RBrmUwQgx1e2AnGEdiLAIi:usUCqQiepdi0Ii

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

baby.ausluggage.com:5656

mama.rnatrixgn.com:5656

Mutex

06c90934-ef35-4223-aa27-fcdec34238e3

Attributes

  • activate_away_mode

    true

  • backup_connection_host

    mama.rnatrixgn.com

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-12-23T09:42:15.812707836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    5656

  • default_group

    2020

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    06c90934-ef35-4223-aa27-fcdec34238e3

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    baby.ausluggage.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      Inquiry List.pdf.exe

    • Size

      1.7MB

    • MD5

      89a2e99f3a510475dfbb36e7492967e9

    • SHA1

      d51a45a4041951b84df7bb9bc08bd9dacb469015

    • SHA256

      17f9b526e5aa96416862611bfa6ab84396209a3df8bb5b723240e8a57dc6d0e9

    • SHA512

      171fe1bdfce0515372fffafde37e3906a5fb7325dfe24861c71d0f1c8cc6556b6e81194bfe175a7595ca73ac169b9038460500706c53982ff87a7b047041c40d

    • SSDEEP

      24576:7ENXVpmPIXFp2Q3tnL0qb1szI4xIIrBB+XVpmPIXFp0iz:2VgPIXFU69uzI4xIY2VgPIXFh

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks