General
-
Target
157da6effe1931be4dc4a6bd35020fa6_JaffaCakes118
-
Size
1.1MB
-
Sample
240505-ch85paee28
-
MD5
157da6effe1931be4dc4a6bd35020fa6
-
SHA1
43e80cb41f7864b9c713a51a31732f76d744b7fd
-
SHA256
b0c4a7e65bfc48a683c26dcbe952937e10bca231df8a17d16fab0312afb13345
-
SHA512
b7f9fd846433fe20690466d1d730e30ff21a1bc5300b7b217c3e7ea5e86563977869d6508ee9902ffe26acfd581e368ca6e7ba35c9059cad27fa2c980a647c21
-
SSDEEP
24576:0HLGSf0H0AZ/RBrmUwQgx1e2AnGEdiLAIi:usUCqQiepdi0Ii
Static task
static1
Behavioral task
behavioral1
Sample
Inquiry List.pdf.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Inquiry List.pdf.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
nanocore
1.2.2.0
baby.ausluggage.com:5656
mama.rnatrixgn.com:5656
06c90934-ef35-4223-aa27-fcdec34238e3
-
activate_away_mode
true
-
backup_connection_host
mama.rnatrixgn.com
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-12-23T09:42:15.812707836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
5656
-
default_group
2020
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
06c90934-ef35-4223-aa27-fcdec34238e3
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
baby.ausluggage.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Inquiry List.pdf.exe
-
Size
1.7MB
-
MD5
89a2e99f3a510475dfbb36e7492967e9
-
SHA1
d51a45a4041951b84df7bb9bc08bd9dacb469015
-
SHA256
17f9b526e5aa96416862611bfa6ab84396209a3df8bb5b723240e8a57dc6d0e9
-
SHA512
171fe1bdfce0515372fffafde37e3906a5fb7325dfe24861c71d0f1c8cc6556b6e81194bfe175a7595ca73ac169b9038460500706c53982ff87a7b047041c40d
-
SSDEEP
24576:7ENXVpmPIXFp2Q3tnL0qb1szI4xIIrBB+XVpmPIXFp0iz:2VgPIXFU69uzI4xIY2VgPIXFh
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandbox environments.
-
Suspicious use of SetThreadContext
-