General
-
Target
258c60b279a8debef184b5c01766604f_JaffaCakes118
-
Size
280KB
-
Sample
240508-s4smtsea68
-
MD5
258c60b279a8debef184b5c01766604f
-
SHA1
011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
-
SHA256
20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
-
SHA512
50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
-
SSDEEP
6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K
Static task
static1
Behavioral task
behavioral1
Sample
258c60b279a8debef184b5c01766604f_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
lokibot
http://arenamedia.co.ke/include/dbes/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
nanocore
1.2.2.0
dbesth1.ddns.net:3455
154.16.220.30:3455
3cea4056-063b-4394-b13d-4dc863235987
-
activate_away_mode
true
-
backup_connection_host
154.16.220.30
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-04-10T23:16:59.261349436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3455
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
3cea4056-063b-4394-b13d-4dc863235987
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dbesth1.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
258c60b279a8debef184b5c01766604f_JaffaCakes118
-
Size
280KB
-
MD5
258c60b279a8debef184b5c01766604f
-
SHA1
011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
-
SHA256
20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
-
SHA512
50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
-
SSDEEP
6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-