General

  • Target: 26779d43b844689870d1925432a965a6_JaffaCakes118
  • Size: 785KB
  • Sample: 240508-ynmdrsfb33
  • MD5: 26779d43b844689870d1925432a965a6
  • SHA1: c5c767b3df29c86056896aba4f6f14f75d6e1727
  • SHA256: c8887e8f143a4d2048529291815d8d04f0d5e9a5f6f77605c7ee5d0b28067836
  • SHA512: 328ddb3ebc72b87d136f7b0189d4b20aa8205d7a0f6d3e74a6363424ca9dfab997c343f2d388a81c6ad8c1d10f1e37d464b8904a33e7617130b07e2b58506af8
  • SSDEEP: 24576:aUQ/rqA+6KF+e9CYfz4eOTzm82gckRmMslJVLUwB:aU4q7qe9OzTzm82sRQJ9B

Malware Config

Extracted

  • Family: nanocore
  • Version: 1.2.2.0
  • C2: nanocore511.ddns.net:1129
  • C2: 194.5.98.84:1129
  • Mutex: 7b902218-069b-4546-af78-0d2d86c9fc07

Attributes

  • activate_away_mode: true
  • backup_connection_host: 194.5.98.84
  • backup_dns_server:
  • buffer_size: 65535
  • build_time: 2019-03-30T01:07:13.727975136Z
  • bypass_user_account_control: true
  • bypass_user_account_control_data:
  • clear_access_control: true
  • clear_zone_identifier: false
  • connect_delay: 4000
  • connection_port: 1129
  • default_group: 511
  • enable_debug_mode: true
  • gc_threshold: 1.048576e+07
  • keep_alive_timeout: 30000
  • keyboard_logging: false
  • lan_timeout: 2500
  • max_packet_size: 1.048576e+07
  • mutex: 7b902218-069b-4546-af78-0d2d86c9fc07
  • mutex_timeout: 5000
  • prevent_system_sleep: false
  • primary_connection_host: nanocore511.ddns.net
  • primary_dns_server:
  • request_elevation: true
  • restart_delay: 5000
  • run_delay: 0
  • run_on_startup: true
  • set_critical_process: true
  • timeout_interval: 5000
  • use_custom_dns_server: false
  • version: 1.2.2.0
  • wan_timeout: 8000

Targets

    • Target: IN-STORE GUIDELINES.doc
    • Size: 218KB
    • MD5: fa924774ba1bcd23d9b4bb5b5d097567
    • SHA1: f427a2fa21eea0d9b910a9b62c1bf88eac15e2b8
    • SHA256: ac14d1eb7ed9adadebd1230833041ea82af6ff34b2ad5dd4566f742e7c0bdf53
    • SHA512: eb895b949e4b968053b97aa357d451c34cbdb82d2ba3b9e4f8f9b5c72f7c74ea8708653bb37fea78db0ce9d25c01c9920a32d83d8ce1c1be2912dec4c931604e
    • SSDEEP: 1536:mtjkBe1ehegeqfDYfpoG+g5ZcFRIxPILSQWns3R:mtjChmxgLSQWno

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • Target: LASTING MATTE FOUNDATION.exe
    • Size: 1.2MB
    • MD5: 158f1348b224fc1b917d0c8254bad7ce
    • SHA1: 628637d2de6ed2eb4ce513cdbc271aadbedd3eaf
    • SHA256: 7c0e96e3eb52d60099ad6b60f5629c82cd0c7ea90831799cfd5f06535a3d43e4
    • SHA512: f08362e80e3ac04bef9ec7f46a083c416cb30e0bf8f552ea746e7bdf8d932b65b69a0561411859243a3af3ff52b3495bd869a7b88844db1e8040e3c7a3458a65
    • SSDEEP: 24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaS0bsdAfoOpAYgd1iwaQ5:eh+ZkldoPK8YaSBupAYi1iwp

    • Target: RIMMEL POSM ROADMAP.doc
    • Size: 218KB
    • MD5: fa924774ba1bcd23d9b4bb5b5d097567
    • SHA1: f427a2fa21eea0d9b910a9b62c1bf88eac15e2b8
    • SHA256: ac14d1eb7ed9adadebd1230833041ea82af6ff34b2ad5dd4566f742e7c0bdf53
    • SHA512: eb895b949e4b968053b97aa357d451c34cbdb82d2ba3b9e4f8f9b5c72f7c74ea8708653bb37fea78db0ce9d25c01c9920a32d83d8ce1c1be2912dec4c931604e
    • SSDEEP: 1536:mtjkBe1ehegeqfDYfpoG+g5ZcFRIxPILSQWns3R:mtjChmxgLSQWno

    Score: 10/10
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks