General
-
Target
26779d43b844689870d1925432a965a6_JaffaCakes118
-
Size
785KB
-
Sample
240508-ynmdrsfb33
-
MD5
26779d43b844689870d1925432a965a6
-
SHA1
c5c767b3df29c86056896aba4f6f14f75d6e1727
-
SHA256
c8887e8f143a4d2048529291815d8d04f0d5e9a5f6f77605c7ee5d0b28067836
-
SHA512
328ddb3ebc72b87d136f7b0189d4b20aa8205d7a0f6d3e74a6363424ca9dfab997c343f2d388a81c6ad8c1d10f1e37d464b8904a33e7617130b07e2b58506af8
-
SSDEEP
24576:aUQ/rqA+6KF+e9CYfz4eOTzm82gckRmMslJVLUwB:aU4q7qe9OzTzm82sRQJ9B
Static task
static1
Behavioral task
behavioral1
Sample
IN-STORE GUIDELINES.rtf
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
IN-STORE GUIDELINES.rtf
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
LASTING MATTE FOUNDATION.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
LASTING MATTE FOUNDATION.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
RIMMEL POSM ROADMAP.rtf
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
RIMMEL POSM ROADMAP.rtf
Resource
win10v2004-20240508-en
Malware Config
Extracted
nanocore
1.2.2.0
nanocore511.ddns.net:1129
194.5.98.84:1129
7b902218-069b-4546-af78-0d2d86c9fc07
-
activate_away_mode
true
-
backup_connection_host
194.5.98.84
-
backup_dns_server
-
buffer_size
65535
-
build_time
2019-03-30T01:07:13.727975136Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1129
-
default_group
511
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7b902218-069b-4546-af78-0d2d86c9fc07
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nanocore511.ddns.net
-
primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
IN-STORE GUIDELINES.doc
-
Size
218KB
-
MD5
fa924774ba1bcd23d9b4bb5b5d097567
-
SHA1
f427a2fa21eea0d9b910a9b62c1bf88eac15e2b8
-
SHA256
ac14d1eb7ed9adadebd1230833041ea82af6ff34b2ad5dd4566f742e7c0bdf53
-
SHA512
eb895b949e4b968053b97aa357d451c34cbdb82d2ba3b9e4f8f9b5c72f7c74ea8708653bb37fea78db0ce9d25c01c9920a32d83d8ce1c1be2912dec4c931604e
-
SSDEEP
1536:mtjkBe1ehegeqfDYfpoG+g5ZcFRIxPILSQWns3R:mtjChmxgLSQWno
Score 10/10
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
-
-
Target
LASTING MATTE FOUNDATION.exe
-
Size
1.2MB
-
MD5
158f1348b224fc1b917d0c8254bad7ce
-
SHA1
628637d2de6ed2eb4ce513cdbc271aadbedd3eaf
-
SHA256
7c0e96e3eb52d60099ad6b60f5629c82cd0c7ea90831799cfd5f06535a3d43e4
-
SHA512
f08362e80e3ac04bef9ec7f46a083c416cb30e0bf8f552ea746e7bdf8d932b65b69a0561411859243a3af3ff52b3495bd869a7b88844db1e8040e3c7a3458a65
-
SSDEEP
24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaS0bsdAfoOpAYgd1iwaQ5:eh+ZkldoPK8YaSBupAYi1iwp
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
RIMMEL POSM ROADMAP.doc
-
Size
218KB
-
MD5
fa924774ba1bcd23d9b4bb5b5d097567
-
SHA1
f427a2fa21eea0d9b910a9b62c1bf88eac15e2b8
-
SHA256
ac14d1eb7ed9adadebd1230833041ea82af6ff34b2ad5dd4566f742e7c0bdf53
-
SHA512
eb895b949e4b968053b97aa357d451c34cbdb82d2ba3b9e4f8f9b5c72f7c74ea8708653bb37fea78db0ce9d25c01c9920a32d83d8ce1c1be2912dec4c931604e
-
SSDEEP
1536:mtjkBe1ehegeqfDYfpoG+g5ZcFRIxPILSQWns3R:mtjChmxgLSQWno
Score 10/10
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-