General
-
Target
49eafd305c087014395f73e39363501f_JaffaCakes118
-
Size
1.2MB
-
Sample
240516-htphbahb2y
-
MD5
49eafd305c087014395f73e39363501f
-
SHA1
d8f4be58cf3a05aa6aab6b50ccef12ebc21f05bb
-
SHA256
510c92f4ed90b092940d8d47585e2a55d1ad71e7ecd87b3e6ec783ab23fc9ed9
-
SHA512
7ba281fe90b1e8f2d7c9109f0a731a3766141c6f53bd4b0cf07bacb6925d1be677f97d56502cd78c7b2847434bce4a9b767de9d5292f847150affe55c118c80d
-
SSDEEP
24576:/0CDJu+x6QjMLD3LzxEr3nPuSeXWWa3J4hGVyTmGaO3tdRmPddr2UmA5/qhooa69:/fD8G4i7PzeXQ5/N6devKUmA5zE
Static task
static1
Behavioral task
behavioral1
Sample
NaxorCrypter.exe
Resource
win7-20231129-en
Malware Config
Extracted
nanocore
1.2.2.0
1337day.ddns.net:1900
93979016-0516-4417-b883-a0edc923fe85
-
activate_away_mode
true
-
backup_connection_host
1337day.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-07-29T17:12:59.761069736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1900
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
93979016-0516-4417-b883-a0edc923fe85
-
mutex_timeout
5000
-
prevent_system_sleep
false
- primary_connection_host
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
0.6.4
HacKed
fal92.duckdns.org:10142
3d25feee885880d8ab876c66d8b91d84
-
reg_key
3d25feee885880d8ab876c66d8b91d84
-
splitter
|'|'|
Targets
-
-
Target
NaxorCrypter.exe
-
Size
2.2MB
-
MD5
b29c154b97950a07caf5aa3e3795a4a1
-
SHA1
8940008c6630ad14a42f76c72b63341adb406736
-
SHA256
51a39194cd5c21c1de6e9724f9b5890a2b50f9d7e3b7fa003a5e50beb9559fb4
-
SHA512
c21b40a6e412f0022da398212ddcf6cfdf51522715297d0275fb2983d936a1ace29f4f8a54f751617fc92121b825424389bdd096b9c59c4cff6a58a57bde7bc3
-
SSDEEP
24576:NkGGdafLtcWAjB9XvdBqLP2XDBxkdgGAQjdhnF61A5w/8yYBBifgqH3P64F7:G4ovIbqxCTx5w/Xf5f
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1