Overview

overview

10

Static

static

3

53b6adccfa...18.exe

windows7-x64

10

53b6adccfa...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe

  • Size

    852KB

  • MD5

    53b6adccfa92bc14352aec7289ab2950

  • SHA1

    6067cca668cfb9ac87441cf0156af321202f2d04

  • SHA256

    c5fa6b9642b737e1318245b039002b26141092ca9d055bc99f9250c1ea91b966

  • SHA512

    883965f9d5aff1f8b137b063e7fc6e978ba8805bb4769d112a87d04c4858f2e1e397da19884a45b0723671357484b781dc2be2f294838d30a717a3f74afde5f3

  • SSDEEP

    24576:L2O/GlmnhDKoc9JT3Q0cKvkw7+2qJ787g6zwm4m53Sb2n:P5KRT3Q0cKvkwS2Q785kFm53Syn

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

154.16.63.21:8777

Mutex

e8ddcb63-1ab8-4f2b-8233-40ab2aa77e6c

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    154.16.63.21

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2017-01-13T08:26:18.817282736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    8777

  • default_group

    uk

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e8ddcb63-1ab8-4f2b-8233-40ab2aa77e6c

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    154.16.63.21

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Users\Admin\AppData\Roaming\khc\fqx.exe
      "C:\Users\Admin\AppData\Roaming\khc\fqx.exe" anm-tjs
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\AppData\Roaming\khc\fqx.exe
        C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\ITCWJ
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2940
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          C:\Users\Admin\AppData\Roaming\khc\ITCWJ
          4⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\khc\ITCWJ
    Filesize

    91KB

    MD5

    e75f7afd6c1fc384fae32f662a3c5939

    SHA1

    920548e0c819204b114267a1ac5198eb01d2eb43

    SHA256

    81b7d64bf1736312351fd0207fde3e2c23aa3231607415748ec51c01c377a17a

    SHA512

    ec1741b87dc453c3e0d91a77f00bf2830445176b8b4ee80722f2c4e6bb53b5a7675a2c8f70274a737023906fa325bc150d10a58688b498c03d0e6a4de1765859

    Download Submit
  • C:\Users\Admin\AppData\Roaming\khc\anm-tjs
    Filesize

    7.4MB

    MD5

    6276212be5f4f3dc51113b6bff9a4cb4

    SHA1

    b26e74f82e1fa09a8c332ab39505be5f6efabab0

    SHA256

    74f704dbe98256359a2593e0883a79152b1c61271405685384a94b12858261c8

    SHA512

    8b9bd50aff0c896dd587a413162054d8f887426784eaa9fbc09023ce12421cff31ba63378b45bc75f0a3e556a42d18d7c206b16605f8c870a9fce54d5b2b5ceb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\khc\faa.bmp
    Filesize

    618KB

    MD5

    a337884da35ac1afc9cb434fd4b0cd9e

    SHA1

    f9d1935c8cfc8b697c40fa6da71bd950129bef0d

    SHA256

    d5f05d19ae26abc515edbd0b1328d73c0a43a9b577fbed041b640d49d9b0320c

    SHA512

    1bddd5d445ec89186043bdabe42f9817ea999eaed702dcc7fab1bec50a8e879ae0f12e706770091644912cd1e7de6f389b396c8af05f8e78a71f4005f9485e4e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\khc\fqx.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit
  • C:\Users\Admin\AppData\Roaming\khc\spd
    Filesize

    4B

    MD5

    098f6bcd4621d373cade4e832627b4f6

    SHA1

    a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

    SHA256

    9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

    SHA512

    ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

    Download Submit
  • memory/1708-95-0x0000000000D00000-0x0000000000DCC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/1708-98-0x0000000000D00000-0x0000000000DCC000-memory.dmp
    Filesize

    816KB

    Download
  • memory/2940-93-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download