General
-
Target
53fef215700b1e1c3d781f2be9f333d8_JaffaCakes118
-
Size
223KB
-
Sample
240518-k6awssda9y
-
MD5
53fef215700b1e1c3d781f2be9f333d8
-
SHA1
ee868bdf2ab4b80ae5f48c54fcd30f10ef799f30
-
SHA256
0e62e4cceadbe0a5b50309f73956bbd1cf51b345b1a4d324e66c10d00c3494d7
-
SHA512
7b769b5a349c8fae8dedca1401760b8a00a5bdb2f588f4ab43beeabccce4f0d6d58f0ccb0788933ab8b50531651d4262806b9894914463d735def67a2390c022
-
SSDEEP
6144:hjnGoaxXgxL4lWZYGPpz9tPccAiEuHG7jVNG:hjG5gyMPRcydm7jVs
Static task
static1
Behavioral task
behavioral1
Sample
shipping document.exe
Resource
win7-20240508-en
Malware Config
Extracted
nanocore
1.2.2.0
dengsman.duckdns.org:30201
127.0.0.1:30201
68929715-1cd3-418e-9481-b31bf6322d48
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
37.235.1.177
-
buffer_size
65535
-
build_time
2018-04-15T16:24:33.310279636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
30201
-
default_group
dengs
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68929715-1cd3-418e-9481-b31bf6322d48
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dengsman.duckdns.org
-
primary_dns_server
37.235.1.174
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
Target
shipping document.exe
-
Size
258KB
-
MD5
612dbb3e0e9540bd711321f239e6ae59
-
SHA1
2f3f519aa1dda89459173f4d4df7b1a9edeb545f
-
SHA256
68035b3c8c61cb3fd66d50c97af1167418e84d169aa6424364d1effa09598497
-
SHA512
c8358bc80ba266e6ea7369ae29251e7d6ed30eb83ba1ed28b0369cd2bd7f515373eab55838194ac0e12095c4c4359237ba359d3a2f8cbd3f5b1a3feda4b4edaf
-
SSDEEP
6144:DT9Tn0sHnkKY3gJ3oQrU3gFE4qt2/gMq0f06:DRT0sHi3g/IgqZ2/J
-
Checks computer location settings
Reads the country code configured in the registry; likely used as a geofence check before the payload proceeds.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Traffic on the DNS port was observed going to servers other than the DNS servers configured on the host.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext