Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-05-2024 15:03

General

  • Target

    63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe

  • Size

    906KB

  • MD5

    63b7c9c97cb399ef233ce10e83b65663

  • SHA1

    85e539468312c87fc6daed7164f246e5fa638f20

  • SHA256

    feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0

  • SHA512

    137d2579c257ee22e7416fad42dcbb2e24c20a6a2ea9079a58bf7f8d30ab6203837646e74b24142bf015f806f26de5522edb40255fd4b479f9ba6e8b9dcd7fa2

  • SSDEEP

    24576:f2O/GlPO2+Bl8CXU+b+lwmxhKbH3w1GthA0E:Bz8t+alwmxUT3zg0E

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

leosmart.zapto.org:3365

212.7.218.52:3365

Mutex

5eddd847-a776-47e0-824c-cf94d3e848d6

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    212.7.218.52

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2017-12-05T04:53:06.594023236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3365

  • default_group

    cash out

  • enable_debug_mode

    true

  • gc_threshold

    10485760

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760

  • mutex

    5eddd847-a776-47e0-824c-cf94d3e848d6

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    leosmart.zapto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
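The extracted config above gives a primary host (a dynamic-DNS name), a backup host (a literal IP), the C2 port and the mutex. The following is an added example, not part of the sandbox report, showing one way to turn those fields into a small IOC set and run it over constructed Zeek-style dns and conn records; the record layout, field names, timestamps and the benign entries are assumptions made for the example, and only the config values are taken from the report.

```python
"""
Added example (not part of the sandbox report): derive IOCs from the extracted
NanoCore config fields and hunt for them in constructed Zeek-style records.
"""
import ipaddress

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "primary_connection_host": "leosmart.zapto.org",
    "backup_connection_host": "212.7.218.52",
    "connection_port": 3365,
    "mutex": "5eddd847-a776-47e0-824c-cf94d3e848d6",
}


def iocs_from_config(cfg):
    """Split configured hosts into domains vs. literal IPs, keep the port and mutex."""
    domains, ips = set(), set()
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:          # not an IP literal, so treat it as a domain
            domains.add(host.lower())
    return {"domains": domains, "ips": ips,
            "port": cfg["connection_port"], "mutex": cfg["mutex"]}


# Constructed records (assumption, modelled on Zeek dns.log / conn.log fields):
# a DNS answer for the dynamic-DNS name, a connection to the resolved address on
# the C2 port, and benign noise plus a same-IP/other-port connection as a control.
SAMPLE_DNS = [
    {"ts": 1, "query": "leosmart.zapto.org", "answers": ["212.7.218.52"]},
    {"ts": 2, "query": "www.example.com", "answers": ["93.184.216.34"]},
]
SAMPLE_CONN = [
    {"ts": 3, "id.resp_h": "212.7.218.52", "id.resp_p": 3365, "proto": "tcp"},
    {"ts": 4, "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"},
    {"ts": 5, "id.resp_h": "212.7.218.52", "id.resp_p": 80, "proto": "tcp"},
]


def match_dns(iocs, dns_records):
    """Queries for a configured C2 domain; also collect the IPs they resolved to."""
    hits, resolved = [], set()
    for r in dns_records:
        if r["query"].lower() in iocs["domains"]:
            hits.append(r)
            resolved.update(r["answers"])
    return hits, resolved


def match_conn(iocs, conn_records, extra_ips=()):
    """Connections to a configured or just-resolved C2 IP.

    A hit on the configured port is 'strong'; the same IP on another port is
    reported separately as 'weak' so shared hosting does not drown the result.
    """
    strong, weak = [], []
    watch = iocs["ips"] | set(extra_ips)
    for r in conn_records:
        if r["id.resp_h"] in watch:
            (strong if r["id.resp_p"] == iocs["port"] else weak).append(r)
    return strong, weak


def hunt(cfg, dns_records, conn_records):
    """Run the DNS match first so resolved addresses feed the connection match."""
    iocs = iocs_from_config(cfg)
    dns_hits, resolved = match_dns(iocs, dns_records)
    strong, weak = match_conn(iocs, conn_records, resolved)
    return {
        "dns": [r["query"] for r in dns_hits],
        "c2_connections": [(r["id.resp_h"], r["id.resp_p"]) for r in strong],
        "same_host_other_port": [(r["id.resp_h"], r["id.resp_p"]) for r in weak],
        "mutex_to_hunt": iocs["mutex"],
    }


if __name__ == "__main__":
    print(hunt(CONFIG, SAMPLE_DNS, SAMPLE_CONN))
```

Feeding the DNS answers into the connection match matters for dynamic-DNS C2: the name can move to an address that is not in the config, while the backup_connection_host stays a fixed literal that can be matched directly. The mutex is returned so a host-side hunt (handle enumeration on suspect endpoints) can reuse the same IOC set.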

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
      "C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
        C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\ZAQEU
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:108
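The process tree above shows epr.exe (running from a %TEMP% subfolder) starting RegSvcs.exe with no arguments while the report flags SetThreadContext and WriteProcessMemory on that parent, and the RegSvcs.exe child then adding a Run key. Legitimate RegSvcs.exe use takes an assembly path as its argument. The following is an added example, not part of the sandbox report, of detection logic for that pattern run over constructed Sysmon-style events modelled on the tree; the event field names, the benign control event, the registry value name and the SID are assumptions made for the example.

```python
"""
Added example (not part of the sandbox report): flag (1) a .NET framework
utility launched with no arguments by a parent under %TEMP%, the shape the
report's SetThreadContext/WriteProcessMemory signatures point at, and
(2) a Run-key write by that suspect process (T1547.001), over constructed
Sysmon-style events.  Field names follow Sysmon loosely (assumption).
"""
import re

TEMP_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# .NET framework utilities commonly hollowed or abused as hosts (assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Constructed events: the four processes from the report's tree, a benign
# RegSvcs.exe control with an assembly argument, and a Run-key write by PID 108.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2916, "ParentProcessId": 1024,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2536, "ParentProcessId": 2916,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\63b7c9c97cb399ef233ce10e83b65663_JaffaCakes118.exe"},
    {"EventID": 1, "ProcessId": 1296, "ParentProcessId": 2536,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\ZAQEU",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe"},
    {"EventID": 1, "ProcessId": 108, "ParentProcessId": 1296,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe"},
    # Benign control (constructed): an installer registering an assembly.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 2800,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Program Files\Vendor\Svc.dll',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    # Registry value set (Sysmon EventID 13); SID, value name and data are constructed.
    {"EventID": 13, "ProcessId": 108,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetObject": r"HKU\S-1-5-21-1234567890-1\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
     "Details": r"C:\Program Files\Agent\agent.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def command_args(cmdline, image):
    """Argument string left after removing the (quoted or bare) image path."""
    c = cmdline.strip()
    for prefix in (f'"{image}"', image):
        if c.lower().startswith(prefix.lower()):
            return c[len(prefix):].strip()
    return c  # unknown shape: keep everything so we never mis-flag as empty


def hollowing_candidates(events):
    """PIDs of .NET host utilities started with no arguments by a parent in %TEMP%."""
    hits = {}
    for e in events:
        if e["EventID"] != 1 or basename(e["Image"]) not in DOTNET_HOSTS:
            continue
        if command_args(e["CommandLine"], e["Image"]):
            continue  # an assembly argument is the normal, benign usage
        if TEMP_PATH.search(e["ParentImage"]):
            hits[e["ProcessId"]] = e
    return hits


def run_key_writes(events, suspect_pids):
    """Run-key writes by a hollowing suspect or by an image running from %TEMP%."""
    return [e for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])
            and (e["ProcessId"] in suspect_pids or TEMP_PATH.search(e["Image"]))]


def ancestry(events, pid):
    """Rebuild the parent chain for a PID, root first, like the report's tree."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def analyse(events):
    suspects = hollowing_candidates(events)
    persistence = run_key_writes(events, set(suspects))
    return {"hollowing_pids": sorted(suspects),
            "chains": {pid: ancestry(events, pid) for pid in suspects},
            "run_key_writes": [e["TargetObject"] for e in persistence]}


if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

The argument check is what keeps the rule quiet on real installers: RegSvcs.exe with an assembly path from a parent under Program Files passes, while an argument-less instance whose parent lives in a user-writable Temp folder is the shape this sample produced. Tying the Run-key rule to the already-flagged PID avoids alerting on every Run-key write on the host.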

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\40633691\ZAQEU
    Filesize

    86KB

    MD5

    458a1b6d11ccc54ff99f06fafbcc4f15

    SHA1

    a52b6d318b797b3dbece1ba5c0fb87f212de81f7

    SHA256

    433a04b587e62bd4baf7192d783bc4fdea4ce2ebb1a951332e03f32e46463f61

    SHA512

    f7d73f100ee0b5f9e79f7fb119e1b0123b65a3d1d6ec8c7bec487f6b7027cb51a8a1262bf838dc97c0a0a39dfbef9a25dd1cdcb6d192cafe73d333e43cd3d879

  • C:\Users\Admin\AppData\Local\Temp\40633691\cri=bmv
    Filesize

    183KB

    MD5

    ca49d5e6c03a09032728e91d192b9905

    SHA1

    ebbc137ac900d5e8fea261606024f35078ab2a21

    SHA256

    f3d52b4c5fbcc79cdb3a249401cf5413df1e4d24656a5767e22380a0d1bbdc8d

    SHA512

    4fbdef69b005276cb7e0129d6571d40a27dbcfd47c40c1d77c62a81c3694f341094188f94382087875a4032d11382aeb6b714e2bca9f3640d66c3ab52c84ac0c

  • C:\Users\Admin\AppData\Local\Temp\40633691\ipg.icm
    Filesize

    64B

    MD5

    7a80edf15dc0a33c0019c9b37d38bc1c

    SHA1

    b27c1be7d270b7478a1d7781bf1bef2bb7dd3893

    SHA256

    db50b5f644811c57f4591bffb64d6aad80e48547318dc6a0831872e9c28f26e9

    SHA512

    e6f39ed9885e781ebffd67f9589add54747e632320aa6997256b3e7c827b8e41e37e27c6de697f082feb5a76d2cd972dc4f981cc886080d435af04edd89a77e6

  • C:\Users\Admin\AppData\Local\Temp\40633691\wcn.ico
    Filesize

    399B

    MD5

    c91231980cac0c054acb16d337e660f6

    SHA1

    a26bd4f0b3ba8b212c59b77b38e0a1105875071c

    SHA256

    262e13318a1fe6de6fcabc2240323a50680164f0b4d553210542744c6f46330d

    SHA512

    2f9c65ee51e859580d9ba51c5d6d2c3fcd69004ff029a28858d2fc33049964308ea6f255e56d6329cfd5e6f15d3f76d5b12cec6c4c73463c947bcf0faa822071

  • C:\Users\Admin\AppData\Local\Temp\40633691\wdv.ppt
    Filesize

    635KB

    MD5

    d271c6cc1e107d4812b14b6aca3e8af4

    SHA1

    4f829384cf691c8a257936ca1858a9607ce71fbf

    SHA256

    f9c07a3bf95df9704c38fa941894fc3b0c5b79d862afb47a6b92ef0b3a5ad462

    SHA512

    4925016c1c937a1a2e60fa5db9a976f91e099e4d65f1bc5dc3c8894474c0f0d7ef464016b403d4ecfeca506de4abff7a74de4ef29d3f32f89e134d178ef16753

  • \Users\Admin\AppData\Local\Temp\40633691\epr.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/108-137-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-136-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-126-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-135-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

  • memory/108-132-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-130-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-128-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

  • memory/108-140-0x00000000003A0000-0x00000000003AA000-memory.dmp
    Filesize

    40KB

  • memory/108-141-0x00000000003B0000-0x00000000003CE000-memory.dmp
    Filesize

    120KB

  • memory/108-142-0x00000000003E0000-0x00000000003EA000-memory.dmp
    Filesize

    40KB