General

  • Target

    87649ab3fbcff08a7565780073c5ad72_JaffaCakes118

  • Size

    5.1MB

  • Sample

    240531-r91d7abh51

  • MD5

    87649ab3fbcff08a7565780073c5ad72

  • SHA1

    8c76e6aab15520a1c53df63c755b9412b1aedf4c

  • SHA256

    4edc648c3c801e361a050a6a9325ab8c0755b20d7300712652d0d39cf3a606a2

  • SHA512

    b95764cdc01f4bff2b62874198631879b2ec8370de38f2f45f73e0a75e1fd7ae951900c4117302c6c77338f78e9e8f57cf105b827cc0e1fd75b29c3feef88ecf

  • SSDEEP

    98304:xDWuS0E5HNdaDyEwH0pSuqarR//DXMt5E6ZUs827VE16pT6mUKab/:c508H5u9B/cK6F827ddPUXL

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

174.0.39.108:3630

127.0.0.1:3630

Mutex

c6590fee-559c-4f07-930c-03e097f82346

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-02-07T23:45:22.900084736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3630

  • default_group

    CLIENTS

  • enable_debug_mode

    true

  • gc_threshold

    10485760 (10 MiB)

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760 (10 MiB)

  • mutex

    c6590fee-559c-4f07-930c-03e097f82346

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    174.0.39.108

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    50

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
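The extracted configuration above is a raw field dump. What a responder actually needs from it is the routable C2 socket, the mutex, and the few flags that change how the sample must be handled: it requests elevation, tries to bypass UAC and marks itself critical, while keylogging and run-on-startup are off. Because set_critical_process is true, the running client should be analysed before it is killed; a process flagged critical takes the system down with a bugcheck when terminated. The following Python is an added example, not the sandbox's or the NanoCore project's code. The config dict is constructed from the values on this page, and the Suricata rule format and local SID range are assumptions of the example. It drops the loopback backup host and the public resolvers, which would otherwise pollute a blocklist.

```python
"""Reduce the NanoCore config extracted above to actionable indicators.

Added example for this report, not sandbox or NanoCore code. EXTRACTED_CONFIG
is constructed by hand from the values printed on the page; the Suricata rule
syntax and the local SID range are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed from the "Malware Config" section of this report.
EXTRACTED_CONFIG = {
    "family": "nanocore",
    "version": "1.2.2.0",
    "primary_connection_host": "174.0.39.108",
    "backup_connection_host": "127.0.0.1",
    "connection_port": 3630,
    "mutex": "c6590fee-559c-4f07-930c-03e097f82346",
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "use_custom_dns_server": False,
    "run_on_startup": False,
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "keyboard_logging": False,
}

# Public resolvers that appear in configs as defaults, never as attacker C2.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Config flags worth calling out in a triage note when set to true.
NOTABLE_FLAGS = (
    "bypass_user_account_control",
    "request_elevation",
    "set_critical_process",
    "keyboard_logging",
    "run_on_startup",
)


@dataclass
class Indicators:
    c2_sockets: list = field(default_factory=list)    # "host:port"
    mutexes: list = field(default_factory=list)
    skipped: list = field(default_factory=list)       # (host, reason)
    notable_flags: list = field(default_factory=list)


def classify_host(host: str) -> tuple:
    """Return (actionable, reason). Loopback, non-routable and public-resolver
    addresses are placeholders or defaults, not infrastructure to block."""
    if host in PUBLIC_RESOLVERS:
        return False, "public DNS resolver"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True, "hostname"   # keep domains; resolve them separately
    if addr.is_loopback:
        return False, "loopback"
    if not addr.is_global:
        return False, "non-routable"
    return True, "public IP"


def indicators_from_config(cfg: dict) -> Indicators:
    """Keep only the fields a responder uses from a raw config dump."""
    out = Indicators()
    port = int(cfg["connection_port"])
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        actionable, reason = classify_host(host)
        if actionable:
            out.c2_sockets.append(f"{host}:{port}")
        else:
            out.skipped.append((host, reason))
    # The DNS server fields are inert unless use_custom_dns_server is true,
    # so they are deliberately not turned into indicators here.
    if cfg.get("mutex"):
        out.mutexes.append(cfg["mutex"])
    out.notable_flags = [f for f in NOTABLE_FLAGS if cfg.get(f) is True]
    return out


def suricata_rules(ind: Indicators, family: str, base_sid: int = 1000001) -> list:
    """One outbound rule per C2 socket. SIDs 1000000-1999999 are the usual
    local range; the base value is an assumption of this example."""
    rules = []
    for i, socket in enumerate(ind.c2_sockets):
        host, port = socket.rsplit(":", 1)
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"{family} C2 {socket}"; flow:to_server,established; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    ind = indicators_from_config(EXTRACTED_CONFIG)
    print("C2 sockets:", ind.c2_sockets)
    print("skipped:", ind.skipped)
    print("mutex:", ind.mutexes)
    print("notable flags:", ind.notable_flags)
    for rule in suricata_rules(ind, EXTRACTED_CONFIG["family"]):
        print(rule)
```

Run as-is it yields one socket (174.0.39.108:3630), records 127.0.0.1 as skipped loopback, and lists the three elevation and self-protection flags that are set. The mutex GUID is the host-side indicator: it is the same value whichever C2 the client reaches, so it survives infrastructure changes better than the IP.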

Targets

    • Target

      Cracking tutorial/Kidux Leecher v1.0.1.exe

    • Size

      685KB

    • MD5

      1ff65929b157aa4492c82eca85d832f9

    • SHA1

      d82b6469538f73145b0097cd16b4f2417ab5c899

    • SHA256

      b4b6819a64cdab331bc5229185899597fbc51f0b68c04743a20db4fe942a6407

    • SHA512

      458c43ae0ff5c5fbb213b916bc705beaf997466a452dcc4b39c1589eb067c223182a30054a48fd4ffc16ef95d52d63d394dc3f8d03359045874e0d20d5b632c0

    • SSDEEP

      6144:bvtUyEPh93fQmTZ5dut5chvtUyEPh93fQmT:GTIT

    Score
    1/10
    • Target

      Cracking tutorial/Spotify Checker.exe

    • Size

      5.4MB

    • MD5

      1481c5c586484f3d5247cde3b1cc63a5

    • SHA1

      25ef72d31ac28b95f5709c67e9058d729804ccea

    • SHA256

      d84b13737ed85eec8262144d55f9b913dd6c495173a09b92f4729c0313bdf5bc

    • SHA512

      3ce947a536ef00096376a45bc627c6c4f8b869456ed2e071ed55f1e21e959e52ee4348d60f01e527911bac2ebd2763b6c8edbd1cc431f39cfd39b305cb1ce340

    • SSDEEP

      98304:YAJ+av4amuhNMcNucJu/n/HlxGIiT3MxGg0:nk4mAMcP4/hIw

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      Kidux Proxy Scraper v1.0.1.exe

    • Size

      3.6MB

    • MD5

      2d1e1d99099fddf9f1ba1f30d7ff5922

    • SHA1

      51ce6348bb301aa4e701948e65576fe84136bf28

    • SHA256

      1b01f6bc2ba4416668ed6c1d2d7bbdcdf1b2b40dd16658a2d3f16cdba6c23b71

    • SHA512

      7853d7b8cfc848652dfa52929feccb11cdc97f434884eefc28b11c2666bb45b1d654050b1487d6488c5a9329e550caa0f947dd02d0b9c832a396aafeba72e8c0

    • SSDEEP

      98304:cviz/27qWGq/TzuqCDl2Ptao7jPqHtr105:cviq75/Tzuf8CL05

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13; number in parentheses is the count reported for each technique)

Persistence

  • T1547 Boot or Logon Autostart Execution (2)

  • T1547.001 Registry Run Keys / Startup Folder (2)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (2)

  • T1547.001 Registry Run Keys / Startup Folder (2)

Defense Evasion

  • T1112 Modify Registry (2)

Discovery

  • T1012 Query Registry (2)

  • T1082 System Information Discovery (5)

Tasks