General
-
Target
8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118
-
Size
2.2MB
-
Sample
240602-f254xscd3s
-
MD5
8d049a60a5d45859ef538f4ffd8f5a63
-
SHA1
24e38f415f188dbcd8565eb2f2ea04cd5543e3bb
-
SHA256
2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e
-
SHA512
3023dfba4e816bb3fa2707db8f588b7e92d08f70d750234d5c719c9046f027ada5c94fa490b84911e874fc4061b60616c61281d7f2907ed76e716ac6cb891900
-
SSDEEP
49152:zNfdKKoEuMIc/D8MTfVr68c9hGo6v1EMc:zNfdKsnI4dPYn6v1E
Static task
static1
Behavioral task
behavioral1
Sample
8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
nanocore
1.2.2.0
gamercore.exilionps.com:5604
127.0.0.1:5604
436cdb80-4f2d-4ccc-b631-8fd76c11acd4
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-12-30T20:18:56.661488536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3000
-
connection_port
5604
-
default_group
RektEm
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
436cdb80-4f2d-4ccc-b631-8fd76c11acd4
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
gamercore.exilionps.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118
-
Size
2.2MB
-
MD5
8d049a60a5d45859ef538f4ffd8f5a63
-
SHA1
24e38f415f188dbcd8565eb2f2ea04cd5543e3bb
-
SHA256
2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e
-
SHA512
3023dfba4e816bb3fa2707db8f588b7e92d08f70d750234d5c719c9046f027ada5c94fa490b84911e874fc4061b60616c61281d7f2907ed76e716ac6cb891900
-
SSDEEP
49152:zNfdKKoEuMIc/D8MTfVr68c9hGo6v1EMc:zNfdKsnI4dPYn6v1E
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1