General
-
Target
90b5267e66528dc92aa5165e3fa032ca_JaffaCakes118
-
Size
839KB
-
Sample
240603-gbf8jsdd4t
-
MD5
90b5267e66528dc92aa5165e3fa032ca
-
SHA1
d83390083b2048a93a64d79b9869bcdff6e8f6cd
-
SHA256
7394ee8ddb65ac8259b13576834fc9976c839f11eb1e13c05d8f2c145d04cd85
-
SHA512
34c1ee7a928c3cd2171d6c088944ee37d41156acb045d316f5b966f826a9f6a35f51d606ce832d882f1d78f85149692077460455eeff9ced06907b587383f2aa
-
SSDEEP
12288:aNgGkjCP+z8cA8mrCXip2q3p7srGAbsk8rr3fmndjYe7+br13f3VxN4Jxk8RMp:aNIQ+zlGCXiCrPs3mdRKbB3VxN4fpRMp
Static task
static1
Behavioral task
behavioral1
Sample
BILL OF LOADING/BILL OF LOADING.exe
Resource
win7-20240508-en
Malware Config
Extracted
nanocore
1.2.2.0
leosmart.zapto.org:3365
212.7.218.52:3365
5eddd847-a776-47e0-824c-cf94d3e848d6
-
activate_away_mode
true
-
backup_connection_host
212.7.218.52
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2017-12-05T04:53:06.594023236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3365
-
default_group
cash out
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5eddd847-a776-47e0-824c-cf94d3e848d6
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
leosmart.zapto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
BILL OF LOADING/BILL OF LOADING.exe
-
Size
906KB
-
MD5
63b7c9c97cb399ef233ce10e83b65663
-
SHA1
85e539468312c87fc6daed7164f246e5fa638f20
-
SHA256
feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0
-
SHA512
137d2579c257ee22e7416fad42dcbb2e24c20a6a2ea9079a58bf7f8d30ab6203837646e74b24142bf015f806f26de5522edb40255fd4b479f9ba6e8b9dcd7fa2
-
SSDEEP
24576:f2O/GlPO2+Bl8CXU+b+lwmxhKbH3w1GthA0E:Bz8t+alwmxUT3zg0E
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-