General
-
Target
94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118
-
Size
1.8MB
-
Sample
240604-n21s7sfc5x
-
MD5
94bdf1b1404a90c7563bee8143c37c40
-
SHA1
d00a543f39971f38f24b4fe6c92643cedeba2fa2
-
SHA256
39fdf7cb955de78bb4c9e55ff269fd4dbdf8d5d38d540e2245f87cefb21fb91b
-
SHA512
eaed717fae7552e8701f5d2e5289afe042863f2ed2eaf4f1d29de74185ea414cbea2f1d618f48a06fdb1abf1dec8f837c61ac305e299cbb956ae100ff8fbd164
-
SSDEEP
49152:rRTEexqIGEChCWAO8UK1I6neT4iGmrabygTp:rRTEeVVChCW2UK1IKdugT
Static task
static1
Behavioral task
behavioral1
Sample
94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
nanocore
1.2.2.0
dns.kingspy.info:54984
127.0.0.1:54984
c6b3af3c-732f-423f-ad11-734155201ae2
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-03-12T20:07:17.102579136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
hacce
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c6b3af3c-732f-423f-ad11-734155201ae2
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dns.kingspy.info
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118
-
Size
1.8MB
-
MD5
94bdf1b1404a90c7563bee8143c37c40
-
SHA1
d00a543f39971f38f24b4fe6c92643cedeba2fa2
-
SHA256
39fdf7cb955de78bb4c9e55ff269fd4dbdf8d5d38d540e2245f87cefb21fb91b
-
SHA512
eaed717fae7552e8701f5d2e5289afe042863f2ed2eaf4f1d29de74185ea414cbea2f1d618f48a06fdb1abf1dec8f837c61ac305e299cbb956ae100ff8fbd164
-
SSDEEP
49152:rRTEexqIGEChCWAO8UK1I6neT4iGmrabygTp:rRTEeVVChCW2UK1IKdugT
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-