General
-
Target
b68c8cf4bc68a9f68fd47c9e94cfebb8_JaffaCakes118
-
Size
303KB
-
Sample
240617-d2e7dssbpe
-
MD5
b68c8cf4bc68a9f68fd47c9e94cfebb8
-
SHA1
1faa3f2b2f2f731108eec475e3f9a4e10821f03d
-
SHA256
d4810df62c42b3e525e4662fba9b4fe9d1916bc88087bf8ded45a00ea02680f9
-
SHA512
98290eefc1bfc3c5eed124dba39c0e55898c0b9574e672a76f5f8347a37d25fb3f5f0e6adfc61b0701e54734e35e01121c37b785b77c9303361a7e76a963f2db
-
SSDEEP
6144:4YlpFjGJk95WMLFWVRRsgpHxKPw+QreiGdPVbSIcn:R7xG6Tjgpscr9Ge
Static task
static1
Behavioral task
behavioral1
Sample
invoice.exe
Resource
win7-20240221-en
Malware Config
Extracted
nanocore
1.2.2.0
kskent.dynu.net:333
127.0.0.1:333 (loopback placeholder from the builder's backup_connection_host field — not a reachable C2; the only actionable network indicator here is kskent.dynu.net:333)
4d94aa95-8442-4268-a4c7-1d0109c44f55
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-02-24T03:50:49.960434136Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(no value extracted)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
333
-
default_group
2020
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4d94aa95-8442-4268-a4c7-1d0109c44f55
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
kskent.dynu.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
invoice.exe
-
Size
427KB
-
MD5
c9521986c45818165a3344c4ad821d17
-
SHA1
59360e8cda98f594c57dbec84484ef3c7a953dd9
-
SHA256
a68d6f1f8eac6e726187af10e2c6a7372696792cfd1b73eecbe4b77a874590a7
-
SHA512
da06e36625034650f93500c874c77f7d3ffa66a7d3043c01daeea74b04f5219561b43de5fb563dbd72165726e325b86f5a985a1ecbb7823766f7ffb61d13beef
-
SSDEEP
6144:Vs6sCfPRYwK+8sl7gNLmn8FY90SMjFWVLlIgMHxuPw+Qr8iGdPVbpqH:FPRYw0mgNLm8GezgM0cr/Go
-
Checks computer location settings
Looks up the country code configured in the registry — likely used as a geofence, i.e. execution gated on the victim machine's locale.
-
Suspicious use of SetThreadContext (an API commonly used for process-hollowing / thread-hijack injection; this report only records the call, it does not confirm that injection occurred)
-