General

  • Target

    b0b1d912a753f49aa1ea9f77a62abe76_JaffaCakes118

  • Size

    775KB

  • Sample

    240820-y5s8msvgnr

  • MD5

    b0b1d912a753f49aa1ea9f77a62abe76

  • SHA1

    c45ee6ca535016f3d68e5f2bc843870146a45241

  • SHA256

    bfdf80276b2b7b988a742e3b04b36dcaf35db1d83c386f2e8a862cbccd38b6e6

  • SHA512

    e5f28959119377e64341ff37fac2293e5072b72dc37074df0d4194757f550440254c3cb2f2ecfc128f433fd28a7b06a0347cc7baa37bc501490cfd0629986190

  • SSDEEP

    12288:ZNAX9MTpXjylXikEMnyM3t2UFMmFZ578/7rjcQLK8qxLcVKBarWyqR4Pc:A9c97kbnz3tluSZ578/PnK8kLsKAQ4Pc

Malware Config

Extracted

  • Family

    nanocore

  • Version

    1.2.2.0

  • C2

    yes.dnsabr.com:54984

  • Mutex

    0d98a690-f5c9-413d-9215-84bcef0238ef

Attributes

  • activate_away_mode

    true

  • backup_connection_host

    yes.dnsabr.com

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-02-18T10:20:04.432974736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    YESMA

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0d98a690-f5c9-413d-9215-84bcef0238ef

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    yes.dnsabr.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      DOCS-0439439-45939943-349543-430-PDF.exe

    • Size

      847KB

    • MD5

      30eb668bbc6eae06f6282a6a3d7a1aec

    • SHA1

      2e8e768880d5bf150138f98d2af3d0dab086ce2c

    • SHA256

      32dc7221db0e7b9c6a51eeff7e9d5aab76e9c787c7905c08879b10ec4bfe2968

    • SHA512

      fd5b359bf14dc56f3805bbdcb7c9ebf738fc35eed6d333ebcf263479a59a518ffd729be3d9e14ea92c0923f54db955cf5b9888caeebd9ef31dd354a6e2472b9d

    • SSDEEP

      12288:gYV6MorX7qzuC3QHO9FQVHPF51jgcIhHZV7Ozjr1CqN88wx5gLKnc1Qyqr4pl:/BXu9HGaVHIdZV7Ozn988a5eKco4pl

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Drops startup file

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks