General
-
Target
b1b23978ae7a18c5f28a09eca0bf8e50_JaffaCakes118
-
Size
316KB
-
Sample
240821-cawjmavapc
-
MD5
b1b23978ae7a18c5f28a09eca0bf8e50
-
SHA1
f28c9c99a8b71521f23a0fd9dd3868da124e849a
-
SHA256
7f8bdee09f7ad19ccf0e02479519ad9ce9a42a2adf1321d0f9c51b21a020e758
-
SHA512
64bf49de51fc88e551576449976a1ff7f2188b89d7b10bf4c19ed2082b87f289f3647b1617e8234a47d48208ecd2182b452c90ea1721142da6b5fb0b8325812c
-
SSDEEP
6144:VCNGkm+LczdMjS+6FoDPYgsgcgHouMiprxZ44Qgth0cNE7b6QJsDGD:0NhrczOjS4DPYgsg7LFtxW7sDGD
Malware Config
Extracted
nanocore
1.2.2.0
adikaremix.linkpc.net:1790
185.140.53.13:1790
9493864b-27d9-4410-9dcc-9a0c4732a1d5
-
activate_away_mode
true
-
backup_connection_host
185.140.53.13
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-21T11:14:38.887176036Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1790
-
default_group
June@@
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9493864b-27d9-4410-9dcc-9a0c4732a1d5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
adikaremix.linkpc.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Mehmood Khan.CV.exe
-
Size
369KB
-
MD5
f98ab1125e0263ed1605f5d9ccd6ccee
-
SHA1
56391f8225064d48438853a4f1c95befed4a6d76
-
SHA256
705d90649c0c2c0fe3c5939d2ec0309c3d0ec89c145b3e7da280e52a2361b588
-
SHA512
b2f7047514f175388846d547e617c4f9c5d20f575e9e2af0b48bc9866fde66054a071cb197a91b696fe267910331c44ece073061f62214e33ac72b4ea2232695
-
SSDEEP
6144:AL/ArCpGcROMjS26FoDPQQsgceHou4iprxJ44Ggdz0UNE7b6Q9cdnhVm:3Cp5RZjSADPQQsg7XTdZW70dnh
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1