General
-
Target
cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118
-
Size
1.7MB
-
Sample
240830-v2df8swhrm
-
MD5
cb4fab4e71dd1b69d127da402f1fc6e0
-
SHA1
cafdcc17f25f5c3be6bf78f87741708d553ff3c8
-
SHA256
3b52e2715d15a2e959d559fe820e7f71ddf1307f1bf4a52da683097a759ef319
-
SHA512
eb679dd222d56bf39f2d22d5be259283c43d6492eaf8f07f4d8332e572ee4a9702e9aa459d083c6a461eb90a3a218f04b2521857eb24493e2bc84de2833f88c9
-
SSDEEP
24576:BLXXgOM61tPSgPCGoQqS5haQnI/C+wH7cT:BLN1tPS/GoZS82H7i
Malware Config
Extracted
nanocore
1.2.2.0
blackhill.ddns.net:54984
185.125.205.75:54984
c7192853-3ef1-495d-8d9e-aa7345c98e7f
-
activate_away_mode
true
-
backup_connection_host
185.125.205.75
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-07-28T15:08:16.000917836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
Lord
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c7192853-3ef1-495d-8d9e-aa7345c98e7f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
blackhill.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118
-
Size
1.7MB
-
MD5
cb4fab4e71dd1b69d127da402f1fc6e0
-
SHA1
cafdcc17f25f5c3be6bf78f87741708d553ff3c8
-
SHA256
3b52e2715d15a2e959d559fe820e7f71ddf1307f1bf4a52da683097a759ef319
-
SHA512
eb679dd222d56bf39f2d22d5be259283c43d6492eaf8f07f4d8332e572ee4a9702e9aa459d083c6a461eb90a3a218f04b2521857eb24493e2bc84de2833f88c9
-
SSDEEP
24576:BLXXgOM61tPSgPCGoQqS5haQnI/C+wH7cT:BLN1tPS/GoZS82H7i
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Neshta payload
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1