10Rekt/Rekt/...LS.rtf
windows7-x64
4Rekt/Rekt/...LS.rtf
windows10-2004-x64
1Rekt/Rekt/...ol.exe
windows7-x64
3Rekt/Rekt/...ol.exe
windows10-2004-x64
3Rekt/Rekt/...33.exe
windows7-x64
10Rekt/Rekt/...33.exe
windows10-2004-x64
10Rekt/Rekt/JRPC.dll
windows7-x64
3Rekt/Rekt/JRPC.dll
windows10-2004-x64
3Rekt/Rekt/...rk.dll
windows7-x64
1Rekt/Rekt/...rk.dll
windows10-2004-x64
1Rekt/Rekt/Nipples.dll
windows7-x64
3Rekt/Rekt/Nipples.dll
windows10-2004-x64
3Rekt/Rekt/...ss.exe
windows7-x64
10Rekt/Rekt/...ss.exe
windows10-2004-x64
10Rekt/Rekt/xdevkit.dll
windows7-x64
1Rekt/Rekt/xdevkit.dll
windows10-2004-x64
General
-
Target
f0dfe6865f1a78a0aa9322ad5f44aa38_JaffaCakes118
-
Size
10.2MB
-
Sample
240921-3yxpps1fqk
-
MD5
f0dfe6865f1a78a0aa9322ad5f44aa38
-
SHA1
2f46d15bac4377fa0eb80ae808890b682a0bc5f2
-
SHA256
50d9e490042d226bfaeef0b39c7903d4e166803fd743f6e6a7a6c2aaadfd933c
-
SHA512
9f40c9abd1e01ca9ed49679fbfdd340b3f36e7eb470ba489882f73bfa4ac7a0fc359d1b3641079b75e18ac4a1b17fd974361fd842c19694688c58b63ea978b4b
-
SSDEEP
196608:bxKVueahTl5JzepP4sd/Pa8mxOjvtV/eU9GU9eCLs+S939fH1DcV:lKVW1lHzgXPadovtV/egRpY7fH1DcV
Behavioral task
behavioral1
Sample
Rekt/Rekt/#REKTEDTOOLS.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Rekt/Rekt/#REKTEDTOOLS.rtf
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Rekt/Rekt/#RektedToolsMultiGameTool.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Rekt/Rekt/#RektedToolsMultiGameTool.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Rekt/Rekt/33333333333.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Rekt/Rekt/33333333333.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Rekt/Rekt/JRPC.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Rekt/Rekt/JRPC.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Rekt/Rekt/MetroFramework.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Rekt/Rekt/MetroFramework.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Rekt/Rekt/Nipples.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Rekt/Rekt/Nipples.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Rekt/Rekt/UpdaterBypass.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
Rekt/Rekt/UpdaterBypass.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Rekt/Rekt/xdevkit.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Rekt/Rekt/xdevkit.dll
Resource
win10v2004-20240802-en
Malware Config
Extracted
Family: NanoCore
Version: 1.2.2.0
Primary C2: XeKush32.chickenkiller.com:63072 (the actionable network IOC — block/monitor this FQDN and the DNS lookup for it)
Backup C2: 127.0.0.1:63072 (loopback; not a usable external indicator)
Mutex / client ID: 9a386a9b-a46f-49c4-91d6-d82c1b252ecb (usable as a host-based IOC)
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-04-05T08:02:20.893902836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(empty)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
63072
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9a386a9b-a46f-49c4-91d6-d82c1b252ecb
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
XeKush32.chickenkiller.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true (NOTE: a process flagged as critical typically brings the system down when it is terminated; if this flag is honored, isolate the host and capture memory before killing the process during triage)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
Family: njRAT
Version: 0.7d
Campaign / bot identifier: HacKed
C2: godsechf.chickenkiller.com:5556 (block/monitor this FQDN)
Client ID: e197faddd5376f8214ee6bd8f0245c39 (also used as the persistence registry key name — see reg_key below)
-
reg_key
e197faddd5376f8214ee6bd8f0245c39
-
splitter
|'|'|
Targets
-
-
Target
Rekt/Rekt/#REKTEDTOOLS.rtf
-
Size
380B
-
MD5
af0f37810662aede69ed48519d86a4e9
-
SHA1
15a96807a74bcbc172549b3a16046fd306bf94d3
-
SHA256
dc9a8a2225208c975624c6bcd22128a8f3b933fa45958b3a287003d46d27affa
-
SHA512
c23da05bf64bd45c79fb240534a55e138790d4e1426d0748648833102a35084f7410b3a43854595d1bc728cc78f83a9aa7e69bf366aed1f981fbbfe2080e293f
Score 4/10
-
-
Target
Rekt/Rekt/#RektedToolsMultiGameTool.exe
-
Size
5.6MB
-
MD5
5f550a12065b23d985fec1f32c6f78a2
-
SHA1
2092caac12f23081a89d6aed70722606ab32fcee
-
SHA256
6692e62af43ebdba8e2fa35aa2a4bb0faf43658a1ba6892d6afd7a7d9ac550ba
-
SHA512
93cd04a3b1fcb44b1fda84a0dc87049ce4d57df1876754bb968cd18ba36264da97b0c2e7bc19969d4dd5c28a578f9f65086b9e844d53c6f591f5632af07c15f5
-
SSDEEP
98304:1z14DaUCyCWUartDr8Jmk4mUJF24dl8asICU/pw7r+UNgDHmsE2V02S4h:r4fwert/3JmscksINK7r+U6zmTu
Score 3/10
-
-
Target
Rekt/Rekt/33333333333.exe
-
Size
5.6MB
-
MD5
054bf72f469f8ab9aa22bbd0ad61921a
-
SHA1
e676cc65e9610c628cbd3a542f5f4c6e58132146
-
SHA256
bbd286a15e181385091572031936857e40217bfc8e0e0ae1ca9f5ac8aa2614e8
-
SHA512
1b735b8a2b00efb816249ba83c9d1f6d63423e21ff32310eab6b7351da99324c659646166e21636305e2509dc3be2813c1c4329e05d4b26bdbb5d5965c1b1e7b
-
SSDEEP
98304:Jz14DaUCyCWUartDr8Jmk4mUJF24dl8asICU/pw7r+UNgDHmsE2V02S4h:H4fwert/3JmscksINK7r+U6zmTu
Note: this fuzzy hash is a near-exact match for Rekt/Rekt/#RektedToolsMultiGameTool.exe (same 5.6MB size, differing only in the leading characters). Treat the two as variants of the same build; the lower score on the other file may reflect that it did not trigger its payload in the sandbox rather than that it is clean.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
Rekt/Rekt/JRPC.dll
-
Size
26KB
-
MD5
3141fa33649b9579a7eec662e917ac3f
-
SHA1
7f2e836d2a3fd9adf5958cbdd22103139598551b
-
SHA256
911366a82f457e2a65e1bebd6eafde9ce561b33555aa54e0844d2adb27f69662
-
SHA512
71f717c66bf5172797dbfc476e89325a875e715c1d2dc428eb6c31bfd610b953ac9b9aaea8019057163750e8a760adeeb5fb67292562e5a39cba4cef5a257ea9
-
SSDEEP
384:ey+EX+XyDf3pnyonEI05dYkCTex+t9jOyDCSbtVpF1JoAMr5w+:ey+er3y5pqCC1EAS
Score 3/10
-
-
Target
Rekt/Rekt/MetroFramework.dll
-
Size
133KB
-
MD5
a3a380676711eac89f67e0043c21b5d6
-
SHA1
587c765dc3ca8d3ea2fa55b9f227cef284287522
-
SHA256
c23cdacb0de78c5c6e8a1dde085cca1bf8261d3b90dac39379a4ac4518d212d1
-
SHA512
98a8a6741fce19d7817e412d0d2fbe772d8fbda527a3f3a56ddce8dec0bcd23c6e0755402ad816af089f50fdd7b33bd8d834f3af6beb85dbff53830b5c130697
-
SSDEEP
1536:evymZ39Uy6/ZDJALk8TWPdQNqUkkNZ8TS3SAqAxi0P77jRnZcHe+YNb:wJ/D6/lJAL4kqUZNMS371xi0DRFtb
Score 1/10
-
-
Target
Rekt/Rekt/Nipples.dll
-
Size
648KB
-
MD5
4b10bfc6d44c4d40c42d079de2966e2c
-
SHA1
f16c9ef35bfeef1d6f0fa0c666f543c422021d7f
-
SHA256
6ea0b84c815e9bd6ba422e503dd5d9bb91ec404390049cb9abe2052033cab3d2
-
SHA512
b8b956fc12006fb744f506553371b018df04b6213b182bfb3862159e8a233417036cefdf9b75510c52b65d9c23261af7c2ca9ec27e1ae9bdf8f4c1a2ac5fff8c
-
SSDEEP
12288:p3f6/Um0ka+ekLBzy8KIs9ymF30lpcTARKYnJ04an93W0wBI5ggk:p3sUnWBzy85s9K/cTARznG9m02gk
Score 3/10
-
-
Target
Rekt/Rekt/UpdaterBypass.exe
-
Size
272KB
-
MD5
466b0d1009bfef71e27740092bc4c286
-
SHA1
66754e3aaf8128a790f9ddebf9f6830fc0db24cd
-
SHA256
0af94596f1f3bfb0b3b1d61bf7bedf28347254e5e5e1e8a07110f26e07f8b3cc
-
SHA512
86ec2fe6ac85a83572753ddb0ed93bdfe1e81b3c955476b3e9a54345b1cc3ab1c3f86f18a61cc7e6ecb8774e07b69f7dcf754afb5e8e23ad17409cde529258d2
-
SSDEEP
6144:iMhANGQqRGT1HPRPAeZID3ziZSzlGYnC939:hhANyg1HdAeZIviZSzlG6
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext (commonly seen when a sample injects code into a suspended child process, e.g. process hollowing; the injected target is not shown here, so check the process tree for the child this sample spawned)
-
-
-
Target
Rekt/Rekt/xdevkit.dll
-
Size
48KB
-
MD5
406d89939b61884e9e7741a6d39f1df7
-
SHA1
1ac1e990854d863c90f934f188f60febbc144125
-
SHA256
2d3e3df51bccb07ecae7a33f1beb4bf8029d7f7acd92d5383b925ce5a201cb56
-
SHA512
e03c0fab1691f0af86f86df21b27b0a8ba21b5fe168bbef69c1363132ada2e703995a6cd198a0deaa9bae178aa847a776c9fd602728a54c993dde5dc14ae3ab6
-
SSDEEP
768:CQG2KXjMSlsQaBrknnz3tVXoxrnnFMe9m/s3DWdOl/VJ:CQGljsQaBInz3tVXI34nW
Score 1/10
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process: Windows Service (T1543.003) — 1
- Event Triggered Execution: Netsh Helper DLL (T1546.007) — 1
Privilege Escalation
- Create or Modify System Process: Windows Service (T1543.003) — 1
- Event Triggered Execution: Netsh Helper DLL (T1546.007) — 1