General
-
Target
fc1b0dfab0dc3819b458ef5022a6f195_JaffaCakes118
-
Size
2.0MB
-
Sample
240928-mkghkatbrb
-
MD5
fc1b0dfab0dc3819b458ef5022a6f195
-
SHA1
023bcdb8082d3b1c98841632218658e1928268b8
-
SHA256
2f4e3f50a4a6bc5b4317b85031dc3365fd57feb2a4a9f9fbf9539b716f0c958a
-
SHA512
c6bb854f8ef6358192ee1af2bb4af9715a58556c43e8ee5921f1dddb264094728047092eabe78a06e1b0eb0fb798dec563aad84f2e619a1c52f6e3d8547f4961
-
SSDEEP
49152:ZmsyuZ/4z4s0+4QcnJJ2Z5nk8l/f02vA9bbSj4N50MX7wKsuKgR7:Zpysps0+q2Z5nk8tNab04Nl7wKslI
Behavioral task
behavioral1
Sample
Red Zone's Proxy Generator/Design/MaterialDesignColors.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Red Zone's Proxy Generator/Design/MaterialDesignColors.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Red Zone's Proxy Generator/Design/MaterialDesignThemes.Wpf.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Red Zone's Proxy Generator/Design/MaterialDesignThemes.Wpf.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Red Zone's Proxy Generator/Leaf.xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Red Zone's Proxy Generator/Leaf.xNet.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Red Zone's Proxy Generator/Newtonsoft.Json.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Red Zone's Proxy Generator/Newtonsoft.Json.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Red Zone's Proxy Generator/Red Zone's Proxy Generator.exe
Resource
win7-20240903-en
Malware Config
Extracted
nanocore (family)
1.2.2.0 (version)
flashgen.ddns.net:54984 (primary_connection_host:connection_port)
127.0.0.1:54984 (backup_connection_host:connection_port)
312410cb-0e7d-40c6-9d4f-bb0a9736a976 (mutex)
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-05-08T16:35:34.725233836Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
1000
-
connection_port
54984
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (10485760)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (10485760)
-
mutex
312410cb-0e7d-40c6-9d4f-bb0a9736a976
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
flashgen.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Red Zone's Proxy Generator/Design/MaterialDesignColors.dll
-
Size
223KB
-
MD5
2d078609c19884b327188318739527bc
-
SHA1
9d55d36f1e483853924422d59419700eb809a1dc
-
SHA256
8226b774a4e4ec60cb84c1e4f59d744c288194d86ae161f8c4183e73efe64b8d
-
SHA512
feb391b175e41662c517496bad74bfe8d3021b096d03e4e2f0ea972772eb6a44cee509a5837f706e50529c440330bc863c1bf1abb675091e6405dc886bfc678d
-
SSDEEP
768:y7hDFQcm9tgo6cMTmBvuayPCfJrJrl/jamRPHPxm2AxpH75APja3l3FNfl19YBjI:y7Zic6tnMTmBvuaU6sH
Score: 1/10
-
-
Target
Red Zone's Proxy Generator/Design/MaterialDesignThemes.Wpf.dll
-
Size
5.3MB
-
MD5
b6ef5eaa3d0b5a1e658d7f8f7d9c0472
-
SHA1
c50825933cbe463c5574c7786b2ba9e07aca465d
-
SHA256
e4fc9b407067033354c3ebe4e1086ea5c878684ccc263589913071174efcbf7a
-
SHA512
52f03ce331fb28f29ff1a41001cab9228b381696cf9317e7ad375990fa0aff6aafcc4a9d33871b9472b474e995494033ec5216fc021fe86827746dbee6cffb7d
-
SSDEEP
98304:0iJmXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCR2ft:0QwnJ45/9iD54+V11bFv4zqGG+AY+C1
Score: 1/10
-
-
Target
Red Zone's Proxy Generator/Leaf.xNet.dll
-
Size
112KB
-
MD5
3e6e381e6f5eee0c6ff318c867445b5c
-
SHA1
985db2157f5b8c71ce52cc61cb7d720c9b31a14d
-
SHA256
f0a8d81da3c3b9eace2df44a155604722915c2b414bb00201158d0d40e30cc9b
-
SHA512
e70ddae37b01959dff344007b196c007650b56b7d494caea2d1babddfbb997c93f470bd9123fecdf342a128d4db39318fdedc036046032a59c72bed5bc98252f
-
SSDEEP
1536:I8ImNuJfLnCgkrpABjFvMT/rkNs7rT6yk2PrtYSek/f165cJBvr/vgl:I8ksKvMTV7rT6yzthek/f165+ZrAl
Score: 1/10
-
-
Target
Red Zone's Proxy Generator/Newtonsoft.Json.dll
-
Size
659KB
-
MD5
d827dd8a8c4b2a2cfa23c7f90f3cce95
-
SHA1
26c78dad612aff904f216f19f49089f84cc77eb8
-
SHA256
b66749b81e1489fcd8d754b2ad39ebe0db681344e392a3f49dc9235643bdbd06
-
SHA512
9ce24c4497fe614b78b3f2f985cafb817d52f21d090aa23fd87f1a3478135abe95e0abe3557dd3f12a5b3f4c9a09e8337169988314c12c51b4951317e0569787
-
SSDEEP
12288:4uLQZbq16LMLq42433d25X8STJmMRv0niBXh8KOBAj0W:4z/LMLq42t5X8STJmMRv0nQHOBAjx
Score: 1/10
-
-
Target
Red Zone's Proxy Generator/Red Zone's Proxy Generator.exe
-
Size
242KB
-
MD5
82d5d5ce76665e103aa71b07cdfe6303
-
SHA1
2ae80c6398c41a3e260f7bfaad79de7974fe9251
-
SHA256
61edc1adee16976a1b8e6e07c8ab7584bdbc5f876158dca0482489d1d5d26271
-
SHA512
792f9f0a477391e0a6e1357fbddf874bc1b90cd700cbb8539d8e8a18ba7fb904e16f9f42f0ac47ca5608d3d54faa42c3bd446f2720d531039f088cb86b11f870
-
SSDEEP
6144:pLV6Bta6dtJmakIM5stADSOY8GL+1WUQ52F+/8Ej4e9:pLV6Btpmk5u2EGLUcQsEEj4A
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)