Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-09-2024 02:58
General
-
Target
fdaad4eb64eccc6953ff1ce550eae36f_JaffaCakes118.exe
-
Size
536KB
-
MD5
fdaad4eb64eccc6953ff1ce550eae36f
-
SHA1
35992f8c51d54da131a04824faaac9c76e916943
-
SHA256
01ab9c62c600b245f23843974f3c51494e52dedc6147385e968dd9da85a8fee0
-
SHA512
2dd5d39c2b9fc0641df1b9dae1ac80f0429162b649f0661f9056f2a0c7a47b7c336f42ca56111a4165a0f5e1fc573bffb02a6160a380e4280052601fde907c6c
-
SSDEEP
12288:aox8a9XqSYVr9N4VGLLOwwfghkNANPuMVfJ3bfguQ:0s50M2OkWShBg
Malware Config
Extracted
nanocore
1.2.2.0
ghostcum.ddns.net:4040
5bbc7391-512a-4cae-9589-1734252a7b7d
-
activate_away_mode
true
-
backup_connection_host
ghostcum.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-07-02T10:14:45.673398236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4040
-
default_group
EUROS
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5bbc7391-512a-4cae-9589-1734252a7b7d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
ghostcum.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdaad4eb64eccc6953ff1ce550eae36f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fdaad4eb64eccc6953ff1ce550eae36f_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
244KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB