General

  • Target

    09e2e1a6fed75bce3684e7fb237e5818_JaffaCakes118

  • Size

    2.4MB

  • Sample

    241002-kw9blsxfpn

  • MD5

    09e2e1a6fed75bce3684e7fb237e5818

  • SHA1

    3d3456b92a86cf69ea5a691911d9d5a611c00db8

  • SHA256

    f21cfffd24512c2d3d799d7ad57ada42770586dd7ece54d9314aa0a2175af856

  • SHA512

    d32a319e55e1e3db4a8ca14a17385403b2b05d5e49a2f6b576e4e66bd07f7025304f2794dc5de0943b57c338051a8671fa51046f72db9403486ca458d548e805

  • SSDEEP

    49152:JCdW+NIRVRT111findksB10gI5h0kRKZg19awdDWNMQr5VmY2NQn8G7mKWteskA:JWtIxT11cGsBYFKm10wZWNKtVcmKikA

Malware Config

Extracted

  • Family

    nanocore

  • Version

    1.2.2.0

  • C2

    185.244.29.216:4050

  • Mutex

    176627fc-9b6d-4f0a-ab26-654a31d03cfd

Attributes

  • activate_away_mode

    true

  • backup_connection_host

    185.244.29.216

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-02-15T10:38:24.409596736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    4050

  • default_group

    baby new

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    176627fc-9b6d-4f0a-ab26-654a31d03cfd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
