General
Target: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118
Size: 17.0MB
Sample: 241009-fsqmwa1dnl
MD5: 2b66ca254c7c9100343699af457f9d81
SHA1: 36a13e65f57b4ed2f515e752f7ab29b68aa341c7
SHA256: 1fd3e2f6d6e9166cba0086664635f86ba4b4aaf1277a853cf718f6f24d672d6d
SHA512: 4ad6155146eecfcc5f2638772444056ed2c7ebd6867711be66cab87c3156820ce1bb179b96762ae2db3bb98fca16c0daab5e5dc9da294cb3963cd2ba3151ec85
SSDEEP: 393216:UHNOPJo4+k2Br1BMgUD6okK/o4CgMi4GZfT2qZV5:UtOdB2B0gmNkK/Zv4GZPV
Static task: static1
Behavioral task: behavioral1
Sample: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config

Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
- http://klkjwre77638dfqwieuoi888.info/

Extracted: nanocore
Version: 1.2.2.0
Connection host:port: hitexe.endofinternet.net:33045
Mutex: f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
Configuration:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-12-29T23:08:57.329436536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 33045
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: hitexe.endofinternet.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
Target: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence:
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation:
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion:
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)