Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 08:28

General

  • Target

    2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe

  • Size

    455KB

  • MD5

    2dea383222c2f6c5cf3d59e3835f5596

  • SHA1

    528fa6cc47f0d35e795a96fe7b155845e9f3a2dd

  • SHA256

    52946c1de0c9b20d391c82fa46051ed332cff66c1110f4e68ad5de2e85ee3a33

  • SHA512

    dd567617a71ab048aacd8920080aa6f7f3a3e5d5ff09c1a5ceb5b11d689bedcf2408254715294befb88a52e5f6513e5aa095ce6347e244a72d7aa3d85863b909

  • SSDEEP

    6144:Zhj43S0fyovQFfN4YP9Buod3ZuuzQdhfWa+b2xnHeANm17iZoigy:ZhjefQF15BdFkH+6SeoHy

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bedlinezone.dynu.net:9091

tourismes2.ddns.net:9091

Mutex

c489d320-311b-429a-b5a8-dc76eb34ed45

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    tourismes2.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-08-18T06:30:26.742368936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9091

  • default_group

    bedlinezone

  • enable_debug_mode

    true

  • gc_threshold

    10485760 (10 MiB)

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760 (10 MiB)

  • mutex

    c489d320-311b-429a-b5a8-dc76eb34ed45

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    bedlinezone.dynu.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
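
The extracted configuration above is the most reliable material on this page, since the sandbox run itself never reached the C2 hosts. The following is an added example (not part of the sandbox's tooling or the sample) that turns those values into hunting artifacts: the C2 domains, port and mutex as an IoC set, the capability flags a responder must plan around, Suricata rules for the domains and port, and a matcher run over constructed log lines. CONFIG is copied from the Malware Config section; the key=value log format, the host names WS01/WS02, the TEST-NET address 203.0.113.10 and the SID range starting at 9000000 are assumptions for the example.

```python
"""Turn the NanoCore configuration extracted above into hunting material.

Added example for this report; it is not part of the sandbox's own tooling.
CONFIG is copied from the Malware Config section. The log lines are
constructed (the sandbox itself saw only loopback traffic), the log format
is an assumed key=value layout, and the Suricata SID range is assumed.
"""
import json
import re

# Copied from the Malware Config section of this report.
CONFIG = {
    "family": "nanocore",
    "version": "1.2.2.0",
    "primary_connection_host": "bedlinezone.dynu.net",
    "backup_connection_host": "tourismes2.ddns.net",
    "connection_port": 9091,
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "mutex": "c489d320-311b-429a-b5a8-dc76eb34ed45",
    "run_on_startup": True,
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "clear_access_control": True,
    "keyboard_logging": False,
}

# Config flags that change how a responder should handle a live infection.
RISKY_FLAGS = {
    "run_on_startup": "expect an autostart entry (the Run key seen in Signatures)",
    "bypass_user_account_control": "may already be elevated without a UAC prompt",
    "request_elevation": "prompts for elevation if the bypass fails",
    "set_critical_process": "killing the process can crash the host; suspend it first",
    "clear_access_control": "may alter ACLs on its own files to resist deletion",
    "keyboard_logging": "typed credentials must be treated as compromised",
}


def extract_iocs(cfg):
    """Collect the network and host indicators a hunt team needs."""
    dns = [cfg["primary_dns_server"], cfg["backup_dns_server"]]
    return {
        "domains": [cfg["primary_connection_host"], cfg["backup_connection_host"]],
        "port": cfg["connection_port"],
        "mutex": cfg["mutex"],
        # Only meaningful when the implant is told to bypass the system resolver.
        "dns_servers": dns if cfg["use_custom_dns_server"] else [],
        "capabilities": {k: v for k, v in RISKY_FLAGS.items() if cfg.get(k)},
    }


def suricata_rules(iocs, base_sid=9000000):
    """Emit Suricata rules for the C2 domains and port (SID range assumed)."""
    rules, sid = [], base_sid
    for d in iocs["domains"]:
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"NanoCore C2 DNS query {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; sid:{sid}; rev:1;)'
        )
        sid += 1
    # Port-only rule: noisy on its own, pair it with the DNS hits before acting.
    rules.append(
        f'alert tcp $HOME_NET any -> $EXTERNAL_NET {iocs["port"]} '
        f'(msg:"NanoCore C2 port {iocs["port"]}"; flow:to_server,established; sid:{sid}; rev:1;)'
    )
    return rules


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, iocs):
    """Return (host, pid, kind, value) for log lines touching the C2 IoCs."""
    domains = {d.lower() for d in iocs["domains"]}
    hits = []
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        query = f.get("query", "").lower().rstrip(".")  # tolerate a trailing dot
        if query in domains or any(query.endswith("." + d) for d in domains):
            hits.append((f["host"], f["pid"], "dns", query))
        elif f.get("dport") == str(iocs["port"]) and not f.get("dst", "").startswith("127."):
            hits.append((f["host"], f["pid"], "tcp", f["dst"]))
    return hits


# Constructed log lines in an assumed key=value format; 203.0.113.10 is a TEST-NET address.
SAMPLE_LOGS = [
    "ts=2024-10-09T08:29:01Z host=WS01 pid=2736 image=2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe event=DnsQuery query=bedlinezone.dynu.net",
    "ts=2024-10-09T08:29:02Z host=WS01 pid=2736 image=2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe event=NetConnect dst=127.0.0.1 dport=9033",
    "ts=2024-10-09T08:29:06Z host=WS01 pid=2736 image=2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe event=NetConnect dst=203.0.113.10 dport=9091",
    "ts=2024-10-09T08:30:00Z host=WS02 pid=1200 image=chrome.exe event=DnsQuery query=example.com",
    "ts=2024-10-09T08:30:12Z host=WS02 pid=2200 image=svchost.exe event=DnsQuery query=tourismes2.ddns.net.",
]

if __name__ == "__main__":
    iocs = extract_iocs(CONFIG)
    print(json.dumps(iocs, indent=2))
    print("\n".join(suricata_rules(iocs)))
    for hit in match_logs(SAMPLE_LOGS, iocs):
        print("HIT", hit)
```

Two points worth noting when using this: use_custom_dns_server is false in this build, so the 8.8.8.8/8.8.4.4 entries are inert and are deliberately left out of the IoC set; and set_critical_process is true, so an EDR kill action on PID-style matches should suspend the process (or clear the critical flag) before terminating it rather than killing it outright.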

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe"
    PID:2736
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery

Network

  • 127.0.0.1:9033
    2dea383222c2f6c5cf3d59e3835f5596_JaffaCakes118.exe
    (30 identical connections from the sample to this loopback port were recorded; no other network results were found. Traffic to the configured C2 hosts bedlinezone.dynu.net and tourismes2.ddns.net on port 9091 does not appear in the capture, so the domain and port indicators for this sample come from the extracted configuration rather than from observed beaconing.)

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2736-0-0x000000007481E000-0x000000007481F000-memory.dmp

    Filesize

    4KB

  • memory/2736-1-0x00000000008F0000-0x0000000000968000-memory.dmp

    Filesize

    480KB

  • memory/2736-2-0x0000000000570000-0x00000000005B0000-memory.dmp

    Filesize

    256KB

  • memory/2736-3-0x0000000074810000-0x0000000074EFE000-memory.dmp

    Filesize

    6.9MB

  • memory/2736-4-0x0000000001F00000-0x0000000001F3E000-memory.dmp

    Filesize

    248KB

  • memory/2736-8-0x0000000004C00000-0x0000000004C38000-memory.dmp

    Filesize

    224KB

  • memory/2736-10-0x000000007481E000-0x000000007481F000-memory.dmp

    Filesize

    4KB

  • memory/2736-11-0x0000000074810000-0x0000000074EFE000-memory.dmp

    Filesize

    6.9MB
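
The dump names above encode the PID, a dump index and the dumped address range, and the sizes are derived from that range. The following is an added example (not part of the sandbox's output) that parses those names, checks each stated size against the range, groups repeat captures of the same range, and reports which dumped ranges sit inside others, so a reader can decide which of the eight files actually need opening. DUMPS pairs each name with the size label printed beside it in this report.

```python
"""Parse the memory-dump names listed under Downloads and check the stated sizes.

Added example for this report, not part of the sandbox's output. DUMPS pairs
each dump name with the size label the report prints beside it.
"""
import re

DUMPS = [
    ("memory/2736-0-0x000000007481E000-0x000000007481F000-memory.dmp", "4KB"),
    ("memory/2736-1-0x00000000008F0000-0x0000000000968000-memory.dmp", "480KB"),
    ("memory/2736-2-0x0000000000570000-0x00000000005B0000-memory.dmp", "256KB"),
    ("memory/2736-3-0x0000000074810000-0x0000000074EFE000-memory.dmp", "6.9MB"),
    ("memory/2736-4-0x0000000001F00000-0x0000000001F3E000-memory.dmp", "248KB"),
    ("memory/2736-8-0x0000000004C00000-0x0000000004C38000-memory.dmp", "224KB"),
    ("memory/2736-10-0x000000007481E000-0x000000007481F000-memory.dmp", "4KB"),
    ("memory/2736-11-0x0000000074810000-0x0000000074EFE000-memory.dmp", "6.9MB"),
]

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, dump index, and the [start, end) range."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Reproduce the report's labels: whole KiB below 1 MiB, one decimal MiB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_sizes(dumps):
    """Return (name, stated, computed) for every label that disagrees with the range."""
    return [(n, label, human_size(parse_dump_name(n)["size"]))
            for n, label in dumps if human_size(parse_dump_name(n)["size"]) != label]


def regions(dumps):
    """Map each distinct address range to the dump indices that captured it."""
    out = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        out.setdefault((d["start"], d["end"]), []).append(d["index"])
    return out


def nested_regions(dumps):
    """Pairs (inner, outer) where one dumped range lies inside another."""
    rs = list(regions(dumps))
    return [(i, o) for i in rs for o in rs
            if i != o and o[0] <= i[0] and i[1] <= o[1]]


if __name__ == "__main__":
    print("mismatches:", check_sizes(DUMPS))
    for (s, e), idx in regions(DUMPS).items():
        print(f"0x{s:08X}-0x{e:08X} {human_size(e - s):>6}  dumps {idx}")
    print("nested:", [(f"0x{i[0]:X}", f"0x{o[0]:X}") for i, o in nested_regions(DUMPS)])
```

Run against the list above, every stated size matches its range, the eight files collapse to six distinct ranges (indices 0/10 and 3/11 are repeat captures), and the 4KB page at 0x7481E000 lies inside the 6.9MB mapping starting at 0x74810000, so the two small dumps add nothing the large ones do not already contain.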
