floxif | e8d9684735b9381923bc8d3cecc54924c3066e59365d566f0c5b1f86898e2307

General

Target

a94073813049ac2fa9d9ff63cb24ca39_JaffaCakes118
Size

5.3MB
Sample

241127-xv98qssnbl
MD5

a94073813049ac2fa9d9ff63cb24ca39
SHA1

a0fdf54a84adddae4ee4a37f9a7fa17b4aa3629b
SHA256

e8d9684735b9381923bc8d3cecc54924c3066e59365d566f0c5b1f86898e2307
SHA512

0679c0ee3515f1dddf9294f0c0103811788ec8abf130cac328d471e75554d56a601ab46bef12f882df2e65a4d87ed4021ad746d2c8158a55d7ca01a6fd1219a9
SSDEEP

98304:nOHbemITihoBh5tQ1g/vw9GcoNOqFWz7NI3URESZa7sLOvi6gTe2z6GgJpd4feL+:nOCLiQQV/Om+3UHZZfe2z6GsdwKLSQ8z

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.8:4573

127.0.0.1:4573

Mutex

596f453d-09e9-4806-a8b3-3cb60bb40d33

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-07T14:14:06.182021736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4573
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
596f453d-09e9-4806-a8b3-3cb60bb40d33
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.5.98.8
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  a94073813049ac2fa9d9ff63cb24ca39_JaffaCakes118
- Size
  
  5.3MB
- MD5
  
  a94073813049ac2fa9d9ff63cb24ca39
- SHA1
  
  a0fdf54a84adddae4ee4a37f9a7fa17b4aa3629b
- SHA256
  
  e8d9684735b9381923bc8d3cecc54924c3066e59365d566f0c5b1f86898e2307
- SHA512
  
  0679c0ee3515f1dddf9294f0c0103811788ec8abf130cac328d471e75554d56a601ab46bef12f882df2e65a4d87ed4021ad746d2c8158a55d7ca01a6fd1219a9
- SSDEEP
  
  98304:nOHbemITihoBh5tQ1g/vw9GcoNOqFWz7NI3URESZa7sLOvi6gTe2z6GgJpd4feL+:nOCLiQQV/Om+3UHZZfe2z6GsdwKLSQ8z
Score

10^/10

floxif nanocore backdoor discovery keylogger persistence privilege_escalation spyware stealer trojan upx
- Floxif family
  floxif
- Floxif, Floodfix
  Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
  backdoor trojan floxif
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Detects Floxif payload
  backdoor
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2