General
-
Target
ab0f429587409856cbf8b7eeda784818_JaffaCakes118
-
Size
569KB
-
Sample
241128-fkz7casncp
-
MD5
ab0f429587409856cbf8b7eeda784818
-
SHA1
11361e5f830be948fe2f3115875baf8bd784009b
-
SHA256
9b916d451ce81a4fa56209262065797748bcbce9d8819288e46004c6d0f95c6b
-
SHA512
83ea74f260d64b143b44fbc067696aebe6e2cd670a4456b30b12282c0cb538428296fa53fd5ad37960d2edc146c95b4f383459f3ef666f4e672fd4dc243a801e
-
SSDEEP
12288:2NeZIXMuf2BBHkr4AgKB2E3/XjCPncDMQNvdL3XO2:68vLkrsE3/Xkc3vNnO
Malware Config
Extracted
nanocore
1.2.2.0
0.tcp.ngrok.io:15642
d61fa598-6d05-4c22-9eba-11b25460477f
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-05-15T14:08:35.896694436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
15642
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
d61fa598-6d05-4c22-9eba-11b25460477f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
0.tcp.ngrok.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
ab0f429587409856cbf8b7eeda784818_JaffaCakes118
-
Size
569KB
-
MD5
ab0f429587409856cbf8b7eeda784818
-
SHA1
11361e5f830be948fe2f3115875baf8bd784009b
-
SHA256
9b916d451ce81a4fa56209262065797748bcbce9d8819288e46004c6d0f95c6b
-
SHA512
83ea74f260d64b143b44fbc067696aebe6e2cd670a4456b30b12282c0cb538428296fa53fd5ad37960d2edc146c95b4f383459f3ef666f4e672fd4dc243a801e
-
SSDEEP
12288:2NeZIXMuf2BBHkr4AgKB2E3/XjCPncDMQNvdL3XO2:68vLkrsE3/Xkc3vNnO
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-