General
-
Target
b08b3e32d70824efc376be391784dc48_JaffaCakes118
-
Size
1.1MB
-
Sample
241129-l7pl1svlbp
-
MD5
b08b3e32d70824efc376be391784dc48
-
SHA1
5697e5cbdf89875fcde4e0138502e2c5fd5c2158
-
SHA256
cb3ec57389ef463a58a5721042355cda8d227c151ea528e949817534e214bdc8
-
SHA512
316887470946ab9d046d290f4ff4f7bc2dae1039e48d0c9d614992e23e56b6354260b8c477f374035aa68f2c2d28cd65c4cb46c20c3d34f6696bf65619eb08b1
-
SSDEEP
12288:6BkjXoeDZJ7Y4jhWaItUs9jS4/lMmmGvgwV9iSCnnRs3bCa8QHmaqOY3haOp9nHP:6CXo6ZVY4jqS5Q81RsfHmkY3t6L
Malware Config
Extracted
nanocore
1.2.2.0
timmy01.ddns.net:39399
timmy005.ddns.net:39399
924ff6b4-65b7-475c-a744-25c39eaa2d77
-
activate_away_mode
true
-
backup_connection_host
timmy005.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-12-03T14:32:05.909912836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
39399
-
default_group
FEBUARY 2021
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
924ff6b4-65b7-475c-a744-25c39eaa2d77
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
timmy01.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
b08b3e32d70824efc376be391784dc48_JaffaCakes118
-
Size
1.1MB
-
MD5
b08b3e32d70824efc376be391784dc48
-
SHA1
5697e5cbdf89875fcde4e0138502e2c5fd5c2158
-
SHA256
cb3ec57389ef463a58a5721042355cda8d227c151ea528e949817534e214bdc8
-
SHA512
316887470946ab9d046d290f4ff4f7bc2dae1039e48d0c9d614992e23e56b6354260b8c477f374035aa68f2c2d28cd65c4cb46c20c3d34f6696bf65619eb08b1
-
SSDEEP
12288:6BkjXoeDZJ7Y4jhWaItUs9jS4/lMmmGvgwV9iSCnnRs3bCa8QHmaqOY3haOp9nHP:6CXo6ZVY4jqS5Q81RsfHmkY3t6L
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1