General
- Target: fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118
- Size: 2.3MB
- Sample: 241219-axetaayngv
- MD5: fdbaf1cf150f8ce9892cd77f8f57ee3a
- SHA1: 30b9e7f9fd621887cc3c0d386e8f39e2d5c82229
- SHA256: 2d68a08146c225053c8314282aca4053408e85ff77a9bbd302efe44f1db4739e
- SHA512: 1c9b52214898992d138da884da8c360eb8a40aabb3fa8b9027bcc93686d4f1df2a77f00ecc75944eec063e896b65bc70d1e0c865c6a51e03f1894a4838a75caa
- SSDEEP: 49152:qAoTSV3SSpwtb9rRbipPihj+dPGyFUJ8pg:qnu3nERmpPiF+9GyFUJ8K
Static task
- static1
Behavioral task
- behavioral1: sample fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task
- behavioral2: sample fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118.exe, resource win10v2004-20241007-en
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.2
- C2: swagkhalifa.ddns.net:1338
- Mutex: e113746a-962b-4f99-ad1e-17a39d3fb1d8
- activate_away_mode: true
- backup_connection_host: swagkhalifa.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2015-06-25T17:24:03.224329436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1338
- default_group: Agar
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB; printed as 1.048576e+07 in the raw dump)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB; printed as 1.048576e+07 in the raw dump)
- mutex: e113746a-962b-4f99-ad1e-17a39d3fb1d8
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: swagkhalifa.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.2
- wan_timeout: 8000
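For a responder the extracted config is the useful part of this report. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses a constructed copy of the flattened key/value dump in the layout shown above, types the values (the two sizes printed as 1.048576e+07 are 10485760 bytes, 10 MiB), derives the indicators worth hunting on, flags the settings that change how you contain the host (set_critical_process is true, so the client attempts to mark its own process critical and terminating it outright can bug-check the machine), cross-checks the config against the report's behavioral signatures (run_on_startup is false in the config while the sandbox observed a Run key being added), and runs the indicators over a few constructed DNS/connection log lines. The log format, the IP addresses and the field-to-risk mapping are assumptions made for the example. The DNS caveat follows from use_custom_dns_server being false: the 8.8.8.8/8.8.4.4 values are not what this client resolves through, so hunt for the hostname in resolver logs rather than for traffic to those addresses.

```python
import re

# Constructed copy of part of the report's extracted NanoCore config, in the
# report's own flattened layout: a "-" separator line, then the key line, then
# the value line; a key with no value is fused onto its separator ("- key").
CONFIG_TEXT = "\n".join([
    "-", "backup_connection_host", "swagkhalifa.ddns.net",
    "-", "backup_dns_server", "8.8.4.4",
    "-", "bypass_user_account_control", "true",
    "- bypass_user_account_control_data",
    "-", "connection_port", "1338",
    "-", "gc_threshold", "1.048576e+07",
    "-", "mutex", "e113746a-962b-4f99-ad1e-17a39d3fb1d8",
    "-", "primary_connection_host", "swagkhalifa.ddns.net",
    "-", "primary_dns_server", "8.8.8.8",
    "-", "request_elevation", "true",
    "-", "run_on_startup", "false",
    "-", "set_critical_process", "true",
    "-", "use_custom_dns_server", "false",
])
# Behavioral signatures as listed on the report (constructed copy of the list).
SIGNATURES = ["Deletes itself", "Adds Run key to start application",
              "Suspicious use of SetThreadContext"]

def coerce(value):
    """Map the report's strings to bool/int/str. Sizes printed as floats
    (1.048576e+07) are integer byte counts: 10485760 bytes = 10 MiB."""
    if value is None:
        return None
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+(\.\d+)?[eE][+-]?\d+", value):
        f = float(value)
        return int(f) if f.is_integer() else f
    return value  # hostnames, IPs and GUIDs stay as text

def parse_config(text):
    """Parse the flattened key/value layout into a dict of typed fields."""
    groups = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            groups.append([])
        elif line.startswith("- "):      # value-less field fused onto "-"
            groups.append([line[2:].strip()])
        elif line and groups:
            groups[-1].append(line)
    return {g[0]: coerce(g[1] if len(g) > 1 else None) for g in groups if g}

def derive_iocs(cfg):
    """Indicators to hunt on. The DNS server fields only matter when
    use_custom_dns_server is true; otherwise the system resolver is used."""
    hosts = {cfg.get("primary_connection_host"), cfg.get("backup_connection_host")}
    return {
        "c2_hosts": sorted(h.lower() for h in hosts if h),
        "c2_port": cfg["connection_port"],
        "mutex": cfg["mutex"],
        "custom_dns": [cfg["primary_dns_server"], cfg["backup_dns_server"]]
                      if cfg.get("use_custom_dns_server") else [],
    }

# Assumed mapping of config flags to containment-relevant warnings.
RISKY = {
    "bypass_user_account_control": "UAC bypass enabled",
    "request_elevation": "requests elevation on start",
    "set_critical_process": "marks itself critical: killing it can bug-check the host",
}

def risk_flags(cfg):
    return [msg for key, msg in RISKY.items() if cfg.get(key) is True]

def config_behavior_mismatches(cfg, signatures):
    """Cross-check the config against what the sandbox actually observed."""
    notes = []
    if cfg.get("run_on_startup") is False and any("Run key" in s for s in signatures):
        notes.append("run_on_startup=false but a Run key was added: persistence "
                     "was set by the loader/dropper, or the field was mis-extracted")
    return notes

# Constructed DNS/connection log lines (not from the report).
LOG_LINES = [
    "dns src=10.0.0.5 query=swagkhalifa.ddns.net answer=203.0.113.7",
    "conn src=10.0.0.5 dst=203.0.113.7 dport=1338 proto=tcp",
    "dns src=10.0.0.5 query=update.example.org answer=198.51.100.2",
    "conn src=10.0.0.5 dst=198.51.100.2 dport=443 proto=tcp",
    "conn src=10.0.0.9 dst=192.0.2.10 dport=1338 proto=tcp",
]

def scan_logs(lines, iocs):
    """Flag resolutions of the C2 host and connections to what it resolved to.
    A connection matching only the port is reported as weak: 1338 is not
    specific to this sample."""
    hits, resolved, hosts = [], set(), set(iocs["c2_hosts"])
    for line in lines:
        m = re.search(r"query=(\S+) answer=(\S+)", line)
        if m:
            if m.group(1).lower().rstrip(".") in hosts:
                resolved.add(m.group(2))
                hits.append(("c2_dns", line))
            continue
        m = re.search(r"dst=(\S+) dport=(\d+)", line)
        if m and m.group(1) in resolved:
            hits.append(("c2_conn", line))
        elif m and int(m.group(2)) == iocs["c2_port"]:
            hits.append(("port_only_weak", line))
    return hits
```

Run it as `cfg = parse_config(CONFIG_TEXT)`, then `derive_iocs(cfg)`, `risk_flags(cfg)`, `config_behavior_mismatches(cfg, SIGNATURES)` and `scan_logs(LOG_LINES, derive_iocs(cfg))`. Matching connections on the IP the C2 hostname actually resolved to, rather than on the port alone, is what keeps the false-positive rate usable on a dynamic-DNS name like this one.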
Targets
Behavioral signatures for fdbaf1cf150f8ce9892cd77f8f57ee3a_JaffaCakes118:
- Nanocore family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (number in parentheses is the report's match count for that technique)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
Defense Evasion
- Modify Registry, T1112 (2)
- Subvert Trust Controls, T1553 (2)
  - Install Root Certificate, T1553.004 (1)
  - SIP and Trust Provider Hijacking, T1553.003 (1)