nanocore | 2de716414a5246e7d4f1d9679a9c5fdefd194c30807331d05798253ebceb87a2

General

Target

#CHOO2.js
Size

7KB
MD5

4fc18805b5686d320a0ccdab8438ed7e
SHA1

afbe3e8f7448be3ace8f48f37c1524748533ed94
SHA256

7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
SHA512

9ec6470aadce9ddaebd57167658d1a8a22ddb496e452b3a4574d3c8fa8b5d643e49d96b31df64f89fe3847bc4c7be792e21f8de063be07ef3452e936931ded14

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

nanoboss.duckdns.org:6129

Mutex

f795cec6-1cfb-44f9-898a-e041c33422fe

Attributes

activate_away_mode
false
backup_connection_host
nanoboss.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-10T14:25:49.368918836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6129
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f795cec6-1cfb-44f9-898a-e041c33422fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nanoboss.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

6 656 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

nano6129.exe

pid process

3492 nano6129.exe

flow	pid	process
6	656	wscript.exe

pid	process
3492	nano6129.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nano6129.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	nano6129.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nano6129.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano6129.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano6129.exe

Drops file in Program Files directory 2 IoCs

Processes:

nano6129.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	nano6129.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	nano6129.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1624 schtasks.exe
3596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nano6129.exe

pid process

3492 nano6129.exe
3492 nano6129.exe
3492 nano6129.exe
3492 nano6129.exe
3492 nano6129.exe
3492 nano6129.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nano6129.exe

pid process

3492 nano6129.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nano6129.exe

description pid process

Token: SeDebugPrivilege 3492 nano6129.exe

pid	process
1624	schtasks.exe
3596	schtasks.exe

pid	process
3492	nano6129.exe
3492	nano6129.exe
3492	nano6129.exe
3492	nano6129.exe
3492	nano6129.exe
3492	nano6129.exe

pid	process
3492	nano6129.exe

description	pid	process
Token: SeDebugPrivilege	3492	nano6129.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exenano6129.exe

description	pid	process	target process
PID 656 wrote to memory of 3492	656	wscript.exe	nano6129.exe
PID 656 wrote to memory of 3492	656	wscript.exe	nano6129.exe
PID 656 wrote to memory of 3492	656	wscript.exe	nano6129.exe
PID 3492 wrote to memory of 1624	3492	nano6129.exe	schtasks.exe
PID 3492 wrote to memory of 1624	3492	nano6129.exe	schtasks.exe
PID 3492 wrote to memory of 1624	3492	nano6129.exe	schtasks.exe
PID 3492 wrote to memory of 3596	3492	nano6129.exe	schtasks.exe
PID 3492 wrote to memory of 3596	3492	nano6129.exe	schtasks.exe
PID 3492 wrote to memory of 3596	3492	nano6129.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#CHOO2.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\nano6129.exe
"C:\Users\Admin\AppData\Local\Temp\nano6129.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB27.tmp"
3⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCBF.tmp"
3⤵
- Creates scheduled task(s)
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nano6129.exe
MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nano6129.exe
MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB27.tmp
MD5
c04dd5db5ad0101acca7163a01d3e067

SHA1
d264e1533dd4275af3748d386a77843386fd4b38

SHA256
d0c5ea5cd181a81af880a92988e689623f65586add14524daade790313167051

SHA512
96bcce0ba28fc21621af5de08cb0d68258e02d90e699c90731dfa486712d6e2740932f17bef70933cbf7e3d4c29ab41f127ccc4b32480c5520a331f83fa36900

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBF.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/1624-119-0x0000000000000000-mapping.dmp

Download
memory/3492-115-0x0000000000000000-mapping.dmp

Download
memory/3492-118-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3596-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads