nanocore | f2dcd87ed48d9b6f3f1f8bb61de7f2ad480130fa932176679d3b1e81d17fcd36

General

Target

INV563626625366262737.js
Size

393KB
MD5

262dda971083308d2494ba848fa06d30
SHA1

852ae4f8992e07933a7024f9797532ba97860c4d
SHA256

f2dcd87ed48d9b6f3f1f8bb61de7f2ad480130fa932176679d3b1e81d17fcd36
SHA512

bcb00350b338d86f93caf9d01fd13e21f416aabb872f9f5237552d9e3b83c111c57cc58e74ca33451455013a0b89379570656cf79114af21cf5835355dd2c38c

Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer trojan worm

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

benztel.hopto.org:3265

24.133.1.29:3265

Mutex

0471501d-d60a-48fe-8824-9a9aaa8f6bbe

Attributes

activate_away_mode
true
backup_connection_host
24.133.1.29
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-09-13T16:56:52.414482136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3265
default_group
delaggrace
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0471501d-d60a-48fe-8824-9a9aaa8f6bbe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
benztel.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

wscript.exe

flow	pid	process
5	1896	wscript.exe
8	1896	wscript.exe
9	1896	wscript.exe
11	1896	wscript.exe
12	1896	wscript.exe
13	1896	wscript.exe
15	1896	wscript.exe
16	1896	wscript.exe
17	1896	wscript.exe
19	1896	wscript.exe
20	1896	wscript.exe
21	1896	wscript.exe
23	1896	wscript.exe
24	1896	wscript.exe
25	1896	wscript.exe
27	1896	wscript.exe
28	1896	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

632 MY NEW NANO STUB.exe

pid	process
632	MY NEW NANO STUB.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YGuLNAbIBf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YGuLNAbIBf.js	wscript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeMY NEW NANO STUB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YGuLNAbIBf.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsvc.exe"	MY NEW NANO STUB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MY NEW NANO STUB.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MY NEW NANO STUB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MY NEW NANO STUB.exe

Drops file in Program Files directory 2 IoCs

Processes:

MY NEW NANO STUB.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Service\agpsvc.exe	MY NEW NANO STUB.exe
File opened for modification	C:\Program Files (x86)\AGP Service\agpsvc.exe	MY NEW NANO STUB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1452 schtasks.exe
680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

632 MY NEW NANO STUB.exe
632 MY NEW NANO STUB.exe
632 MY NEW NANO STUB.exe
632 MY NEW NANO STUB.exe
632 MY NEW NANO STUB.exe
632 MY NEW NANO STUB.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

632 MY NEW NANO STUB.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MY NEW NANO STUB.exe

description pid process

Token: SeDebugPrivilege 632 MY NEW NANO STUB.exe

pid	process
1452	schtasks.exe
680	schtasks.exe

pid	process
632	MY NEW NANO STUB.exe
632	MY NEW NANO STUB.exe
632	MY NEW NANO STUB.exe
632	MY NEW NANO STUB.exe
632	MY NEW NANO STUB.exe
632	MY NEW NANO STUB.exe

pid	process
632	MY NEW NANO STUB.exe

description	pid	process
Token: SeDebugPrivilege	632	MY NEW NANO STUB.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exeMY NEW NANO STUB.exe

description	pid	process	target process
PID 2036 wrote to memory of 1896	2036	wscript.exe	wscript.exe
PID 2036 wrote to memory of 1896	2036	wscript.exe	wscript.exe
PID 2036 wrote to memory of 1896	2036	wscript.exe	wscript.exe
PID 2036 wrote to memory of 632	2036	wscript.exe	MY NEW NANO STUB.exe
PID 2036 wrote to memory of 632	2036	wscript.exe	MY NEW NANO STUB.exe
PID 2036 wrote to memory of 632	2036	wscript.exe	MY NEW NANO STUB.exe
PID 2036 wrote to memory of 632	2036	wscript.exe	MY NEW NANO STUB.exe
PID 632 wrote to memory of 1452	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 1452	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 1452	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 1452	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 680	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 680	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 680	632	MY NEW NANO STUB.exe	schtasks.exe
PID 632 wrote to memory of 680	632	MY NEW NANO STUB.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INV563626625366262737.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YGuLNAbIBf.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1896
- C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe
  "C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF47C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1452
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFAE3.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF47C.tmp

MD5
cd7b4fbc58504187512ceb3472c6a9ed

SHA1
ece6e96cc613b961a6f05188cc936e194b25cdf6

SHA256
3b01b02720e685d48ebf12b0ddb93039251fce5df7dda4121729c28ffbfbe335

SHA512
909c9177fc7bb84e92cbdeba47f366ed4d3da3f9b1459808e4a23009b66e652c5e2f6346aeededc735d8c5fcf404b12b1f97fdf7713c81b1cf0c6ef0d2bead93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAE3.tmp

MD5
ce8deae9b307cca32e099a025ea9a8cb

SHA1
00905c64da02c878f96693ac40ce8c33210380a2

SHA256
ea5a64295a4fc20df3bc4357439aae98ba4777940ca879f4ad61c34d8f056b33

SHA512
1b6f852b1f4d1763972bff01693751755eabe920591ee22f0b7cbe85dcfdbac26d286576f6671e56046f9e37f199b1d1f8d0717fcd8efacb68d0d514a6018fd4

Download Submit
C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe

MD5
db44d2b392da6d967253d012e4b01d1f

SHA1
89657385961cc49a63e9833f7d2d6c306bf18080

SHA256
59b09c74bf406194c3312c49cfd379417c75a664a8e85fd27449d298bd7f4061

SHA512
42b011c4808a0c36e85a615f24a8d45b1a7fa7b3fe3aa8a2b15882f0b9ef189e972098980654470e42876b1e565b51a852c66b57061029196a9b8c11fa12edc4

Download Submit
C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe

MD5
db44d2b392da6d967253d012e4b01d1f

SHA1
89657385961cc49a63e9833f7d2d6c306bf18080

SHA256
59b09c74bf406194c3312c49cfd379417c75a664a8e85fd27449d298bd7f4061

SHA512
42b011c4808a0c36e85a615f24a8d45b1a7fa7b3fe3aa8a2b15882f0b9ef189e972098980654470e42876b1e565b51a852c66b57061029196a9b8c11fa12edc4

Download Submit
C:\Users\Admin\AppData\Roaming\YGuLNAbIBf.js

MD5
19325a9e704b640074e611e29d7f184b

SHA1
ffb6091bbd9862229f704241f606de9faafc566a

SHA256
80fd74dd6a11d8082804738706f7721e92643bb95ca1abb84fe21f634ced60d5

SHA512
66bdb165c86df472fff8dd62c3f69fea94dcb6f4454e00d096362a528b8d4c9caedca81cfd809ab1662e83e7e440fad751af2cfb34bb14581f7efacfdd2a1990

Download Submit
memory/632-58-0x0000000000000000-mapping.dmp

Download
memory/632-61-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/632-62-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/680-65-0x0000000000000000-mapping.dmp

Download
memory/1452-63-0x0000000000000000-mapping.dmp

Download
memory/1896-56-0x0000000000000000-mapping.dmp

Download
memory/2036-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads