nanocore | f2dcd87ed48d9b6f3f1f8bb61de7f2ad480130fa932176679d3b1e81d17fcd36

General

Target

INV563626625366262737.js
Size

393KB
MD5

262dda971083308d2494ba848fa06d30
SHA1

852ae4f8992e07933a7024f9797532ba97860c4d
SHA256

f2dcd87ed48d9b6f3f1f8bb61de7f2ad480130fa932176679d3b1e81d17fcd36
SHA512

bcb00350b338d86f93caf9d01fd13e21f416aabb872f9f5237552d9e3b83c111c57cc58e74ca33451455013a0b89379570656cf79114af21cf5835355dd2c38c

Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer trojan worm

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

benztel.hopto.org:3265

24.133.1.29:3265

Mutex

0471501d-d60a-48fe-8824-9a9aaa8f6bbe

Attributes

activate_away_mode
true
backup_connection_host
24.133.1.29
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-09-13T16:56:52.414482136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3265
default_group
delaggrace
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0471501d-d60a-48fe-8824-9a9aaa8f6bbe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
benztel.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exe

flow	pid	process
9	2616	wscript.exe
20	2616	wscript.exe
21	2616	wscript.exe
28	2616	wscript.exe
29	2616	wscript.exe
30	2616	wscript.exe
33	2616	wscript.exe
36	2616	wscript.exe
37	2616	wscript.exe
38	2616	wscript.exe
39	2616	wscript.exe
40	2616	wscript.exe
41	2616	wscript.exe
42	2616	wscript.exe
43	2616	wscript.exe
44	2616	wscript.exe
45	2616	wscript.exe
46	2616	wscript.exe

Executes dropped EXE 1 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

584 MY NEW NANO STUB.exe

pid	process
584	MY NEW NANO STUB.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YGuLNAbIBf.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YGuLNAbIBf.js	wscript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeMY NEW NANO STUB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YGuLNAbIBf.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	MY NEW NANO STUB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MY NEW NANO STUB.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MY NEW NANO STUB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MY NEW NANO STUB.exe

Drops file in Program Files directory 2 IoCs

Processes:

MY NEW NANO STUB.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	MY NEW NANO STUB.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	MY NEW NANO STUB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1832 schtasks.exe
1852 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

584 MY NEW NANO STUB.exe
584 MY NEW NANO STUB.exe
584 MY NEW NANO STUB.exe
584 MY NEW NANO STUB.exe
584 MY NEW NANO STUB.exe
584 MY NEW NANO STUB.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MY NEW NANO STUB.exe

pid process

584 MY NEW NANO STUB.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MY NEW NANO STUB.exe

description pid process

Token: SeDebugPrivilege 584 MY NEW NANO STUB.exe

pid	process
1832	schtasks.exe
1852	schtasks.exe

pid	process
584	MY NEW NANO STUB.exe
584	MY NEW NANO STUB.exe
584	MY NEW NANO STUB.exe
584	MY NEW NANO STUB.exe
584	MY NEW NANO STUB.exe
584	MY NEW NANO STUB.exe

pid	process
584	MY NEW NANO STUB.exe

description	pid	process
Token: SeDebugPrivilege	584	MY NEW NANO STUB.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeMY NEW NANO STUB.exe

description	pid	process	target process
PID 3752 wrote to memory of 2616	3752	wscript.exe	wscript.exe
PID 3752 wrote to memory of 2616	3752	wscript.exe	wscript.exe
PID 3752 wrote to memory of 584	3752	wscript.exe	MY NEW NANO STUB.exe
PID 3752 wrote to memory of 584	3752	wscript.exe	MY NEW NANO STUB.exe
PID 3752 wrote to memory of 584	3752	wscript.exe	MY NEW NANO STUB.exe
PID 584 wrote to memory of 1832	584	MY NEW NANO STUB.exe	schtasks.exe
PID 584 wrote to memory of 1832	584	MY NEW NANO STUB.exe	schtasks.exe
PID 584 wrote to memory of 1832	584	MY NEW NANO STUB.exe	schtasks.exe
PID 584 wrote to memory of 1852	584	MY NEW NANO STUB.exe	schtasks.exe
PID 584 wrote to memory of 1852	584	MY NEW NANO STUB.exe	schtasks.exe
PID 584 wrote to memory of 1852	584	MY NEW NANO STUB.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INV563626625366262737.js
1⤵
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YGuLNAbIBf.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2616
- C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe
  "C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23D0.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1832
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp26BF.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp23D0.tmp

MD5
cd7b4fbc58504187512ceb3472c6a9ed

SHA1
ece6e96cc613b961a6f05188cc936e194b25cdf6

SHA256
3b01b02720e685d48ebf12b0ddb93039251fce5df7dda4121729c28ffbfbe335

SHA512
909c9177fc7bb84e92cbdeba47f366ed4d3da3f9b1459808e4a23009b66e652c5e2f6346aeededc735d8c5fcf404b12b1f97fdf7713c81b1cf0c6ef0d2bead93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26BF.tmp

MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe

MD5
db44d2b392da6d967253d012e4b01d1f

SHA1
89657385961cc49a63e9833f7d2d6c306bf18080

SHA256
59b09c74bf406194c3312c49cfd379417c75a664a8e85fd27449d298bd7f4061

SHA512
42b011c4808a0c36e85a615f24a8d45b1a7fa7b3fe3aa8a2b15882f0b9ef189e972098980654470e42876b1e565b51a852c66b57061029196a9b8c11fa12edc4

Download Submit
C:\Users\Admin\AppData\Roaming\MY NEW NANO STUB.exe

MD5
db44d2b392da6d967253d012e4b01d1f

SHA1
89657385961cc49a63e9833f7d2d6c306bf18080

SHA256
59b09c74bf406194c3312c49cfd379417c75a664a8e85fd27449d298bd7f4061

SHA512
42b011c4808a0c36e85a615f24a8d45b1a7fa7b3fe3aa8a2b15882f0b9ef189e972098980654470e42876b1e565b51a852c66b57061029196a9b8c11fa12edc4

Download Submit
C:\Users\Admin\AppData\Roaming\YGuLNAbIBf.js

MD5
19325a9e704b640074e611e29d7f184b

SHA1
ffb6091bbd9862229f704241f606de9faafc566a

SHA256
80fd74dd6a11d8082804738706f7721e92643bb95ca1abb84fe21f634ced60d5

SHA512
66bdb165c86df472fff8dd62c3f69fea94dcb6f4454e00d096362a528b8d4c9caedca81cfd809ab1662e83e7e440fad751af2cfb34bb14581f7efacfdd2a1990

Download Submit
memory/584-120-0x0000000000000000-mapping.dmp

Download
memory/584-123-0x0000000000A50000-0x0000000000B9A000-memory.dmp

Filesize
1.3MB

Download
memory/1832-124-0x0000000000000000-mapping.dmp

Download
memory/1852-126-0x0000000000000000-mapping.dmp

Download
memory/2616-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads