nanocore

General

Target

INV198763.js
Size

490KB
Sample

220614-f8allacbbr
MD5

d2f059207365496e0882106890b537fc
SHA1

8f58c2d8cdf2e45cd8bc2550ad3297bbd411e7f2
SHA256

ccfa8f60748182d0624626398d29548e4912c930152fd14da7ea172b29953871
SHA512

e042589d54a0ca9eb8b88208d046fff27920bd1853791f7f1c7b9f63fc3edaeb909c7f8a5cdb94249278cc35f0d74ca2e216cf697838bb4be5e1e5efe15ffc60

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

blessed147.ddns.net:8089

Mutex

40ea8615-bb8c-4ed8-9592-a1252dd082e6

Attributes

activate_away_mode
true
backup_connection_host
blessed147.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-03-26T04:34:52.362349036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8089
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
40ea8615-bb8c-4ed8-9592-a1252dd082e6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  INV198763.js
- Size
  
  490KB
- MD5
  
  d2f059207365496e0882106890b537fc
- SHA1
  
  8f58c2d8cdf2e45cd8bc2550ad3297bbd411e7f2
- SHA256
  
  ccfa8f60748182d0624626398d29548e4912c930152fd14da7ea172b29953871
- SHA512
  
  e042589d54a0ca9eb8b88208d046fff27920bd1853791f7f1c7b9f63fc3edaeb909c7f8a5cdb94249278cc35f0d74ca2e216cf697838bb4be5e1e5efe15ffc60
Score

10^/10

nanocore vjw0rm evasion keylogger persistence spyware stealer suricata trojan worm
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- suricata: ET MALWARE Possible NanoCore C2 60B
  suricata: ET MALWARE Possible NanoCore C2 60B
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Vjw0rm

suricata: ET MALWARE Possible NanoCore C2 60B

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2