nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

pdf-extension.vhd
Size

16.0MB
Sample

230331-tgbw8sbd22
MD5

f4de49c946dea5b9557aca693bea6fd4
SHA1

2a598525f8e5f88be0ab1d9cf179915bf07a38cc
SHA256

a858b2b8b4be7cb23e0a7d37a0c08489a6820cb1be5523a7a466014eb994391f
SHA512

063bc71bc324c688dea117bed9e42b0ef3617229a8f5069d7e78f81fbfb32c3e9374424775eb52e551def4723f4dd5697abe29dd2494c4bc0af7dbf79dbb06ef
SSDEEP

24576:lSnSwh/M4YK6dJ5xA8F2nFnHb6T8Ujl6vO01C1GCTsYoQZtlsZdc40QDrUYuGG10:4SwV4kBHdTUwTGTTOWjBiO8pG+

Score

10^/10

Malware Config

Extracted

Family

vjw0rm

http://veegod.duckdns.org:7777

http://demon666.duckdns.org:9011

Extracted

Family

nanocore

Version

1.2.2.0

wordz54.duckdns.org:8687

rt54.duckdns.org:8687

Mutex

f631006b-8446-49fb-86fd-51078e24df70

Attributes

activate_away_mode
false
backup_connection_host
rt54.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-08-11T20:00:42.860060236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8687
default_group
secure
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f631006b-8446-49fb-86fd-51078e24df70
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
wordz54.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  $RECYCLE.BIN/$R5K4GOK.js
- Size
  
  9.0MB
- MD5
  
  2fe9e3828a214aedecdfe07148b67070
- SHA1
  
  8a6653fc596bb68fdfcb50516dfb61d745bd5dbf
- SHA256
  
  a7ea02884d2af760f1bb1e0c7f7b65cfa40825ed236d7ba2a93a57c0369ba4c2
- SHA512
  
  fa3b3b2b8e17d131f4175d6d0eae1f4006eb7f34c0e70e8b93c93e80802da93f8e15fb36e6914a53403202be8eaacf241a05834f29b6b2c9c76f42840378e052
- SSDEEP
  
  96:7ZH1uy5XIWBof2lcJc9FJtSPBkk+l4Py5zfI2X2D2xRO1IXyYRZGzO00d4Qn19dz:7ZVhSWx1rSOX2D2rzpRZYO00x9nVLxK
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  $RECYCLE.BIN/$R7M8AKV.scr
- Size
  
  180KB
- MD5
  
  c80e8eac4376b250584da075ba90d8a8
- SHA1
  
  d9078f0a1264d9aa95027a5564a1f193e0e4401d
- SHA256
  
  144cc8d0b542290d38b475f126cc78ea9843b0e760226d307e89f857219167c4
- SHA512
  
  b41553b0f5baf2b20f6b9e3164666aba9377dd28557954c475b84c479365faa7449b09a3448b7f881c35609b34a61af84299412d7222619d6194425bbe3343bc
- SSDEEP
  
  1536:4xk51s+W+yEReHiB0dJoVssssssswksck930mlS4:4xk5DyTHiB0dJoVssssssswks5hS4
Score

1^/10
behavioral3 behavioral4
- Target
  
  $RECYCLE.BIN/$RC3SQXJ.exe
- Size
  
  787KB
- MD5
  
  6a31cd7386f96213190e07b4e5691821
- SHA1
  
  1dc0686217192136ade3ea4c97751692f2719086
- SHA256
  
  dff6fb4233937c2f69694da9fc0e85182ae3fb9a4d36aadfd2e6220e557ef5ca
- SHA512
  
  5527eb4b429808deb2f3032ee008f9d71a044bb2ad108d999bfc287e1b50f35c29f4f080fa43decfe62a2786a383b421f8d44c2476a1159fe4d40fc056c07396
- SSDEEP
  
  24576:Y6T8Ujl6vO01C1GCTsYoQZtlsZdc40QDrUYuGG1ihTGTTi0Cx:+TUwTGTTo
Score

3^/10
behavioral5 behavioral6
- Target
  
  $RECYCLE.BIN/$RCMX6RL.js
- Size
  
  30KB
- MD5
  
  5755b6a40493ddbef7a340f21189a16c
- SHA1
  
  88a3c0693ec96eb4cbdbd1bdeece2519cdadb5b5
- SHA256
  
  476eed72d60eff3ae7cec8fe621e38cd12131c567501f0e7b7688b8618800bc2
- SHA512
  
  107c48d26e7e64acc987bf49871780e7ac29c577c495a5d804f45cd5a1ef14b80917d5e55b3e9b41ba769e5fa77d1aada9bc80d1dc33c88e0717e4389c53746f
- SSDEEP
  
  768:HUYnBbm0aifjNfwp1nXFCfIaf9fgyQ7buighAZK:9zamq1n1Cwaf9gbuIZK
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  $RECYCLE.BIN/$RHL25IB.exe
- Size
  
  181KB
- MD5
  
  dee74fb4b0a75386df85859443bc7cea
- SHA1
  
  1dd13451cf532dad57321840476300f7d91f2d26
- SHA256
  
  3054aceb57920cfbdf9e5f276d9037a804bcfcea1ee125da4ee2300ed335e666
- SHA512
  
  6d7b5d3c723bca9bd077e665bd254ee924e05477bebb55376fcaadf2892c4410780afabc3970f8085e373ddd7e104800018681da432b33ce8dba159463b7a292
- SSDEEP
  
  1536:B1s+W+yEReHiB0dJoVssssssswksck930mlSF:BDyTHiB0dJoVssssssswks5hSF
Score

1^/10
behavioral10 behavioral9
- Target
  
  $RECYCLE.BIN/$RJXIQS1.bat
- Size
  
  325KB
- MD5
  
  09329152d36bbe721ce3504787436cf2
- SHA1
  
  713a6fb0da4a111649bc7268f193ba52463e3576
- SHA256
  
  67e3ece7d1bf12285f01930d6eb28b91ba4a02551d24648ddc79a17cbb9d9423
- SHA512
  
  ee5ad3c41a7822bcc759fa3a33dd2d404cf57f1b074973a61f59c2163bb4062c908b820eb9a0e7fde009be42e6cdcab85ea5373805bbc242ea47957c9fd44a7e
- SSDEEP
  
  6144:uhhAqNRvU+SV6ukYulDTHKqFSC6M+cnyJZAneGwJZfNiINj:uhhAANCkJlqqFSC6dcyQo15j
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  pdf-extensions.vbs
- Size
  
  111KB
- MD5
  
  3fa09c9c6deff87d8c7d42b352ce52b6
- SHA1
  
  c69283b1d90cd7fbec45521149292956ca4c6a1f
- SHA256
  
  4b18539613e1c78a58734ef5e60fe4793ca83384930a4172dbe7a008b14fec31
- SHA512
  
  90696b88151fe173fd2bf64c049b6f7f30493d4daf033f36b9f67f8c94f8b75047df1e7129a119d93bfeafb35007a6341bc745dfac78f817f070c2f9ca44f40e
- SSDEEP
  
  12:O+h3awpefBNRxkj5H6NPnqkc+h3awpeZ9nF6NPnJo:O+9xYZNRxo5wqh+9xYZlym
Score

10^/10

nanocore keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14