nanocore

General

Target

3ab4567f554b6bb6b7d042e79f8ff20d_JaffaCakes118
Size

329KB
Sample

240330-m3mgjaed49
MD5

3ab4567f554b6bb6b7d042e79f8ff20d
SHA1

2665f3b61b3689358350b6b1c4133d8c85659280
SHA256

60736642b3c21361fb3aab74bd57a05a2f1f13f5b19fb7c970466bddafd4925f
SHA512

c357a5cce8ebcf195bcaa0e43e201181a74d3e408a13903eacc896ec8fed8ac940dffb32b64f755e4089d0062edbf8961472d012bb3c36361c2acc856c39c76e
SSDEEP

6144:k7rV+JJ8CsHamG5g8fEysBRZunvVZXP/0i1jxDBAQ+KM+yrvdpYiwOeJ+32Qh:srV+z8BIRMBRZ6VhXfjjO+yzPwbJ0

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

quasbackup2017.mywire.org:3847

127.0.0.1:3847

Mutex

decc4a5c-f17e-4e9c-a7cb-718ee9a997be

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
127.0.0.1
buffer_size
65535
build_time
2017-05-14T07:16:35.737114036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
3847
default_group
shaw click
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
decc4a5c-f17e-4e9c-a7cb-718ee9a997be
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
quasbackup2017.mywire.org
primary_dns_server
quasbackup2017.mywire.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  3ab4567f554b6bb6b7d042e79f8ff20d_JaffaCakes118
- Size
  
  329KB
- MD5
  
  3ab4567f554b6bb6b7d042e79f8ff20d
- SHA1
  
  2665f3b61b3689358350b6b1c4133d8c85659280
- SHA256
  
  60736642b3c21361fb3aab74bd57a05a2f1f13f5b19fb7c970466bddafd4925f
- SHA512
  
  c357a5cce8ebcf195bcaa0e43e201181a74d3e408a13903eacc896ec8fed8ac940dffb32b64f755e4089d0062edbf8961472d012bb3c36361c2acc856c39c76e
- SSDEEP
  
  6144:k7rV+JJ8CsHamG5g8fEysBRZunvVZXP/0i1jxDBAQ+KM+yrvdpYiwOeJ+32Qh:srV+z8BIRMBRZ6VhXfjjO+yzPwbJ0
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2