nanocore | 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a

General

Target

0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
Size

513KB
MD5

0a242406df260af40a8b4fd6258cfb5e
SHA1

2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
SHA256

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
SHA512

86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1
SSDEEP

12288:p4fijaKuilYLV6BtpmkIMEcc7hyXDC8TW0C4yIfMZ/W:pbGKrlqApfIMEccdSm0xMt

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

128.226.252.143:54984

127.0.0.1:54984

Mutex

71004c52-6256-4356-bd30-5affe1ec6914

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-31T01:18:37.502649636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
71004c52-6256-4356-bd30-5affe1ec6914
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
128.226.252.143
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2920	HWID CHANGER.EXE
2976	SERVICES.EXE

Loads dropped DLL 3 IoCs

pid	Process
2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	SERVICES.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SERVICES.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	SERVICES.EXE
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	SERVICES.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2976	SERVICES.EXE
2976	SERVICES.EXE
2976	SERVICES.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	SERVICES.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	SERVICES.EXE
Token: SeDebugPrivilege	2976	SERVICES.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2920	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2920	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2920	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2920	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2976	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2976	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2976	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2976	2872	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	29
PID 2976 wrote to memory of 2692	2976	SERVICES.EXE	30
PID 2976 wrote to memory of 2692	2976	SERVICES.EXE	30
PID 2976 wrote to memory of 2692	2976	SERVICES.EXE	30
PID 2976 wrote to memory of 2692	2976	SERVICES.EXE	30
PID 2976 wrote to memory of 2696	2976	SERVICES.EXE	32
PID 2976 wrote to memory of 2696	2976	SERVICES.EXE	32
PID 2976 wrote to memory of 2696	2976	SERVICES.EXE	32
PID 2976 wrote to memory of 2696	2976	SERVICES.EXE	32

C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
  "C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1507.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1507.tmp

Filesize
1KB

MD5
ceee50b15e8af3709e3b6797b4fe0dff

SHA1
94686fe6430122551a42b8c9871845c0990161f3

SHA256
9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0

SHA512
372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1575.tmp

Filesize
1KB

MD5
4b7ef560289c0f62d0baf6f14f48a57a

SHA1
8331acb90dde588aa3196919f6e847f398fd06d1

SHA256
062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207

SHA512
ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

Download Submit
\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
memory/2920-29-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-18-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-17-0x0000000000DB0000-0x0000000000DD8000-memory.dmp

Filesize
160KB

Download
memory/2976-20-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2976-21-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2976-19-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2976-30-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2976-31-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download
memory/2976-32-0x0000000073450000-0x00000000739FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads