nanocore | 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a

General

Target

0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
Size

513KB
MD5

0a242406df260af40a8b4fd6258cfb5e
SHA1

2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
SHA256

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
SHA512

86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1
SSDEEP

12288:p4fijaKuilYLV6BtpmkIMEcc7hyXDC8TW0C4yIfMZ/W:pbGKrlqApfIMEccdSm0xMt

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3096	HWID CHANGER.EXE
3212	SERVICES.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"	SERVICES.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SERVICES.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DDP Service\ddpsv.exe	SERVICES.EXE
File opened for modification	C:\Program Files (x86)\DDP Service\ddpsv.exe	SERVICES.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4792	schtasks.exe
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3212	SERVICES.EXE
3212	SERVICES.EXE
3212	SERVICES.EXE
3212	SERVICES.EXE
3212	SERVICES.EXE
3212	SERVICES.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3212	SERVICES.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	SERVICES.EXE
Token: SeDebugPrivilege	3212	SERVICES.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 3096	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	83
PID 1580 wrote to memory of 3096	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	83
PID 1580 wrote to memory of 3096	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	83
PID 1580 wrote to memory of 3212	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	84
PID 1580 wrote to memory of 3212	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	84
PID 1580 wrote to memory of 3212	1580	0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe	84
PID 3212 wrote to memory of 4792	3212	SERVICES.EXE	85
PID 3212 wrote to memory of 4792	3212	SERVICES.EXE	85
PID 3212 wrote to memory of 4792	3212	SERVICES.EXE	85
PID 3212 wrote to memory of 1572	3212	SERVICES.EXE	87
PID 3212 wrote to memory of 1572	3212	SERVICES.EXE	87
PID 3212 wrote to memory of 1572	3212	SERVICES.EXE	87

C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
  "C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp345E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4792
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp352A.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp345E.tmp

Filesize
1KB

MD5
ceee50b15e8af3709e3b6797b4fe0dff

SHA1
94686fe6430122551a42b8c9871845c0990161f3

SHA256
9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0

SHA512
372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp352A.tmp

Filesize
1KB

MD5
93d357e6194c8eb8d0616a9f592cc4bf

SHA1
5cc3a3d95d82cb88f65cb6dc6c188595fa272808

SHA256
a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713

SHA512
4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

Download Submit
memory/3096-21-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3096-36-0x0000000073EA0000-0x0000000074650000-memory.dmp

Filesize
7.7MB

Download
memory/3096-23-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/3096-38-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3096-25-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/3096-29-0x0000000004FB0000-0x0000000005006000-memory.dmp

Filesize
344KB

Download
memory/3096-28-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/3096-22-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/3096-20-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/3096-19-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/3212-31-0x0000000073810000-0x0000000073DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3212-37-0x0000000073810000-0x0000000073DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3212-24-0x0000000073810000-0x0000000073DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3212-39-0x0000000073810000-0x0000000073DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads