nanocore | 50268a0bf2f611895387a18f608dd3ade4d3022fd371a72512f9dcef8a7abcb1 | Triage

Submit
Reports

Overview

overview

Static

static

3

0deda404c1...18.exe

windows7-x64

0deda404c1...18.exe

windows10-2004-x64

Sharing

General

Target

0deda404c17d8ea28089403f53e4ade4_JaffaCakes118
Size

939KB
Sample

240502-jqqrmscf8x
MD5

0deda404c17d8ea28089403f53e4ade4
SHA1

0e6a4a0b652bb8dfb9024a14c53bf54118d18d1b
SHA256

50268a0bf2f611895387a18f608dd3ade4d3022fd371a72512f9dcef8a7abcb1
SHA512

0057ba55d96f2ca61fd4415b512f48d3822db2883b18f38c6f2329955f9a6f02babd61a05472782016a75c756b359132cec1f2187824e1fb4b67e6586c5b181c
SSDEEP

12288:X+2cqiK+Kr8PNjpKJjqo5TQZyf7SBNiQb05gQMhMLhrTVjPsacrLCAg9epPT4I8A:XSQ7sNkj5Iig1a5TILCAOeN4xK

Score

10^/10

nanocore evasion keylogger spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0deda404c17d8ea28089403f53e4ade4_JaffaCakes118.exe

Resource

win7-20240419-en

nanocore evasion keylogger spyware stealer trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

0deda404c17d8ea28089403f53e4ade4_JaffaCakes118.exe

Resource

win10v2004-20240419-en

nanocore evasion keylogger spyware stealer trojan upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

finlandmc.com:54984

127.0.0.1:54984

Mutex

b7c5d67b-f577-4d35-adc7-6994a8049b53

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-07-14T18:20:34.159605436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b7c5d67b-f577-4d35-adc7-6994a8049b53
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
finlandmc.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  0deda404c17d8ea28089403f53e4ade4_JaffaCakes118
- Size
  
  939KB
- MD5
  
  0deda404c17d8ea28089403f53e4ade4
- SHA1
  
  0e6a4a0b652bb8dfb9024a14c53bf54118d18d1b
- SHA256
  
  50268a0bf2f611895387a18f608dd3ade4d3022fd371a72512f9dcef8a7abcb1
- SHA512
  
  0057ba55d96f2ca61fd4415b512f48d3822db2883b18f38c6f2329955f9a6f02babd61a05472782016a75c756b359132cec1f2187824e1fb4b67e6586c5b181c
- SSDEEP
  
  12288:X+2cqiK+Kr8PNjpKJjqo5TQZyf7SBNiQb05gQMhMLhrTVjPsacrLCAg9epPT4I8A:XSQ7sNkj5Iig1a5TILCAOeN4xK
Score

10^/10

nanocore evasion keylogger spyware stealer trojan upx
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Drops startup file
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojanupx

behavioral2

nanocoreevasionkeyloggerspywarestealertrojanupx

© 2018-2024

Terms | Privacy