nanocore | 6e7aa00edd15b0cab85deb4dbaad16398279e14ad6adc2d381dc267571872f07

General

Target

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Size

566KB
MD5

41ed9c48d22e555ed02bc93e51dac8e6
SHA1

ec762a6769490d2c80b7225355ff8a97e01f08f2
SHA256

6e7aa00edd15b0cab85deb4dbaad16398279e14ad6adc2d381dc267571872f07
SHA512

72c77f8d38309e776737f55963a79200ea2e698d46e8e5a08b442244151e221951e1e43ec295e00b0680225b41a98e88fee9c341df82a42fdbd84f76cb02c344
SSDEEP

6144:K1zdkQj1QZcb4GLW6G/Zis+XZeys0n4aqrx22VXmELVryNCETgi:C2QjyZcPq6Gxis+NDq92cWEhrypTgi

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

160.202.163.243:9588

Mutex

053c92c8-05d8-440d-ac8b-77913651b7e7

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-05-01T02:27:05.117625036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9588
default_group
20th=
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
053c92c8-05d8-440d-ac8b-77913651b7e7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
160.202.163.243
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

description pid process target process

PID 2940 set thread context of 2284 2940 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2620 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exeRegAsm.exe

pid process

2940 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
2940 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
2284 RegAsm.exe
2284 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2284 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2940 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Token: SeDebugPrivilege 2284 RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 2940 set thread context of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe

pid	process
2620	schtasks.exe

pid	process
2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
2284	RegAsm.exe
2284	RegAsm.exe

pid	process
2284	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Token: SeDebugPrivilege	2284	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 2940 wrote to memory of 2540	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 2940 wrote to memory of 2540	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 2940 wrote to memory of 2540	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 2940 wrote to memory of 2540	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 2540 wrote to memory of 2656	2540	csc.exe	cvtres.exe
PID 2540 wrote to memory of 2656	2540	csc.exe	cvtres.exe
PID 2540 wrote to memory of 2656	2540	csc.exe	cvtres.exe
PID 2540 wrote to memory of 2656	2540	csc.exe	cvtres.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2940 wrote to memory of 2284	2940	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 2284 wrote to memory of 2620	2284	RegAsm.exe	schtasks.exe
PID 2284 wrote to memory of 2620	2284	RegAsm.exe	schtasks.exe
PID 2284 wrote to memory of 2620	2284	RegAsm.exe	schtasks.exe
PID 2284 wrote to memory of 2620	2284	RegAsm.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wkh2fuiq\wkh2fuiq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp" "c:\Users\Admin\AppData\Local\Temp\wkh2fuiq\CSCD8DAD89766804E6E9013E0114A79AFB.TMP"
3⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp"
3⤵
- Creates scheduled task(s)
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp
Filesize
1KB

MD5
8f8c7894e9170a059804325bebaf6fca

SHA1
56108be024542ea8530c0c7b6ff7db420705c7b4

SHA256
a5039209a6736dee49366f75652d7da5832ba6867cbcc507a4725035a8b9fcb0

SHA512
5af176f1c9e8fb840d6ce6b397474d5c5d909d686f63b6163916b3bb55fbcbbb2d32fa49f81d97dc6a80c3d2d98bea7501b9b1bd8bc668edbefe9a81bcb1d80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkh2fuiq\wkh2fuiq.dll
Filesize
10KB

MD5
b3214513af2fa958a9a6d73491ae8cfb

SHA1
3830e384c6341a06d4960e13fd2233e5308e9795

SHA256
2235251c9cb95ee4c0eea16330984acccab832330a9ddcf92ed3116386aa4097

SHA512
e610e7afbe76ae930922154e6d8b613a2ff3874b1b73eba112c15fc5521ab70174db9eac0571305d739487f71557c456821933a209d419b81c9babe122879572

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkh2fuiq\wkh2fuiq.pdb
Filesize
29KB

MD5
2467ae5318e3605959caea7df00d002b

SHA1
2a346a032c50ac81d08b2dd5d30dc3b05a08dd51

SHA256
c63fea5236d15b6f29e1e7baff47ab100ce3c354be784a791efe8ca2df476734

SHA512
2acd8d02cd05570dca2da6c1a963934ef993e46bb0c3747f421605641d9605518530f09f4a3c2a5d400fd4148745ae5de3f90fcda0e7c40bf68deb29dc3969a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkh2fuiq\CSCD8DAD89766804E6E9013E0114A79AFB.TMP
Filesize
1KB

MD5
e0e21cc074df6bc9a27b8f82e8762750

SHA1
c9a16a77ef47a163e7d19d224ca51b6b5aad95b7

SHA256
b075fe2b81d2f24145cacab9019378cba0ae319013e19595610cbc04830af225

SHA512
bb12abe9d39f141a4c088d670cbd3a1ee8d287357e89b1cea987f66a94a5c042ceb7005dc21ee601f13dccd30ae12bd24ec2677db9878ecb37acfa0d83c23d7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkh2fuiq\wkh2fuiq.0.cs
Filesize
11KB

MD5
7366bed61be86bb57e4850100733dc2f

SHA1
1426ced8b65c7a96b3a25ee6eb0f417a590af1b5

SHA256
f33a4040638b27b83af1a1ba7d66467b019c504cc74b1a5020d8d56246df266b

SHA512
b195126e1ae3e4fcec6b167cd7f53ce6d12a0ce38eabb44a9f37ed28de808216c6ae48a30f8acbd3f9cb91b37ae9c9d8ac759c578aa71e8dab88edf38badad1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wkh2fuiq\wkh2fuiq.cmdline
Filesize
312B

MD5
efbadf4ea655f462a8a80b16318bcd5c

SHA1
9dfbcf4bd28f1dd31ae76974f1c9fbc7d5b7ca15

SHA256
51699179d2e2eac6736cdf71016c167a0e7834a4904ebd512eb5d89dd8291e3a

SHA512
ed64a6b966c7f4ad6aa42504c716178fd71efa4d6ade355498b10cbc9f47ca6fd1efa65e355f1ebce5a8f9e9d4d338c9af54890bfdb9946b0d7b3c612dda6894

Download Submit
memory/2284-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-42-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2284-41-0x0000000000810000-0x000000000082E000-memory.dmp

Filesize
120KB

Download
memory/2284-40-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2284-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2284-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2940-0-0x000000007415E000-0x000000007415F000-memory.dmp

Filesize
4KB

Download
memory/2940-23-0x0000000002190000-0x00000000021C8000-memory.dmp

Filesize
224KB

Download
memory/2940-6-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-35-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-1-0x00000000008E0000-0x000000000095C000-memory.dmp

Filesize
496KB

Download
memory/2940-20-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2940-19-0x00000000020F0000-0x0000000002134000-memory.dmp

Filesize
272KB

Download
memory/2940-17-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads