nanocore | 6e7aa00edd15b0cab85deb4dbaad16398279e14ad6adc2d381dc267571872f07

General

Target

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Size

566KB
MD5

41ed9c48d22e555ed02bc93e51dac8e6
SHA1

ec762a6769490d2c80b7225355ff8a97e01f08f2
SHA256

6e7aa00edd15b0cab85deb4dbaad16398279e14ad6adc2d381dc267571872f07
SHA512

72c77f8d38309e776737f55963a79200ea2e698d46e8e5a08b442244151e221951e1e43ec295e00b0680225b41a98e88fee9c341df82a42fdbd84f76cb02c344
SSDEEP

6144:K1zdkQj1QZcb4GLW6G/Zis+XZeys0n4aqrx22VXmELVryNCETgi:C2QjyZcPq6Gxis+NDq92cWEhrypTgi

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

160.202.163.243:9588

Mutex

053c92c8-05d8-440d-ac8b-77913651b7e7

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-05-01T02:27:05.117625036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9588
default_group
20th=
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
053c92c8-05d8-440d-ac8b-77913651b7e7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
160.202.163.243
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe

description pid process target process

PID 3080 set thread context of 1048 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2756 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 3080 set thread context of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe

pid	process
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exeRegAsm.exe

pid	process
3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
1048	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1048 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3080 41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Token: SeDebugPrivilege 1048 RegAsm.exe

pid	process
1048	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
Token: SeDebugPrivilege	1048	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.execsc.exeRegAsm.exe

description	pid	process	target process
PID 3080 wrote to memory of 2744	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 3080 wrote to memory of 2744	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 3080 wrote to memory of 2744	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	csc.exe
PID 2744 wrote to memory of 4876	2744	csc.exe	cvtres.exe
PID 2744 wrote to memory of 4876	2744	csc.exe	cvtres.exe
PID 2744 wrote to memory of 4876	2744	csc.exe	cvtres.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 3080 wrote to memory of 1048	3080	41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe	RegAsm.exe
PID 1048 wrote to memory of 2756	1048	RegAsm.exe	schtasks.exe
PID 1048 wrote to memory of 2756	1048	RegAsm.exe	schtasks.exe
PID 1048 wrote to memory of 2756	1048	RegAsm.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41ed9c48d22e555ed02bc93e51dac8e6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36BF.tmp" "c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\CSC611DD0E5B3648189C98B5B1D8E19630.TMP"
3⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A69.tmp"
3⤵
- Creates scheduled task(s)
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES36BF.tmp
Filesize
1KB

MD5
ebc0630f72fe68b7c3d3e915c728ea76

SHA1
7c8941cb86b1f8fa5881b51e6e99382dea07978e

SHA256
b23aba827ee2a5ff22cb5443773e649e47951fbad4818f8a5c89e51e73e496ba

SHA512
0b89b30c31f3f92499e94c832694263d5f9b45a84a7b50708df58bf6f8492bb2fa5365c12b1b31bc598f2c4ce84e1fd648d0f36478549aed727216cfda444f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A69.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.dll
Filesize
10KB

MD5
eba219c38f0999397db863a25a0c1b90

SHA1
245d3ea6ca941a42ebff0d8a82574758d3896e0e

SHA256
15c063290cd0d7f94b7337d0d11eebb48294363aa2716ece75f59a2afa5d979a

SHA512
f3c94a40722154a22d771c948044aeff93818b0543ebd5c8dce890ae4390b08a46fc6eaabd57ccfeba04573f7b95f224ee658f508969e5d5a24ad171831fc8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.pdb
Filesize
29KB

MD5
85c135da68075f32b84b14c1c3b5a9b4

SHA1
bc0b1a7bacec2a37e662480a0119e6a3301b1076

SHA256
8159d6b4565668d22db0b2556a813057e6a022d913066fb2700a8ee2973a33ec

SHA512
70145c0f809e0913219fbeae129fee44706ad65185abdc78349f4b2450050195e081d7e0f7ec77af5b8fea8b2d7a672e073ef86592e9638fb4854d8175fc887c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\CSC611DD0E5B3648189C98B5B1D8E19630.TMP
Filesize
1KB

MD5
37d8db18f30a477469af450e13796ceb

SHA1
90356c5d1463369db3adc3d65a49e58e9d46527f

SHA256
e7ab8ad37e3ff1d110f07f8a921b30d9d16295a4002e245107ef652e61084db2

SHA512
a784c0ed5c01a009f6618845f3c84ea5a92f5a25078a7e7d1d747ffe7153d87b9c94bfb87d923fbee8d388b7ab93d985cb6ba468b8b4bcc5c06dd857c975af73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.0.cs
Filesize
11KB

MD5
7366bed61be86bb57e4850100733dc2f

SHA1
1426ced8b65c7a96b3a25ee6eb0f417a590af1b5

SHA256
f33a4040638b27b83af1a1ba7d66467b019c504cc74b1a5020d8d56246df266b

SHA512
b195126e1ae3e4fcec6b167cd7f53ce6d12a0ce38eabb44a9f37ed28de808216c6ae48a30f8acbd3f9cb91b37ae9c9d8ac759c578aa71e8dab88edf38badad1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfn5yeqy\xfn5yeqy.cmdline
Filesize
312B

MD5
55572c97f777f82f7c4a174c3c606839

SHA1
78204bb41b1f855ed10892ee3dc4ccd38ce012e1

SHA256
a4b386d5fe72ae9ce8efc63674822ff6de8e57eddf3e5cf548192cdf572b3821

SHA512
b9e48424031dc30bf6af3a588802b88126cd61fcd87a478ec6ad0459f8cc3a4dc66ed161f60c2bd241bd621a870b1c7c68d7583106c9d737cb76d1c04a6074b7

Download Submit
memory/1048-29-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/1048-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1048-39-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/1048-38-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/1048-37-0x0000000005280000-0x000000000529E000-memory.dmp

Filesize
120KB

Download
memory/1048-36-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/1048-31-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/1048-30-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3080-28-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3080-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3080-25-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/3080-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3080-24-0x0000000004E80000-0x0000000004EB8000-memory.dmp

Filesize
224KB

Download
memory/3080-1-0x00000000000D0000-0x000000000014C000-memory.dmp

Filesize
496KB

Download
memory/3080-21-0x0000000004AE0000-0x0000000004AEC000-memory.dmp

Filesize
48KB

Download
memory/3080-20-0x0000000004D10000-0x0000000004D54000-memory.dmp

Filesize
272KB

Download
memory/3080-19-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/3080-17-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads