nanocore | 8feb48eae4ca6d55b2d5ad244917791ba9129f821b92d451dd7f02c64b3b5541

General

Target

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
Size

1.1MB
MD5

484e27072482dbdaad8dc5ba3b42ee02
SHA1

4ee146db76435dd8db6678b0a3b1c1e6d167469e
SHA256

8feb48eae4ca6d55b2d5ad244917791ba9129f821b92d451dd7f02c64b3b5541
SHA512

5fd696e79a62b2caf8ea939ed77c8175f6bdf7bd5a316011e7aaf0cba81683669d9fe7197a3d740e9a196dd0143831864ba13725f0260f3892403db264955668
SSDEEP

6144:sM2LRbpRbW/yTgXyYSZIaQdaS1BCjLxzi/oyF32SCQoSd:sMqbXTXqa0aSvALs/pF3vZoA

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

4344 tmp.exe

pid	process
4344	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	pid	process	target process
PID 2748 set thread context of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2992 schtasks.exe
3180 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5100 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
2992	schtasks.exe
3180	schtasks.exe

pid	process
5100	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

pid	process
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

pid process

4216 484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

pid	process
4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
Token: SeDebugPrivilege	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.execmd.execmd.exe484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe

description	pid	process	target process
PID 2748 wrote to memory of 1140	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 1140	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 1140	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 844	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 844	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 844	1140	cmd.exe	reg.exe
PID 2748 wrote to memory of 4344	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	tmp.exe
PID 2748 wrote to memory of 4344	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	tmp.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4216	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
PID 2748 wrote to memory of 4252	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 4252	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 4252	2748	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	cmd.exe
PID 4252 wrote to memory of 5100	4252	cmd.exe	timeout.exe
PID 4252 wrote to memory of 5100	4252	cmd.exe	timeout.exe
PID 4252 wrote to memory of 5100	4252	cmd.exe	timeout.exe
PID 4216 wrote to memory of 2992	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe
PID 4216 wrote to memory of 2992	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe
PID 4216 wrote to memory of 2992	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe
PID 4216 wrote to memory of 3180	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe
PID 4216 wrote to memory of 3180	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe
PID 4216 wrote to memory of 3180	4216	484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
3⤵
PID:844

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
2⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\484e27072482dbdaad8dc5ba3b42ee02_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp870D.tmp"
3⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp89AE.tmp"
3⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp870D.tmp
Filesize
1KB

MD5
ab1bdedf35a82e7d9ad05f87c81e63bc

SHA1
cdf75718dfd405b3ede7b04619733a5b36004ef8

SHA256
4c7e04b43a233fe219f029de35afbf8cb3dd84a8cc0f4af86271892f3c9add8d

SHA512
109c4521f1903f3c7dc53aaa30c861b82b39c9d4b1122a3cf4acc3cbbcf660cecbeea31f60c02b2845d629ae658b34c45681cf2228cd686fd8254f194f65cdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89AE.tmp
Filesize
1KB

MD5
0339b45ef206f4becc88be0d65e24b9e

SHA1
6503a1851f4ccd8c80a31f96bd7ae40d962c9fad

SHA256
3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83

SHA512
c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe
Filesize
1.1MB

MD5
484e27072482dbdaad8dc5ba3b42ee02

SHA1
4ee146db76435dd8db6678b0a3b1c1e6d167469e

SHA256
8feb48eae4ca6d55b2d5ad244917791ba9129f821b92d451dd7f02c64b3b5541

SHA512
5fd696e79a62b2caf8ea939ed77c8175f6bdf7bd5a316011e7aaf0cba81683669d9fe7197a3d740e9a196dd0143831864ba13725f0260f3892403db264955668

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
Filesize
189B

MD5
dca86f6bec779bba1b58d992319e88db

SHA1
844e656d3603d15ae56f36298f8031ad52935829

SHA256
413b4ee68f5400fcd30ae5df957d723989b400637dbc7f5d158fa050bdc20743

SHA512
4b9d532a777921543b3243020ea4b655a8b956c400b237ce714b5bd8e9a3ad7fdbcb11410e84e2e0ecc45e87dcd107385a487f5bb5b359aabd1322314ef2d24c

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe
Filesize
203KB

MD5
ea4e711b570883a5f601e3c134b4d666

SHA1
4845379009f04bb888e3194ddc613e57fccb5999

SHA256
d5a68669dcc8d060b385202713a80a79eb068dc78a78cdb5a912ddfa12820ba1

SHA512
e8f80eef1a303d72160d55d93870fd2ce24f8632b06af3adadcc0d5b5804d5dee44eb72889b39fe72e4688a0d3d064c6e632631bb570f912178e2872ce6fe102

Download Submit
memory/2748-10-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2748-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2748-21-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2748-41-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2748-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/2748-9-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

Filesize
4KB

Download
memory/4216-25-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4216-26-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4216-22-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4216-43-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4344-32-0x000000001B5F0000-0x000000001BABE000-memory.dmp

Filesize
4.8MB

Download
memory/4344-28-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/4344-37-0x000000001B040000-0x000000001B0DC000-memory.dmp

Filesize
624KB

Download
memory/4344-38-0x000000001BC70000-0x000000001BD16000-memory.dmp

Filesize
664KB

Download
memory/4344-39-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads