nanocore | 510c92f4ed90b092940d8d47585e2a55d1ad71e7ecd87b3e6ec783ab23fc9ed9 | Triage

Sharing

General

Target

49eafd305c087014395f73e39363501f_JaffaCakes118
Size

1.2MB
Sample

240516-htphbahb2y
MD5

49eafd305c087014395f73e39363501f
SHA1

d8f4be58cf3a05aa6aab6b50ccef12ebc21f05bb
SHA256

510c92f4ed90b092940d8d47585e2a55d1ad71e7ecd87b3e6ec783ab23fc9ed9
SHA512

7ba281fe90b1e8f2d7c9109f0a731a3766141c6f53bd4b0cf07bacb6925d1be677f97d56502cd78c7b2847434bce4a9b767de9d5292f847150affe55c118c80d
SSDEEP

24576:/0CDJu+x6QjMLD3LzxEr3nPuSeXWWa3J4hGVyTmGaO3tdRmPddr2UmA5/qhooa69:/fD8G4i7PzeXQ5/N6devKUmA5zE

Score

10^/10

nanocore njrat hacked evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

1337day.ddns.net:1900

Mutex

93979016-0516-4417-b883-a0edc923fe85

Attributes

activate_away_mode
true
backup_connection_host
1337day.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-29T17:12:59.761069736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1900
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
93979016-0516-4417-b883-a0edc923fe85
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

fal92.duckdns.org:10142

Mutex

3d25feee885880d8ab876c66d8b91d84

Attributes

reg_key
3d25feee885880d8ab876c66d8b91d84
splitter
|'|'|

Targets

- Target
  
  NaxorCrypter.exe
- Size
  
  2.2MB
- MD5
  
  b29c154b97950a07caf5aa3e3795a4a1
- SHA1
  
  8940008c6630ad14a42f76c72b63341adb406736
- SHA256
  
  51a39194cd5c21c1de6e9724f9b5890a2b50f9d7e3b7fa003a5e50beb9559fb4
- SHA512
  
  c21b40a6e412f0022da398212ddcf6cfdf51522715297d0275fb2983d936a1ace29f4f8a54f751617fc92121b825424389bdd096b9c59c4cff6a58a57bde7bc3
- SSDEEP
  
  24576:NkGGdafLtcWAjB9XvdBqLP2XDBxkdgGAQjdhnF61A5w/8yYBBifgqH3P64F7:G4ovIbqxCTx5w/Xf5f
Score

10^/10

nanocore njrat hacked evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocorenjrathackedevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocorenjrathackedevasionkeyloggerpersistencespywarestealertrojan