nanocore | b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56

General

Target

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
Size

2.1MB
MD5

51ddbe4cbd6cf9e71ed36656961f62ac
SHA1

d4515419337741285e9ddefa13c4ad02f8dea4dd
SHA256

b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56
SHA512

3afee0f39b039b4551b77ea38029b5cef2aed7fd9db7f70bb8dd7a61e4abb4a5ec712bdfa92e3b20a8063db2440e4d13e1cf2547f59489d830b316563556fa99
SSDEEP

49152:rh5n9jt3/btUZhdrQ31JeuhO45Eg9wVwdOv:RFgrQ3j/g45Eg9wiOv

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

netprotocol.exenetprotocol.exespoolsc.exe

pid process

2264 netprotocol.exe
2436 netprotocol.exe
1356 spoolsc.exe

pid	process
2264	netprotocol.exe
2436	netprotocol.exe
1356	spoolsc.exe

Loads dropped DLL 10 IoCs

Processes:

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exenetprotocol.exenetprotocol.exe

pid	process
2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
2264	netprotocol.exe
2264	netprotocol.exe
2264	netprotocol.exe
2264	netprotocol.exe
2436	netprotocol.exe
2436	netprotocol.exe
2436	netprotocol.exe
2264	netprotocol.exe
2264	netprotocol.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

netprotocol.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"	netprotocol.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

netprotocol.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA netprotocol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

netprotocol.exe

description pid process target process

PID 2264 set thread context of 2436 2264 netprotocol.exe netprotocol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	netprotocol.exe

description	pid	process	target process
PID 2264 set thread context of 2436	2264	netprotocol.exe	netprotocol.exe

Drops file in Program Files directory 2 IoCs

Processes:

netprotocol.exe

description	ioc	process
File created	C:\Program Files (x86)\DOS Manager\dosmgr.exe	netprotocol.exe
File opened for modification	C:\Program Files (x86)\DOS Manager\dosmgr.exe	netprotocol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

netprotocol.exenetprotocol.exespoolsc.exe

pid	process
2436	netprotocol.exe
2436	netprotocol.exe
2264	netprotocol.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe
1356	spoolsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

netprotocol.exe

pid process

2436 netprotocol.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

netprotocol.exenetprotocol.exespoolsc.exe

description pid process

Token: SeDebugPrivilege 2264 netprotocol.exe
Token: SeDebugPrivilege 2436 netprotocol.exe
Token: SeDebugPrivilege 1356 spoolsc.exe

description	pid	process
Token: SeDebugPrivilege	2264	netprotocol.exe
Token: SeDebugPrivilege	2436	netprotocol.exe
Token: SeDebugPrivilege	1356	spoolsc.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exenetprotocol.execmd.exevbc.exe

description	pid	process	target process
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2236 wrote to memory of 2264	2236	51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe	netprotocol.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2264 wrote to memory of 2588	2264	netprotocol.exe	cmd.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2616	2588	cmd.exe	reg.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2264 wrote to memory of 2728	2264	netprotocol.exe	vbc.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 2724	2728	vbc.exe	cvtres.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 2436	2264	netprotocol.exe	netprotocol.exe
PID 2264 wrote to memory of 1356	2264	netprotocol.exe	spoolsc.exe
PID 2264 wrote to memory of 1356	2264	netprotocol.exe	spoolsc.exe
PID 2264 wrote to memory of 1356	2264	netprotocol.exe	spoolsc.exe
PID 2264 wrote to memory of 1356	2264	netprotocol.exe	spoolsc.exe

C:\Users\Admin\AppData\Local\Temp\51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\51ddbe4cbd6cf9e71ed36656961f62ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
4⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lmlja_kv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E4A.tmp"
4⤵
PID:2724

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
"C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1E4B.tmp
Filesize
1KB

MD5
70de5c7d11f90912a3d414eedba982a0

SHA1
be947caaf392ed974f8057d2a9dac3d26d22b3c5

SHA256
3f31e2e1df13ee51cdca6c21533d2ba98f6047e27577c7f7a3f0e12b15c71868

SHA512
c6ce5552142598c2d352096717656033688d813338d940366a7924616ea51a983e8b84d08151160dc92bf246f5537c67e7a1506df69de9d15e92df6a66527540

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlja_kv.0.vb
Filesize
3KB

MD5
e40446114fd3a07083f484e14fcba4c4

SHA1
086fcf1aac441cbb6f59fa079b506aabb94a493c

SHA256
ec6b3348f5b776c8adaba5b50714667f393c693d1839bccf01385f7094d6c9ac

SHA512
4143d482b15938b44505f5e5ecba5c0080f83d8c29b84f4e93819afd5da1bf37327f16911ff1ace253b9167c514bf5422f1c85fa72cdbe7892180fe22e9b5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmlja_kv.cmdline
Filesize
224B

MD5
4ebf49ede84b140073144879c8867ece

SHA1
7f3179cddaa4eab27d5579abe991e93b1635d332

SHA256
1eaa0f66e9052657af12680c0322ef40b41f4815bb88ad2236556c3380983d3b

SHA512
ffdd5e38e1b584a014d2d60aa1f796a025ea173158ec1a3bcd96e4a74a8e63ded367b9b471a491c13c0303176aa8f17d6eebfa312d31b4849b027bbf36767a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
Filesize
8KB

MD5
0bea2c8d6695992278b8a7709ea05e47

SHA1
9a7445393bea489eec625fef4e2a0ae7b39e8c6e

SHA256
a3473c7d1cb0f97a4f85dd87f06e1df66fb2d41214141cf2f587e22b8f4347b4

SHA512
77faf398362b55f3ff1253e6e24961a700524a20b5108dd23cea698ed1b545fbd80b366f4abaa7d689a3349ea8e54ecf7a5b19a93096adc9b17923b5ef793d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E4A.tmp
Filesize
964B

MD5
52d9c8ba23ef6a3c6542be3c34f9adbf

SHA1
3bf7b4f0ba7ac08798c5f5c52d119f79c26017d3

SHA256
e7c06aca847231b51e5303b631cf78f34cd2fcb074a239267bc737258f6a5e9b

SHA512
6dc22e583b418ca4da2cb996f3bc1e18127d3849ca3fd175f580d34768e32eb12a3f4675a2a346b324e72845b870d42fa6397d2aeab305dd08a2eac9f3fe57a0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
Filesize
2.1MB

MD5
51ddbe4cbd6cf9e71ed36656961f62ac

SHA1
d4515419337741285e9ddefa13c4ad02f8dea4dd

SHA256
b2fb69fe5a4d38d7c2ee4c2a9aa7badac6f342ec93fca10de04a4d9b2893fa56

SHA512
3afee0f39b039b4551b77ea38029b5cef2aed7fd9db7f70bb8dd7a61e4abb4a5ec712bdfa92e3b20a8063db2440e4d13e1cf2547f59489d830b316563556fa99

Download Submit
memory/2236-0-0x0000000074912000-0x0000000074914000-memory.dmp

Filesize
8KB

Download
memory/2264-13-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2264-50-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-28-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-37-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-34-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-39-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-40-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-32-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2436-30-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads