nanocore | c5fa6b9642b737e1318245b039002b26141092ca9d055bc99f9250c1ea91b966

General

Target

53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
Size

852KB
MD5

53b6adccfa92bc14352aec7289ab2950
SHA1

6067cca668cfb9ac87441cf0156af321202f2d04
SHA256

c5fa6b9642b737e1318245b039002b26141092ca9d055bc99f9250c1ea91b966
SHA512

883965f9d5aff1f8b137b063e7fc6e978ba8805bb4769d112a87d04c4858f2e1e397da19884a45b0723671357484b781dc2be2f294838d30a717a3f74afde5f3
SSDEEP

24576:L2O/GlmnhDKoc9JT3Q0cKvkw7+2qJ787g6zwm4m53Sb2n:P5KRT3Q0cKvkwS2Q785kFm53Syn

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

154.16.63.21:8777

Mutex

e8ddcb63-1ab8-4f2b-8233-40ab2aa77e6c

Attributes

activate_away_mode
true
backup_connection_host
154.16.63.21
backup_dns_server
buffer_size
65535
build_time
2017-01-13T08:26:18.817282736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
8777
default_group
uk
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e8ddcb63-1ab8-4f2b-8233-40ab2aa77e6c
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
154.16.63.21
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

fqx.exefqx.exe

pid process

2588 fqx.exe
1504 fqx.exe

Loads dropped DLL 5 IoCs

Processes:

53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exefqx.exe

pid	process
2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
2588	fqx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fqx.exeRegSvcs.exeRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs"	fqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\khc\\fqx.exe C:\\Users\\Admin\\AppData\\Roaming\\khc\\anm-tjs"	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fqx.exe

description	pid	process	target process
PID 1504 set thread context of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 set thread context of 1620	1504	fqx.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Service\tcpsv.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\TCP Service\tcpsv.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fqx.exeRegSvcs.exeRegSvcs.exe

pid	process
2588	fqx.exe
2676	RegSvcs.exe
2676	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe
1620	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2676 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2676 RegSvcs.exe

pid	process
2676	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2676	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exefqx.exefqx.exe

description	pid	process	target process
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2328 wrote to memory of 2588	2328	53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 2588 wrote to memory of 1504	2588	fqx.exe	fqx.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 2676	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe
PID 1504 wrote to memory of 1620	1504	fqx.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53b6adccfa92bc14352aec7289ab2950_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\khc\fqx.exe
"C:\Users\Admin\AppData\Roaming\khc\fqx.exe" anm-tjs
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Roaming\khc\fqx.exe
C:\Users\Admin\AppData\Roaming\khc\fqx.exe C:\Users\Admin\AppData\Roaming\khc\JILQR
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\khc\JILQR
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\khc\JILQR
Filesize
91KB

MD5
e75f7afd6c1fc384fae32f662a3c5939

SHA1
920548e0c819204b114267a1ac5198eb01d2eb43

SHA256
81b7d64bf1736312351fd0207fde3e2c23aa3231607415748ec51c01c377a17a

SHA512
ec1741b87dc453c3e0d91a77f00bf2830445176b8b4ee80722f2c4e6bb53b5a7675a2c8f70274a737023906fa325bc150d10a58688b498c03d0e6a4de1765859

Download Submit
C:\Users\Admin\AppData\Roaming\khc\anm-tjs
Filesize
7.4MB

MD5
6276212be5f4f3dc51113b6bff9a4cb4

SHA1
b26e74f82e1fa09a8c332ab39505be5f6efabab0

SHA256
74f704dbe98256359a2593e0883a79152b1c61271405685384a94b12858261c8

SHA512
8b9bd50aff0c896dd587a413162054d8f887426784eaa9fbc09023ce12421cff31ba63378b45bc75f0a3e556a42d18d7c206b16605f8c870a9fce54d5b2b5ceb

Download Submit
C:\Users\Admin\AppData\Roaming\khc\faa.bmp
Filesize
618KB

MD5
a337884da35ac1afc9cb434fd4b0cd9e

SHA1
f9d1935c8cfc8b697c40fa6da71bd950129bef0d

SHA256
d5f05d19ae26abc515edbd0b1328d73c0a43a9b577fbed041b640d49d9b0320c

SHA512
1bddd5d445ec89186043bdabe42f9817ea999eaed702dcc7fab1bec50a8e879ae0f12e706770091644912cd1e7de6f389b396c8af05f8e78a71f4005f9485e4e

Download Submit
C:\Users\Admin\AppData\Roaming\khc\spd
Filesize
4B

MD5
098f6bcd4621d373cade4e832627b4f6

SHA1
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

SHA256
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

SHA512
ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Download Submit
\Users\Admin\AppData\Roaming\khc\fqx.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1620-113-0x00000000002D0000-0x000000000039C000-memory.dmp

Filesize
816KB

Download
memory/1620-119-0x00000000002D0000-0x000000000039C000-memory.dmp

Filesize
816KB

Download
memory/1620-117-0x00000000002D0000-0x000000000039C000-memory.dmp

Filesize
816KB

Download
memory/1620-116-0x00000000002D0000-0x000000000039C000-memory.dmp

Filesize
816KB

Download
memory/2676-107-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-100-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-99-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-104-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-108-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-109-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads