nanocore | 4c36c6698bdc43b8ec9a9745b1c106b2035f0892b0b7b36ddb08701d4a795b49 | Triage

Sharing

General

Target

55c3c36dcb62a5e8ebd0ff41e07cf4d3_JaffaCakes118
Size

461KB
Sample

240518-vaqx9ada8w
MD5

55c3c36dcb62a5e8ebd0ff41e07cf4d3
SHA1

68721bf5ac9732c076bea84d466c09cd4b099bbc
SHA256

4c36c6698bdc43b8ec9a9745b1c106b2035f0892b0b7b36ddb08701d4a795b49
SHA512

35d28442975affe91102a27483624103802a92b887bc077bf3c1afaaa1d28da56ecfbf7ae3ce8149a15e115dd59ef9257992a59526e13f45ec155b6509101e76
SSDEEP

6144:Ac7xeEXpi/whlpjKmTIbICh1yvFNc6LqI00K1On/GYNzfafDkufKSkxGsRByJkvO:B7xeE5zhlpjKmTIXyfTLy0oOm4gnkk+K

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.231.113.95:5401

Mutex

449dabd0-b2cc-40a3-9d7c-418ef76898a8

Attributes

activate_away_mode
true
backup_connection_host
185.231.113.95
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-07-04T20:55:16.048555336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5401
default_group
pappay
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
449dabd0-b2cc-40a3-9d7c-418ef76898a8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.231.113.95
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  55c3c36dcb62a5e8ebd0ff41e07cf4d3_JaffaCakes118
- Size
  
  461KB
- MD5
  
  55c3c36dcb62a5e8ebd0ff41e07cf4d3
- SHA1
  
  68721bf5ac9732c076bea84d466c09cd4b099bbc
- SHA256
  
  4c36c6698bdc43b8ec9a9745b1c106b2035f0892b0b7b36ddb08701d4a795b49
- SHA512
  
  35d28442975affe91102a27483624103802a92b887bc077bf3c1afaaa1d28da56ecfbf7ae3ce8149a15e115dd59ef9257992a59526e13f45ec155b6509101e76
- SSDEEP
  
  6144:Ac7xeEXpi/whlpjKmTIbICh1yvFNc6LqI00K1On/GYNzfafDkufKSkxGsRByJkvO:B7xeE5zhlpjKmTIXyfTLy0oOm4gnkk+K
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan