nanocore | 520a9841c77609dc1c87d0cc7e8ca7ac4e36fb9a78c4401e056c12585ceaec04 | Triage

Sharing

General

Target

5b4966b97a3e3979116e52661911d864_JaffaCakes118
Size

922KB
Sample

240519-y5gvlsgb8y
MD5

5b4966b97a3e3979116e52661911d864
SHA1

dfd59d35031a179590e5ad0c62af4a3ad258809a
SHA256

520a9841c77609dc1c87d0cc7e8ca7ac4e36fb9a78c4401e056c12585ceaec04
SHA512

a1c5abc309def3522556bfc43b75f3d6fd63f861e6070c2483e1cffa0de019a098c63e4fcba0488b94eaa879eb9298113c31c5378cf633ad06847fcde364a94f
SSDEEP

24576:f2O/GlVZNLG62ZnMCpdfnwYiOxNOCLs2lQlZP69/:cZsdPoYPuri9/

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kgentle77.hopto.org:58887

Mutex

1515e7d6-0e18-4f91-8b5b-e41fb83e4640

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-11T13:50:06.165219536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
58887
default_group
kgentle
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1515e7d6-0e18-4f91-8b5b-e41fb83e4640
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kgentle77.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  5b4966b97a3e3979116e52661911d864_JaffaCakes118
- Size
  
  922KB
- MD5
  
  5b4966b97a3e3979116e52661911d864
- SHA1
  
  dfd59d35031a179590e5ad0c62af4a3ad258809a
- SHA256
  
  520a9841c77609dc1c87d0cc7e8ca7ac4e36fb9a78c4401e056c12585ceaec04
- SHA512
  
  a1c5abc309def3522556bfc43b75f3d6fd63f861e6070c2483e1cffa0de019a098c63e4fcba0488b94eaa879eb9298113c31c5378cf633ad06847fcde364a94f
- SSDEEP
  
  24576:f2O/GlVZNLG62ZnMCpdfnwYiOxNOCLs2lQlZP69/:cZsdPoYPuri9/
Score

10^/10

nanocore keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocorekeyloggerpersistencespywarestealertrojan

behavioral2