nanocore | de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48

General

Target

6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe
Size

1.4MB
MD5

6282458b94ca8bc08801d124c4224ff1
SHA1

ec13b6b38599fbacc42f6cd11a94d3dc52cf3305
SHA256

de01b6a27d4eba814fe3ce5084cfc23fdeeb47d50f8bec5a973578e66b768a48
SHA512

1895487421339bce9b85b6c994490d3dea45bd7ed5d9ea442eb0492519ed15b2cd9c71ac45e332a0fd8d91b6076059e3760b2036a2275d8c6259da3ce15c29fd
SSDEEP

24576:bNA3R5drXUEC2ZAMXfgdjNAadRaShUkBnL111MD5rThQZhf6Ipp8QgHz+Cu1h6Lb:G5UECKAMXfgpAI5BnL3eD5/hQZB6DQgV

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kartelicemoney.duckdns.org:59712

Mutex

91c5edaa-1adb-44e7-b5fb-9744c1bc0912

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-07-11T22:27:16.709090436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
59712
default_group
Gunna
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
91c5edaa-1adb-44e7-b5fb-9744c1bc0912
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kartelicemoney.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

xrfq.exe

pid process

2788 xrfq.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1932 WScript.exe

pid	process
2788	xrfq.exe

pid	process
1932	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xrfq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dfghjklkjhrtyu.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\xrfq.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\23757645\\smqujemen.bcs"	xrfq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xrfq.exe

description pid process target process

PID 2788 set thread context of 372 2788 xrfq.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegSvcs.exe

pid process

372 RegSvcs.exe
372 RegSvcs.exe
372 RegSvcs.exe
372 RegSvcs.exe
372 RegSvcs.exe
372 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

372 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xrfq.exeRegSvcs.exe

description pid process

Token: 33 2788 xrfq.exe
Token: SeIncBasePriorityPrivilege 2788 xrfq.exe
Token: SeDebugPrivilege 372 RegSvcs.exe

description	pid	process	target process
PID 2788 set thread context of 372	2788	xrfq.exe	RegSvcs.exe

pid	process
2008	schtasks.exe

pid	process
372	RegSvcs.exe
372	RegSvcs.exe
372	RegSvcs.exe
372	RegSvcs.exe
372	RegSvcs.exe
372	RegSvcs.exe

pid	process
372	RegSvcs.exe

description	pid	process
Token: 33	2788	xrfq.exe
Token: SeIncBasePriorityPrivilege	2788	xrfq.exe
Token: SeDebugPrivilege	372	RegSvcs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exeWScript.exexrfq.exeRegSvcs.exe

description	pid	process	target process
PID 2348 wrote to memory of 1932	2348	6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe	WScript.exe
PID 2348 wrote to memory of 1932	2348	6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe	WScript.exe
PID 2348 wrote to memory of 1932	2348	6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe	WScript.exe
PID 2348 wrote to memory of 1932	2348	6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe	WScript.exe
PID 1932 wrote to memory of 2788	1932	WScript.exe	xrfq.exe
PID 1932 wrote to memory of 2788	1932	WScript.exe	xrfq.exe
PID 1932 wrote to memory of 2788	1932	WScript.exe	xrfq.exe
PID 1932 wrote to memory of 2788	1932	WScript.exe	xrfq.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 2788 wrote to memory of 372	2788	xrfq.exe	RegSvcs.exe
PID 372 wrote to memory of 2008	372	RegSvcs.exe	schtasks.exe
PID 372 wrote to memory of 2008	372	RegSvcs.exe	schtasks.exe
PID 372 wrote to memory of 2008	372	RegSvcs.exe	schtasks.exe
PID 372 wrote to memory of 2008	372	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6282458b94ca8bc08801d124c4224ff1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe
    "C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe" smqujemen.bcs
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp50BF.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23757645\csweath.vbs

Filesize
46KB

MD5
7f52859621eeb2db44becedf97aa401b

SHA1
38f78a4a6b871d7570927f3f66fef53e56dc074a

SHA256
dda55d184d2023c6cb2e2b289a682e52dfdb6d698de2d09ebb30a7855f3d0091

SHA512
9e24e079ba2f7ab36f3247b7cfed495a3e523e3e83e7f97fd48de4c76072c4a878585a3c1ecd0e589ab5b8ce0b8c1c3868b69b028a1e18a1d26479cda0125371

Download Submit
C:\Users\Admin\AppData\Local\Temp\23757645\gfujvaac.txt

Filesize
466KB

MD5
22a0cddb35ab13b5829b2db5178fdeb5

SHA1
150abec46b7972d19668d7470cdfffa017e5e6b7

SHA256
39436dfc408cf317d0a69165d657c80eedbe1285f8f0a949330a1270951315f4

SHA512
ed87fb0fd0a99c815117935ab2ae632564835e0a5d8cce83d5309896ff0af03f8af82bb6fc027cfceee07f9aa9c357e4b786347fd36844f40f135ed623302192

Download Submit
C:\Users\Admin\AppData\Local\Temp\23757645\xrfq.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50BF.tmp

Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
memory/372-149-0x0000000000B20000-0x0000000001B20000-memory.dmp

Filesize
16.0MB

Download
memory/372-152-0x0000000000B20000-0x0000000001B20000-memory.dmp

Filesize
16.0MB

Download
memory/372-154-0x0000000000B20000-0x0000000001B20000-memory.dmp

Filesize
16.0MB

Download
memory/372-153-0x0000000000B20000-0x0000000001B20000-memory.dmp

Filesize
16.0MB

Download
memory/372-155-0x0000000000B20000-0x0000000000B58000-memory.dmp

Filesize
224KB

Download
memory/372-151-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/372-160-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/372-161-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/372-162-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads