nanocore | a072e83a9303a4011ae8ec7db630c3523cf1bec5dfa89dffac3c7d035487e879

General

Target

698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
Size

2.5MB
MD5

698576b6a938a5520eae41be49540f41
SHA1

ce10a0371196269b9917b8c2fac19a5bbc84a919
SHA256

a072e83a9303a4011ae8ec7db630c3523cf1bec5dfa89dffac3c7d035487e879
SHA512

823170f85924818f99c25711e69e91cedbe2ec609df3221e6505efd1922e10d31ea61679836038466ffa9683acbe91f117eb984b18a4df80be30f945af718cca
SSDEEP

24576:lCdxte/80jYLT3U1jfsWav8Cdxte/80jYLT3U1jfsWaawXa+5mYk6sPcQ05VvOEU:sw80cTsjkWav9w80cTsjkWaa1fTF7

Score

10^/10

nanocore xpertrat test evasion keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.125.205.93:9003

Mutex

f8886077-ec1e-423d-8a56-8a7e0476eccf

Attributes

activate_away_mode
true
backup_connection_host
185.125.205.93
backup_dns_server
185.125.205.93
buffer_size
65535
build_time
2018-06-23T08:47:17.286273736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9003
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f8886077-ec1e-423d-8a56-8a7e0476eccf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
185.125.205.93
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

185.125.205.93:9911

Mutex

P0V4N118-N5M3-W331-C1L0-Y2V3P6C8B2Q6

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server_Protected.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" server_Protected.exe
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

XpertRAT Core payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3812-38-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral2/memory/3812-40-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

server_Protected.exeserver_Protected.exeserver_Protected.exeserver_Protected.exe

pid process

4388 server_Protected.exe
2252 server_Protected.exe
3620 server_Protected.exe
3812 server_Protected.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" server_Protected.exe

pid	process
4388	server_Protected.exe
2252	server_Protected.exe
3620	server_Protected.exe
3812	server_Protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegAsm.exeserver_Protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeserver_Protected.exe

description	pid	process	target process
PID 3964 set thread context of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 4388 set thread context of 3620	4388	server_Protected.exe	server_Protected.exe
PID 3620 set thread context of 3812	3620	server_Protected.exe	server_Protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RegAsm.exeserver_Protected.exe

pid process

3828 RegAsm.exe
3828 RegAsm.exe
3828 RegAsm.exe
3620 server_Protected.exe
3620 server_Protected.exe
3620 server_Protected.exe
3620 server_Protected.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeserver_Protected.exeRegAsm.exe

pid process

3964 698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
4388 server_Protected.exe
3828 RegAsm.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

server_Protected.exe

pid process

3812 server_Protected.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeserver_Protected.exe

description pid process

Token: SeDebugPrivilege 3828 RegAsm.exe
Token: SeDebugPrivilege 3812 server_Protected.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

server_Protected.exeserver_Protected.exe

pid process

3620 server_Protected.exe
3812 server_Protected.exe

pid	process
4628	schtasks.exe

pid	process
3828	RegAsm.exe
3828	RegAsm.exe
3828	RegAsm.exe
3620	server_Protected.exe
3620	server_Protected.exe
3620	server_Protected.exe
3620	server_Protected.exe

pid	process
3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
4388	server_Protected.exe
3828	RegAsm.exe

pid	process
3812	server_Protected.exe

description	pid	process
Token: SeDebugPrivilege	3828	RegAsm.exe
Token: SeDebugPrivilege	3812	server_Protected.exe

pid	process
3620	server_Protected.exe
3812	server_Protected.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

698576b6a938a5520eae41be49540f41_JaffaCakes118.exeRegAsm.exeserver_Protected.exeserver_Protected.exe

description	pid	process	target process
PID 3964 wrote to memory of 4388	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 3964 wrote to memory of 4388	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 3964 wrote to memory of 4388	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	server_Protected.exe
PID 3964 wrote to memory of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 3964 wrote to memory of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 3964 wrote to memory of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 3964 wrote to memory of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 3964 wrote to memory of 3828	3964	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	RegAsm.exe
PID 3828 wrote to memory of 4628	3828	RegAsm.exe	schtasks.exe
PID 3828 wrote to memory of 4628	3828	RegAsm.exe	schtasks.exe
PID 3828 wrote to memory of 4628	3828	RegAsm.exe	schtasks.exe
PID 4388 wrote to memory of 2252	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 2252	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 2252	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 3620	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 3620	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 3620	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 3620	4388	server_Protected.exe	server_Protected.exe
PID 4388 wrote to memory of 3620	4388	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe
PID 3620 wrote to memory of 3812	3620	server_Protected.exe	server_Protected.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

server_Protected.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server_Protected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe

C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
"C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3620

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp"
3⤵
- Creates scheduled task(s)
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
Filesize
1.2MB

MD5
b70299fccc7ec757022252ebbea4ab11

SHA1
7faf5605c714c171d57d8db47d4ca9e395e9e74b

SHA256
89e25df3ff39f74d6192a02bd1138fc5ba805f85d92cb81d93eff6f238b84e96

SHA512
9f410227c3086c484054ab36e04d0be8fbb98b03ed7aab928c1e367a9371f3d5689e1ca1ed8eba93399077cd678d4bdc4ff6ba13f7f60c0c331112ce64b03663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
memory/3620-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3620-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3812-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-19-0x0000000074102000-0x0000000074103000-memory.dmp

Filesize
4KB

Download
memory/3828-20-0x0000000074100000-0x00000000746B1000-memory.dmp

Filesize
5.7MB

Download
memory/3828-21-0x0000000074100000-0x00000000746B1000-memory.dmp

Filesize
5.7MB

Download
memory/3828-26-0x0000000074102000-0x0000000074103000-memory.dmp

Filesize
4KB

Download
memory/3828-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3828-46-0x0000000074100000-0x00000000746B1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-18-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads