nanocore | 1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd

General

Target

6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
Size

633KB
MD5

6ad45efb4c6a213a85fe847dc228fcbe
SHA1

a2b482b6a9a95efdf086fd6e7604c119a6ab8285
SHA256

1538c0ddb80e85c1d2fa97bedacddd09fe087c3e7e76fcd19051ed6e3e2028fd
SHA512

ead0663183c0f63cd575bf413543a875be942e1f6316c4216dd91f33ec87dd0627e2a9c31c148dfe7b618f963c64e793ad01803ae7fe7fa82b84eaec656a3791
SSDEEP

12288:SEcVL8O4jrAioZX+t4O8vjNUu5JxjV653TxaOW4YizV58+u3GGUqXUQwQ3IQPH:KLlgAiobvZUqJxRmDxDbYEo3DXUxQYyH

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

newipset.hopto.org:4444

127.0.0.1:4444

Mutex

4ef41814-b3a0-4694-8a10-f8f3ea935772

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-07-09T07:25:16.502613836Z
bypass_user_account_control
true
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4444
default_group
Telescrapper
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4ef41814-b3a0-4694-8a10-f8f3ea935772
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
newipset.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

telescrap.exeteles.sfx.exeteles.exe

pid process

2620 telescrap.exe
2764 teles.sfx.exe
2724 teles.exe
Loads dropped DLL 7 IoCs

Processes:

6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.execmd.exeteles.sfx.exe

pid process

2228 6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
1280
2776 cmd.exe
2764 teles.sfx.exe
2764 teles.sfx.exe
2764 teles.sfx.exe
2764 teles.sfx.exe

pid	process
2620	telescrap.exe
2764	teles.sfx.exe
2724	teles.exe

pid	process
2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
1280
2776	cmd.exe
2764	teles.sfx.exe
2764	teles.sfx.exe
2764	teles.sfx.exe
2764	teles.sfx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

teles.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"	teles.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

teles.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA teles.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	teles.exe

Drops file in Program Files directory 2 IoCs

Processes:

teles.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Host\isshost.exe	teles.exe
File opened for modification	C:\Program Files (x86)\ISS Host\isshost.exe	teles.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

teles.exe

pid process

2724 teles.exe
2724 teles.exe
2724 teles.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

teles.exe

pid process

2724 teles.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

teles.exe

description pid process

Token: SeDebugPrivilege 2724 teles.exe

pid	process
2724	teles.exe
2724	teles.exe
2724	teles.exe

pid	process
2724	teles.exe

description	pid	process
Token: SeDebugPrivilege	2724	teles.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exetelescrap.execmd.execmd.exeteles.sfx.exe

description	pid	process	target process
PID 2228 wrote to memory of 2620	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	telescrap.exe
PID 2228 wrote to memory of 2620	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	telescrap.exe
PID 2228 wrote to memory of 2620	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	telescrap.exe
PID 2228 wrote to memory of 2620	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	telescrap.exe
PID 2620 wrote to memory of 2564	2620	telescrap.exe	cmd.exe
PID 2620 wrote to memory of 2564	2620	telescrap.exe	cmd.exe
PID 2620 wrote to memory of 2564	2620	telescrap.exe	cmd.exe
PID 2564 wrote to memory of 2624	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2624	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2624	2564	cmd.exe	reg.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2228 wrote to memory of 2776	2228	6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe	cmd.exe
PID 2776 wrote to memory of 2764	2776	cmd.exe	teles.sfx.exe
PID 2776 wrote to memory of 2764	2776	cmd.exe	teles.sfx.exe
PID 2776 wrote to memory of 2764	2776	cmd.exe	teles.sfx.exe
PID 2776 wrote to memory of 2764	2776	cmd.exe	teles.sfx.exe
PID 2764 wrote to memory of 2724	2764	teles.sfx.exe	teles.exe
PID 2764 wrote to memory of 2724	2764	teles.sfx.exe	teles.exe
PID 2764 wrote to memory of 2724	2764	teles.sfx.exe	teles.exe
PID 2764 wrote to memory of 2724	2764	teles.sfx.exe	teles.exe

C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ad45efb4c6a213a85fe847dc228fcbe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
4⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
teles.sfx.exe -p9898 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\164E.tmp\164F.tmp\1650.bat
Filesize
130B

MD5
78cf128c2c0b024aa9075d038f32c0f9

SHA1
ea941836117cb9f6d87a010806bbd5df58bd938a

SHA256
bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e

SHA512
d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
Filesize
29B

MD5
7b3bcb606d504b0f4a6c1d94720aa979

SHA1
2e426175d2bc245d3946e2ba06092b8b969f13c1

SHA256
3a957ef77d0f1530721fb6bc305e39d1d1dee2db46008e710eeac2f9a2697929

SHA512
5d433ce3621b6039505186d47f29f8f27c5c53ee7eec9e5afaac6916b1d8d9a1af86d6cca3b2387cea012d211254516cabe9002e9ea17f1612890b2b5187af7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\teles.sfx.exe
Filesize
420KB

MD5
cb80b60fe4975dbbbb97bfd2de56bb1e

SHA1
b4c05c7999a3f3c12e6275b22a553401ac06caeb

SHA256
3bc56bcce1ba72e27832f83f4ce713577e8108db41ffc2e27a33d2e7fb9e41df

SHA512
80b811d5c05b07f3681883cd54a31dc18edf4abfc83a33c7fbf18a1cf3fc100e5d525b67f4c62de835de21791599c0e382b365a11badbfb383835cf814c07f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\teles.exe
Filesize
203KB

MD5
a2d1b1113d184205eed4835bf0cb06c6

SHA1
1b5775e187665f7c9131aee29c0daa4c3de43eb7

SHA256
fa82a26a7fcd1cd76fb893725f93aeaf878f033cbeda11f9d887972a36741e01

SHA512
182ba9d014e8434e5ea4154fd85239b768b7d126c8af4ed15c395bf40194e1df2eddba9ca9e4d753efdf7907d19388a2e974a5149838bae8112276c6632703e4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\telescrap.exe
Filesize
121KB

MD5
b4f5373a0c13a6b4598c8ed404a6bdae

SHA1
4a5cd535c4057acd1b7ed901d59ec6b2e76db6c9

SHA256
5aefc2e98446c1204ae1d6dfa5136488e3a1ef96ec62f3df1d8d0db68e9ea061

SHA512
29564e027aed141647660082ee12b56ecb43c9e3ac3785c7ff6f86a1a9f22aab2bc88a863f008b76856d5d17c0ebe89d6d34d332de96d7fba7ab13cf17df6d2d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads