nanocore | 672316bdeef6fa3c30828452e67394ce0b6e160e51e70a1c97f40db377c8aac0

General

Target

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
Size

1.4MB
MD5

820f6dd9860bebd89fd0374f70e436be
SHA1

1b75b8179f090063902b13281543c1367fef4081
SHA256

672316bdeef6fa3c30828452e67394ce0b6e160e51e70a1c97f40db377c8aac0
SHA512

f4c5e07ae0e027df7f6bd16a9d68768bfd45515a91cbe0d0ca5eb81435bd25205a592ef3984790223f8ce52f0985f040fde216d7e315201bfa7743d7de023388
SSDEEP

6144:rgLcb/d7rFFjZsvsZHV/jmVx4Z9zvmQVOelREPXvg+/oFyLaiQOKDaM:Uadf2UZHV/jmavBXsIy+dOW

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cashout.exe.lnk	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	pid	process	target process
PID 3608 set thread context of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2576 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\grace\cashout.exe:Zone.Identifier cmd.exe

pid	process
2576	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\grace\cashout.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

pid	process
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
4040	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
4040	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
4040	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

pid process

4040 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

pid	process
4040	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
Token: SeDebugPrivilege	4040	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 3608 wrote to memory of 2380	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 2380	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 2380	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 2380 wrote to memory of 2952	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2952	2380	cmd.exe	reg.exe
PID 2380 wrote to memory of 2952	2380	cmd.exe	reg.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4040	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
PID 3608 wrote to memory of 4856	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 4856	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 4856	3608	820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe	cmd.exe
PID 4856 wrote to memory of 2576	4856	cmd.exe	timeout.exe
PID 4856 wrote to memory of 2576	4856	cmd.exe	timeout.exe
PID 4856 wrote to memory of 2576	4856	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\grace\cashout.exe.lnk" /f
3⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\grace\cashout.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\grace\cashout.exe
Filesize
1.4MB

MD5
820f6dd9860bebd89fd0374f70e436be

SHA1
1b75b8179f090063902b13281543c1367fef4081

SHA256
672316bdeef6fa3c30828452e67394ce0b6e160e51e70a1c97f40db377c8aac0

SHA512
f4c5e07ae0e027df7f6bd16a9d68768bfd45515a91cbe0d0ca5eb81435bd25205a592ef3984790223f8ce52f0985f040fde216d7e315201bfa7743d7de023388

Download Submit
C:\Users\Admin\AppData\Roaming\grace\cashout.exe.bat
Filesize
202B

MD5
d592662cb38e0e99d15afe9115097779

SHA1
8544f5f0854f4c0eafcf4c1396b13f7f81682b9f

SHA256
8960caea9115579f3b9706cfe72b898622348fc95490943424e9040dc98412e8

SHA512
67809225b002a68cc0514f6fc17b1bccdf1fccc213b9c89f6c8cb9793522f489a9c7be2c322b676541ccda76b8811ef078cdc7b33e0b62ea47430f0c8a2f16c7

Download Submit
memory/3608-0-0x0000000075092000-0x0000000075093000-memory.dmp

Filesize
4KB

Download
memory/3608-1-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3608-2-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/3608-23-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-13-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-14-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-17-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-21-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-24-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download
memory/4040-25-0x0000000075090000-0x0000000075641000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads