nanocore | 2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e

General

Target

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Size

2.2MB
MD5

8d049a60a5d45859ef538f4ffd8f5a63
SHA1

24e38f415f188dbcd8565eb2f2ea04cd5543e3bb
SHA256

2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e
SHA512

3023dfba4e816bb3fa2707db8f588b7e92d08f70d750234d5c719c9046f027ada5c94fa490b84911e874fc4061b60616c61281d7f2907ed76e716ac6cb891900
SSDEEP

49152:zNfdKKoEuMIc/D8MTfVr68c9hGo6v1EMc:zNfdKsnI4dPYn6v1E

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

gamercore.exilionps.com:5604

127.0.0.1:5604

Mutex

436cdb80-4f2d-4ccc-b631-8fd76c11acd4

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2016-12-30T20:18:56.661488536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
3000
connection_port
5604
default_group
RektEm
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
436cdb80-4f2d-4ccc-b631-8fd76c11acd4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gamercore.exilionps.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

REG.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	REG.exe

Disables Task Manager via registry modification
evasion

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

securenet.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	securenet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "svchost.exe"	securenet.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

securenet.exesecurenet.exe

pid process

2328 securenet.exe
2128 securenet.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

securenet.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA securenet.exe

pid	process
2328	securenet.exe
2128	securenet.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	securenet.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exesecurenet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	securenet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	securenet.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

securenet.exe

description pid process target process

PID 2328 set thread context of 2128 2328 securenet.exe securenet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5032 schtasks.exe

description	pid	process	target process
PID 2328 set thread context of 2128	2328	securenet.exe	securenet.exe

pid	process
5032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

pid	process
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

securenet.exe

pid process

2128 securenet.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

securenet.exe

pid process

2328 securenet.exe

pid	process
2128	securenet.exe

pid	process
2328	securenet.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exesecurenet.exesecurenet.exe

description	pid	process
Token: SeDebugPrivilege	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Token: SeDebugPrivilege	2328	securenet.exe
Token: SeDebugPrivilege	2128	securenet.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.execmd.exesecurenet.exe

description	pid	process	target process
PID 2812 wrote to memory of 4820	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 4820	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 4820	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 5032	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 5032	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 5032	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 2812 wrote to memory of 184	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 2812 wrote to memory of 184	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 2812 wrote to memory of 184	2812	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 184 wrote to memory of 2328	184	cmd.exe	securenet.exe
PID 184 wrote to memory of 2328	184	cmd.exe	securenet.exe
PID 184 wrote to memory of 2328	184	cmd.exe	securenet.exe
PID 2328 wrote to memory of 2128	2328	securenet.exe	securenet.exe
PID 2328 wrote to memory of 2128	2328	securenet.exe	securenet.exe
PID 2328 wrote to memory of 2128	2328	securenet.exe	securenet.exe
PID 2328 wrote to memory of 2128	2328	securenet.exe	securenet.exe
PID 2328 wrote to memory of 5076	2328	securenet.exe	REG.exe
PID 2328 wrote to memory of 5076	2328	securenet.exe	REG.exe
PID 2328 wrote to memory of 5076	2328	securenet.exe	REG.exe
PID 2328 wrote to memory of 396	2328	securenet.exe	REG.exe
PID 2328 wrote to memory of 396	2328	securenet.exe	REG.exe
PID 2328 wrote to memory of 396	2328	securenet.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /F
2⤵
PID:4820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /XML "C:\Users\Admin\AppData\Local\Temp\tmp956167654.tmp"
2⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\securenet.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Users\Admin\AppData\Roaming\securenet.exe
C:\Users\Admin\AppData\Roaming\securenet.exe
3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Roaming\securenet.exe
C:\Users\Admin\AppData\Roaming\securenet.exe
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\REG.exe
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:5076

C:\Windows\SysWOW64\REG.exe
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
4⤵
- Disables RegEdit via registry modification
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp956167654.tmp
Filesize
1KB

MD5
07ec61b689f582e26ca8ef86dc163880

SHA1
0405ad32bda37ecca243aae6d93680cb15325a6f

SHA256
1c2b7e918366bddb9379b9afdd2f5ac5ed91c007e5de1f86205cd80df63d3693

SHA512
e8652a613075e1db6c1c68a98853d07c8e5d0e4ebd0f063f4123feff6cd60c6583cef36c0d76358ad5afdfd9bcc93bd849d7c33b84f4a408b3e36a40b84deeb9

Download Submit
C:\Users\Admin\AppData\Roaming\securenet.exe
Filesize
2.2MB

MD5
c8e549c5318134902fa7fa00bd756328

SHA1
337fbc3c1567161534b7867ac106b372e7213155

SHA256
7de9a099fb58bd2b2e796d0a70897ecfb76cfd034220e2b2f1269d6ce7db4506

SHA512
51b5763d9238523f1e4996848160daf8e9e8729f4e84cc148a2f6d0da448a8b72a51433fade01024f97efb7aec52eddeaf8424bf3e2ccecf5cdf3b2897781108

Download Submit
memory/2128-24-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2328-21-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-23-0x0000000005290000-0x0000000005293000-memory.dmp

Filesize
12KB

Download
memory/2328-30-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-28-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-20-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2328-19-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-15-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-3-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-0-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/2812-4-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/2812-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-6-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-5-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads