nanocore | 505d76702345bc95a07e30c9d7c57bb700e98124141d14b336e8d5c5e3e5c296 | Triage

Sharing

General

Target

934076e8eda59f04b18db8f262e885e0_JaffaCakes118
Size

763KB
Sample

240604-bnmcfaga9s
MD5

934076e8eda59f04b18db8f262e885e0
SHA1

deca51a91858374cce04f74bc503b33191143e2a
SHA256

505d76702345bc95a07e30c9d7c57bb700e98124141d14b336e8d5c5e3e5c296
SHA512

607447498f955e5217f5cf5d8b09635424ab5f212f4d1d72246048905df9744386befb39c5ed45e6a59de0de6a7758cf160df15286e48b86654c8024df0f41fe
SSDEEP

12288:xKpGbhBR/pzr9zlGdp+hqsFMY0HbAqbIopgfPNZhGWNJDypWy33HcAnmPv6YYUud:9bht1zlGfDsmY0kqUfUcD4j3HnmPiNU4

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cboss33.hopto.org:4722

Mutex

f934e45a-6528-4b96-bd96-79fd13c4fe12

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2018-07-05T13:16:32.309254436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
4722
default_group
Dollar
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f934e45a-6528-4b96-bd96-79fd13c4fe12
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cboss33.hopto.org
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  holf.exe
- Size
  
  884KB
- MD5
  
  912d6c88f475bb275629201d52ae0ae6
- SHA1
  
  3e64f86e98787997c98b98039bb491fa613e79cc
- SHA256
  
  6b8e10fb6b6aa647c8c0ba181184d950e9f47ca6753213fc96b1b3ec18409f93
- SHA512
  
  c8362c522e556166cc018800f721c8c4c3067d51209063f91424fbaf249b36441fc69e2556ee9b94cb7c0a6eee82d51b6105c3fa1a8148a98446e1a7e368d254
- SSDEEP
  
  24576:rmoO8itEqfZng7cw8lSQzuQM9saXICbmyX97i:qvZScwKSQzrM9ZzfN7i
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan