nanocore | 39fdf7cb955de78bb4c9e55ff269fd4dbdf8d5d38d540e2245f87cefb21fb91b

General

Target

94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
Size

1.8MB
MD5

94bdf1b1404a90c7563bee8143c37c40
SHA1

d00a543f39971f38f24b4fe6c92643cedeba2fa2
SHA256

39fdf7cb955de78bb4c9e55ff269fd4dbdf8d5d38d540e2245f87cefb21fb91b
SHA512

eaed717fae7552e8701f5d2e5289afe042863f2ed2eaf4f1d29de74185ea414cbea2f1d618f48a06fdb1abf1dec8f837c61ac305e299cbb956ae100ff8fbd164
SSDEEP

49152:rRTEexqIGEChCWAO8UK1I6neT4iGmrabygTp:rRTEeVVChCW2UK1IKdugT

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dns.kingspy.info:54984

127.0.0.1:54984

Mutex

c6b3af3c-732f-423f-ad11-734155201ae2

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2016-03-12T20:07:17.102579136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
hacce
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c6b3af3c-732f-423f-ad11-734155201ae2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dns.kingspy.info
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

hfehfMbZTQWMYLdDJUDMF.cmd

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\McWIOgXFKEieSHaZ.lnk	hfehfMbZTQWMYLdDJUDMF.cmd

Executes dropped EXE 2 IoCs

Processes:

clean.exehfehfMbZTQWMYLdDJUDMF.cmd

pid process

2684 clean.exe
2988 hfehfMbZTQWMYLdDJUDMF.cmd
Loads dropped DLL 1 IoCs

Processes:

clean.exe

pid process

2684 clean.exe

pid	process
2684	clean.exe
2988	hfehfMbZTQWMYLdDJUDMF.cmd

pid	process
2684	clean.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMN UPDATE FIRMWARE = "\"C:\\Users\\Admin\\AppData\\Roaming\\clean.exe\" .."	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMN UPDATE FIRMWARE = "\"C:\\Users\\Admin\\AppData\\Roaming\\clean.exe\" .."	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2180-2-0x000000001B330000-0x000000001B49E000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\clean.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hfehfMbZTQWMYLdDJUDMF.cmd

description pid process target process

PID 2988 set thread context of 2912 2988 hfehfMbZTQWMYLdDJUDMF.cmd RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

2912 RegAsm.exe
2912 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2912 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2912 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

clean.exe

pid process

2684 clean.exe
2684 clean.exe
2684 clean.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

clean.exe

pid process

2684 clean.exe
2684 clean.exe
2684 clean.exe

description	pid	process	target process
PID 2988 set thread context of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe

pid	process
2912	RegAsm.exe
2912	RegAsm.exe

pid	process
2912	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2912	RegAsm.exe

pid	process
2684	clean.exe
2684	clean.exe
2684	clean.exe

pid	process
2684	clean.exe
2684	clean.exe
2684	clean.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.execlean.exehfehfMbZTQWMYLdDJUDMF.cmd

description	pid	process	target process
PID 2180 wrote to memory of 2684	2180	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe	clean.exe
PID 2180 wrote to memory of 2684	2180	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe	clean.exe
PID 2180 wrote to memory of 2684	2180	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe	clean.exe
PID 2180 wrote to memory of 2684	2180	94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe	clean.exe
PID 2684 wrote to memory of 2988	2684	clean.exe	hfehfMbZTQWMYLdDJUDMF.cmd
PID 2684 wrote to memory of 2988	2684	clean.exe	hfehfMbZTQWMYLdDJUDMF.cmd
PID 2684 wrote to memory of 2988	2684	clean.exe	hfehfMbZTQWMYLdDJUDMF.cmd
PID 2684 wrote to memory of 2988	2684	clean.exe	hfehfMbZTQWMYLdDJUDMF.cmd
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe
PID 2988 wrote to memory of 2912	2988	hfehfMbZTQWMYLdDJUDMF.cmd	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\94bdf1b1404a90c7563bee8143c37c40_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Roaming\clean.exe
"C:\Users\Admin\AppData\Roaming\clean.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd
"C:\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd" "C:\Users\Admin\AppData\Roaming\XKIbMLEbRJHLYiIDZOh" "C:\Users\Admin\AppData\Roaming\clean.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- CmdLine Args
4⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\McWIOgXFKEie
Filesize
202KB

MD5
c4b9f734a0aac44489b548c510116773

SHA1
0eabf30b5be6975cc546397f5d6b400dfb6a8ce0

SHA256
63cea54653761b83f1daf5eb279239715917b99769f87cd13ebd2db1d708c57f

SHA512
34a3e80637a92d3714275a10fcf8d18d937ae863dc9f15e8ec38ec4d0a80f3dc0285fbf66c90032f36b4fe4c46b3b34eba705e6bd3609c2a0de5a8fe2fd6510e

Download Submit
C:\Users\Admin\AppData\Roaming\XKIbMLEbRJHLYiIDZOh
Filesize
57KB

MD5
de9ac2bdc7c41dd5bc2c2e0621e4b8ec

SHA1
63fe787dac9b6f8535e9d2465638c8a94f45b149

SHA256
1a4aa2d1c7e7376e94c8a86ad499970e45586a1cf0bebf2bf7d7fcece06a0d3d

SHA512
4212fe1c85e8e61117a8913dfd0227c833b4001c2695120833b21687afffb51f27e548d54fddbf75f408a4dd6ae1c5c41f1104ec03fcecb87f8fad99fd1b186f

Download Submit
C:\Users\Admin\AppData\Roaming\clean.exe
Filesize
1.4MB

MD5
c8df1d0d1d43a265198776ed45cab6ef

SHA1
d39ba7efb1f57dd315afcd0500a8f662e37d744d

SHA256
7f8ad4c1c330344e137e5d48683b1f1e63bd76d96361fb88a2598161181486db

SHA512
b14cfffee104a6faf3167bf5a1eb0d39f6a38e171bc59fc9b453ba2498fc80da0c0557104bc3e1b97aa7158a266eabd27b8924e4463b648f723ffc6cf2b360e0

Download Submit
\Users\Admin\AppData\Roaming\hfehfMbZTQWMYLdDJUDMF.cmd
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/2180-5-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-0-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp

Filesize
4KB

Download
memory/2180-10-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-11-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-3-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-2-0x000000001B330000-0x000000001B49E000-memory.dmp

Filesize
1.4MB

Download
memory/2180-1-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2912-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2912-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2912-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2912-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2912-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads