nanocore | 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd

General

Target

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Size

397KB
MD5

97cf08e91c6787be06aa7c2dcc36c9af
SHA1

2693040c6aad636f276de00a9695d7ab610b9a0e
SHA256

0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
SHA512

c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e
SSDEEP

6144:mZCtBX0jFes6qpbXwmiWW22ZMEo0ZDoW+BkBAeBx3sHif/sTLIT2I:GCtk6mDWieoeBqaaLIa

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

hoanghuyen1527.ddns.net:15279

194.5.97.100:15279

Mutex

f9d63243-7316-4460-bfb3-00887204a706

Attributes

activate_away_mode
true
backup_connection_host
194.5.97.100
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-10T18:16:19.508345736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
15279
default_group
Host
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f9d63243-7316-4460-bfb3-00887204a706
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hoanghuyen1527.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2580 svhost.exe

pid	process
2580	svhost.exe

Loads dropped DLL 3 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

pid	process
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

svhost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

description pid process target process

PID 2208 set thread context of 2580 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe svhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svhost.exe

description	pid	process	target process
PID 2208 set thread context of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

svhost.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Service\ddpsv.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\DDP Service\ddpsv.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1276 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
1276	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exesvhost.exe

pid	process
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
2580	svhost.exe
2580	svhost.exe
2580	svhost.exe
2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svhost.exe

pid process

2580 svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exesvhost.exe

description pid process

Token: SeDebugPrivilege 2208 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Token: SeDebugPrivilege 2580 svhost.exe

pid	process
2580	svhost.exe

description	pid	process
Token: SeDebugPrivilege	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Token: SeDebugPrivilege	2580	svhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2580	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 2208 wrote to memory of 2408	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2408	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2408	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2408	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2740	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2740	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2740	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2740	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 1804	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 1804	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 1804	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 1804	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2472	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2472	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2472	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2472	2208	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 2472 wrote to memory of 1276	2472	cmd.exe	timeout.exe
PID 2472 wrote to memory of 1276	2472	cmd.exe	timeout.exe
PID 2472 wrote to memory of 1276	2472	cmd.exe	timeout.exe
PID 2472 wrote to memory of 1276	2472	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe" "%appdata%\FolderN\name.exe" /Y
2⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\name.exe:Zone.Identifier
2⤵
- NTFS ADS
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\FolderN\name.exe.jpg" name.exe
2⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderN\name.exe
Filesize
397KB

MD5
97cf08e91c6787be06aa7c2dcc36c9af

SHA1
2693040c6aad636f276de00a9695d7ab610b9a0e

SHA256
0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd

SHA512
c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
Filesize
201B

MD5
9d9b7b166f447b4f638f68f01373b335

SHA1
a112a069f5f149d325a2e4dbf38f0e89db8247d8

SHA256
7ccae4d2b1dabe635738495e89df4787e113dd99227360b4b10f57b068b6f42d

SHA512
7267fd2257607c9133220c46aeb7c2b7ecfbd8b3bc5b599c2ec085e2e887447062a9a8184087254574bda448e118a92d09f7259518a51a3f039e8ea775864a48

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/2208-1-0x0000000001310000-0x000000000137A000-memory.dmp

Filesize
424KB

Download
memory/2208-2-0x0000000000380000-0x00000000003BA000-memory.dmp

Filesize
232KB

Download
memory/2208-3-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-0-0x000000007433E000-0x000000007433F000-memory.dmp

Filesize
4KB

Download
memory/2208-50-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-9-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-10-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-26-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-28-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-23-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-19-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-16-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-18-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-12-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-47-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2580-48-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/2580-49-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2580-14-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2580-51-0x0000000074330000-0x0000000074A1E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads