nanocore | 0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd

General

Target

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Size

397KB
MD5

97cf08e91c6787be06aa7c2dcc36c9af
SHA1

2693040c6aad636f276de00a9695d7ab610b9a0e
SHA256

0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd
SHA512

c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e
SSDEEP

6144:mZCtBX0jFes6qpbXwmiWW22ZMEo0ZDoW+BkBAeBx3sHif/sTLIT2I:GCtk6mDWieoeBqaaLIa

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

hoanghuyen1527.ddns.net:15279

194.5.97.100:15279

Mutex

f9d63243-7316-4460-bfb3-00887204a706

Attributes

activate_away_mode
true
backup_connection_host
194.5.97.100
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-10T18:16:19.508345736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
15279
default_group
Host
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f9d63243-7316-4460-bfb3-00887204a706
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hoanghuyen1527.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

400 svhost.exe

pid	process
400	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

svhost.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

description pid process target process

PID 5000 set thread context of 400 5000 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe svhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svhost.exe

description	pid	process	target process
PID 5000 set thread context of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

svhost.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	svhost.exe
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1936 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier cmd.exe

pid	process
1936	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exesvhost.exe

pid	process
5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
400	svhost.exe
400	svhost.exe
400	svhost.exe
5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svhost.exe

pid process

400 svhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exesvhost.exe

description pid process

Token: SeDebugPrivilege 5000 97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Token: SeDebugPrivilege 400 svhost.exe

pid	process
400	svhost.exe

description	pid	process
Token: SeDebugPrivilege	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
Token: SeDebugPrivilege	400	svhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 400	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	svhost.exe
PID 5000 wrote to memory of 3480	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 3480	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 3480	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4064	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4064	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4064	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4336	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4336	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 4336	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 1032	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 1032	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 5000 wrote to memory of 1032	5000	97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe	cmd.exe
PID 1032 wrote to memory of 1936	1032	cmd.exe	timeout.exe
PID 1032 wrote to memory of 1936	1032	cmd.exe	timeout.exe
PID 1032 wrote to memory of 1936	1032	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/97cf08e91c6787be06aa7c2dcc36c9af_JaffaCakes118.exe" "%appdata%\FolderN\name.exe" /Y
2⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\FolderN\name.exe:Zone.Identifier
2⤵
- NTFS ADS
PID:4064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\FolderN\name.exe.jpg" name.exe
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe
Filesize
397KB

MD5
97cf08e91c6787be06aa7c2dcc36c9af

SHA1
2693040c6aad636f276de00a9695d7ab610b9a0e

SHA256
0e7f94ab4570af441d76c77300a7de21812222c2411086ef709ba35f0dd438cd

SHA512
c8efee2366222683a87536c83b59ee0e4bbec63913b2c2ddb107de10cd573c7cb1a046d08dfcb971cb8e61d09a2c0cd6799911b7a003f85cd966ae4f10653b4e

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
Filesize
201B

MD5
9d9b7b166f447b4f638f68f01373b335

SHA1
a112a069f5f149d325a2e4dbf38f0e89db8247d8

SHA256
7ccae4d2b1dabe635738495e89df4787e113dd99227360b4b10f57b068b6f42d

SHA512
7267fd2257607c9133220c46aeb7c2b7ecfbd8b3bc5b599c2ec085e2e887447062a9a8184087254574bda448e118a92d09f7259518a51a3f039e8ea775864a48

Download Submit
memory/400-13-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/400-19-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/400-32-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/400-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/400-10-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/400-11-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/400-12-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/400-31-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/400-14-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/400-22-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/400-20-0x0000000005840000-0x000000000585E000-memory.dmp

Filesize
120KB

Download
memory/5000-2-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/5000-4-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-1-0x0000000000920000-0x000000000098A000-memory.dmp

Filesize
424KB

Download
memory/5000-30-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/5000-3-0x00000000052A0000-0x00000000052DA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads