nanocore | 7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8

General

Target

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Size

435KB
MD5

9ece6610ad20b25f1c5a5999955cb6bb
SHA1

26e72d838429bf53cb2a243b530cbbdb9be8daeb
SHA256

7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
SHA512

c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
SSDEEP

12288:84aHAKjIQU74u7mpZIVA8FOsFbPP/czodI75Dj:wctbmnUFO2bPP/E4

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

branderhostx.bid:8821

127.0.0.1:8821

Mutex

23acac4f-e4b4-4039-89b3-6e6eea96dd29

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-08-06T18:36:45.745494436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8821
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
23acac4f-e4b4-4039-89b3-6e6eea96dd29
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
branderhostx.bid
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.dpceoihd.lnk	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

SvchostReader.exeSvchostReader.exe

pid process

2512 SvchostReader.exe
1928 SvchostReader.exe
Loads dropped DLL 2 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid process

2932 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
2932 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid	process
2512	SvchostReader.exe
1928	SvchostReader.exe

pid	process
2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SvchostReader.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	SvchostReader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SvchostReader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SvchostReader.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SvchostReader.exe

description pid process target process

PID 2512 set thread context of 1928 2512 SvchostReader.exe SvchostReader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SvchostReader.exe

description	pid	process	target process
PID 2512 set thread context of 1928	2512	SvchostReader.exe	SvchostReader.exe

Drops file in Program Files directory 2 IoCs

Processes:

SvchostReader.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	SvchostReader.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	SvchostReader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SvchostReader.exeSvchostReader.exe

pid process

2512 SvchostReader.exe
1928 SvchostReader.exe
1928 SvchostReader.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SvchostReader.exe

pid process

1928 SvchostReader.exe

pid	process
2512	SvchostReader.exe
1928	SvchostReader.exe
1928	SvchostReader.exe

pid	process
1928	SvchostReader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exeSvchostReader.exeSvchostReader.exe

description	pid	process
Token: SeDebugPrivilege	2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Token: SeDebugPrivilege	2512	SvchostReader.exe
Token: SeDebugPrivilege	1928	SvchostReader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid process

2932 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid process

2932 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid	process
2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid	process
2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exeSvchostReader.exe

description	pid	process	target process
PID 2932 wrote to memory of 2512	2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 2932 wrote to memory of 2512	2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 2932 wrote to memory of 2512	2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 2932 wrote to memory of 2512	2932	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe
PID 2512 wrote to memory of 1928	2512	SvchostReader.exe	SvchostReader.exe

C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\SvchostReader.exe
"C:\Users\Admin\AppData\Local\SvchostReader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\SvchostReader.exe
"C:\Users\Admin\AppData\Local\SvchostReader.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\SvchostReader.exe
Filesize
435KB

MD5
9ece6610ad20b25f1c5a5999955cb6bb

SHA1
26e72d838429bf53cb2a243b530cbbdb9be8daeb

SHA256
7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8

SHA512
c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52

Download Submit
memory/1928-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1928-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1928-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2512-18-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-27-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-12-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-13-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-14-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-3-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-17-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-4-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

Filesize
4KB

Download
memory/2932-2-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-1-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads