nanocore | 7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8

General

Target

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Size

435KB
MD5

9ece6610ad20b25f1c5a5999955cb6bb
SHA1

26e72d838429bf53cb2a243b530cbbdb9be8daeb
SHA256

7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8
SHA512

c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52
SSDEEP

12288:84aHAKjIQU74u7mpZIVA8FOsFbPP/czodI75Dj:wctbmnUFO2bPP/E4

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvchostReader.rbvqrmug.lnk	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

SvchostReader.exeSvchostReader.exe

pid process

1288 SvchostReader.exe
4276 SvchostReader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SvchostReader.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	SvchostReader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SvchostReader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SvchostReader.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SvchostReader.exe

description pid process target process

PID 1288 set thread context of 4276 1288 SvchostReader.exe SvchostReader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SvchostReader.exe

description	pid	process	target process
PID 1288 set thread context of 4276	1288	SvchostReader.exe	SvchostReader.exe

Drops file in Program Files directory 2 IoCs

Processes:

SvchostReader.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	SvchostReader.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	SvchostReader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SvchostReader.exeSvchostReader.exe

pid	process
1288	SvchostReader.exe
1288	SvchostReader.exe
1288	SvchostReader.exe
1288	SvchostReader.exe
4276	SvchostReader.exe
4276	SvchostReader.exe
4276	SvchostReader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SvchostReader.exe

pid process

4276 SvchostReader.exe

pid	process
4276	SvchostReader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exeSvchostReader.exeSvchostReader.exe

description	pid	process
Token: SeDebugPrivilege	1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Token: SeDebugPrivilege	1288	SvchostReader.exe
Token: SeDebugPrivilege	4276	SvchostReader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid process

1800 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid process

1800 9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid	process
1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

pid	process
1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exeSvchostReader.exe

description	pid	process	target process
PID 1800 wrote to memory of 1288	1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 1800 wrote to memory of 1288	1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 1800 wrote to memory of 1288	1800	9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe
PID 1288 wrote to memory of 4276	1288	SvchostReader.exe	SvchostReader.exe

C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ece6610ad20b25f1c5a5999955cb6bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\SvchostReader.exe
"C:\Users\Admin\AppData\Local\SvchostReader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\SvchostReader.exe
"C:\Users\Admin\AppData\Local\SvchostReader.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SvchostReader.exe
Filesize
435KB

MD5
9ece6610ad20b25f1c5a5999955cb6bb

SHA1
26e72d838429bf53cb2a243b530cbbdb9be8daeb

SHA256
7d5ad8b2e3ce5e0f16be74228bbbeb8fbc8563c68bda098148c19874361385c8

SHA512
c9428e7aba4c410b4068729b4a08bdb5462fbf465acab9a28abf5fbe0b8020a727a4d63646c060ee435270c42545166e1f443bcfb05339b619f2f99165572c52

Download Submit
memory/1288-24-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-17-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-29-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-23-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-19-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-18-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-2-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-1-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-5-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-22-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/1800-4-0x0000000075122000-0x0000000075123000-memory.dmp

Filesize
4KB

Download
memory/1800-0-0x0000000075122000-0x0000000075123000-memory.dmp

Filesize
4KB

Download
memory/1800-3-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/4276-26-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/4276-27-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download
memory/4276-32-0x0000000075120000-0x00000000756D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads