nanocore | 12a061b82ef5bc4becaee8f9069db0375fb461302107dd4d53dc85522df8c8e8

General

Target

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Size

376KB
MD5

b3cfebdcb947eb0e4535ae55139ed7f7
SHA1

2a9dd3df89ee7fb877023a611471648bcf3c847b
SHA256

12a061b82ef5bc4becaee8f9069db0375fb461302107dd4d53dc85522df8c8e8
SHA512

a8fae75285688c25511daf21f12e623477de7ceec01969492c9d9a271611441c5498e82d72bb51a97d225748fe0c9e5fec6dc022ebfefdcfe33b2a5a5a4aca3d
SSDEEP

6144:Ri5VGE1WVdpej+0qqPnuVUMqmPsxYUeV01gBZzLhGbv2VTBP0wxEOS1:RqJQXwSyv6UuYYFVdXzEr23PPxEd

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

C2

customcheats.ddns.net:9033

Mutex

87faf343-d286-4cbf-ade2-da359eeccc75

Attributes

activate_away_mode
false
backup_connection_host
customcheats.ddns.net
backup_dns_server
buffer_size
65535
build_time
2015-04-18T23:20:32.207091936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
Team Speak 3
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
87faf343-d286-4cbf-ade2-da359eeccc75
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
customcheats.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exereg.exeb3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys-win32 = "C:\\Users\\Admin\\Documents\\husLtxWv.exe"	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys-win32 = "C:\\Users\\Admin\\Documents\\husLtxWv.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process	target process
PID 2972 set thread context of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1920 schtasks.exe
2788 schtasks.exe

pid	process
1920	schtasks.exe
2788	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Token: SeDebugPrivilege	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.execsc.execmd.exeb3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process	target process
PID 2972 wrote to memory of 2520	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 2972 wrote to memory of 2520	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 2972 wrote to memory of 2520	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 2972 wrote to memory of 2520	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 2520 wrote to memory of 2720	2520	csc.exe	cvtres.exe
PID 2520 wrote to memory of 2720	2520	csc.exe	cvtres.exe
PID 2520 wrote to memory of 2720	2520	csc.exe	cvtres.exe
PID 2520 wrote to memory of 2720	2520	csc.exe	cvtres.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2436	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 2972 wrote to memory of 2904	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2904	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2904	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 2972 wrote to memory of 2904	2972	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 2904 wrote to memory of 1932	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 1932	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 1932	2904	cmd.exe	reg.exe
PID 2904 wrote to memory of 1932	2904	cmd.exe	reg.exe
PID 2436 wrote to memory of 1920	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 1920	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 1920	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 1920	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 2788	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 2788	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 2788	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 2436 wrote to memory of 2788	2436	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ihgmqhbb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC147A.tmp"
3⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1738.tmp"
3⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp"
3⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys-win32" /t REG_SZ /d "C:\Users\Admin\Documents\husLtxWv.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys-win32" /t REG_SZ /d "C:\Users\Admin\Documents\husLtxWv.exe
3⤵
- Adds Run key to start application
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES148B.tmp
Filesize
1KB

MD5
eb42624af69f3e061f67ce53c3cef773

SHA1
5e9d30e464c67758d97c198126bad2c51f62c260

SHA256
0420e360c0b714a0e410017cd0ace4d2bc734b9561dc58587cca16f724b47876

SHA512
54f2a5ba42fd45e81c8cd903f12737dccfc31b0a07c86172d9d6a2e09863276a6a9c8ad252cd5832844d19e6cddee101a14852218ded6906558a9037f09b2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihgmqhbb.dll
Filesize
336KB

MD5
ee1d677c5edf5c691d55f6521765688e

SHA1
6f01f9f6d17b4f131bd1b0a15d8d9837574ac895

SHA256
fa3916ff5db2556c053d8f4d3919612c64e147a0fa9742c85a4c3aca4721398e

SHA512
579755361eb760a5d05ea7b6004f656e5ec6456e5ba5e48c525e307ff25034a1fc97a27c79a8dae0ee312b83a6905c0f5dac97959d80a91f713b951f1539f582

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1738.tmp
Filesize
1KB

MD5
42bc0023717e491e02198d0e8623120b

SHA1
dccfa7ee27ec1bcbab72caf9797cdf8573044b5a

SHA256
d5c63bc7fb2c21004ca5abcbfaf9082e5d03897835a0a8b4367f783d370d9b87

SHA512
911fafa162da9b984d075817bb0e00be6369839a260851bcea16b6b615145390558c9635c2f38b64a9ac9503c59fd6beb7b12c35c578173381c2d75299568e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp
Filesize
1KB

MD5
0479d5f304ef2d7e3c15fb24a99f88c1

SHA1
8edbb1450a656fac5f5e96779ffe440ee8c1aec9

SHA256
112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc

SHA512
537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC147A.tmp
Filesize
652B

MD5
1322f7993537e544b4d20bc42b6cc184

SHA1
216fb57a1a49c36e30aab082b4a10b5976436bd8

SHA256
ad84d36ef3d5424bedce7e7f4e71945bb77192529e7b21655b17629c6004664c

SHA512
418697e21ffce5fe64247208153448550412f72e4f51a5f3850b2a5a03bc3fdff15a7abb0c96e9ae3422c6d4e9dd28d17b2adf4be6f52aaf480b64aad0405d80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ihgmqhbb.cmdline
Filesize
196B

MD5
4d88bf5dc3bd1a8fc5153a1d9f7bf406

SHA1
a170e9c988483e3e26f709907a002339092841ef

SHA256
5493cbda6b711c0ac322ae280d567d5aab33333ced74de9dafe42f64f010677d

SHA512
c068b30c1e24e887f1a6bc542998fe1ed694f9d8983a14ae0784c7de7f2700c0461c206524efb59c3fcdce39999cbba033d500229eb2baa36f4af814dbcbb5c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp13F2.tmp.txt
Filesize
161KB

MD5
6d6a9c939c4fbd3a0a5acf50fddd698a

SHA1
f939adfd1bf55acaa78183ce6a1a564038c1bf18

SHA256
43f3e409c96f4bc9da682ea2aad22d9b6620801be756bbca9c21461334e9f08b

SHA512
a29879fa44e672243fc87f3c85c304a50e5b295279b93ea746db3be1212f621657d50ca4bbb1c648190ebc073d106fb63ec9ffc991073333d6d98a90533f66e7

Download Submit
memory/2436-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2436-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-62-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-53-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2520-28-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-32-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2972-61-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads