nanocore | 12a061b82ef5bc4becaee8f9069db0375fb461302107dd4d53dc85522df8c8e8

General

Target

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Size

376KB
MD5

b3cfebdcb947eb0e4535ae55139ed7f7
SHA1

2a9dd3df89ee7fb877023a611471648bcf3c847b
SHA256

12a061b82ef5bc4becaee8f9069db0375fb461302107dd4d53dc85522df8c8e8
SHA512

a8fae75285688c25511daf21f12e623477de7ceec01969492c9d9a271611441c5498e82d72bb51a97d225748fe0c9e5fec6dc022ebfefdcfe33b2a5a5a4aca3d
SSDEEP

6144:Ri5VGE1WVdpej+0qqPnuVUMqmPsxYUeV01gBZzLhGbv2VTBP0wxEOS1:RqJQXwSyv6UuYYFVdXzEr23PPxEd

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

C2

customcheats.ddns.net:9033

Mutex

87faf343-d286-4cbf-ade2-da359eeccc75

Attributes

activate_away_mode
false
backup_connection_host
customcheats.ddns.net
backup_dns_server
buffer_size
65535
build_time
2015-04-18T23:20:32.207091936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
Team Speak 3
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
87faf343-d286-4cbf-ade2-da359eeccc75
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
customcheats.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exereg.exeb3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys-win32 = "C:\\Users\\Admin\\Documents\\Jvtiucby.exe"	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys-win32 = "C:\\Users\\Admin\\Documents\\Jvtiucby.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process	target process
PID 380 set thread context of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1340 schtasks.exe
1524 schtasks.exe

pid	process
1340	schtasks.exe
1524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
Token: SeDebugPrivilege	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.execsc.execmd.exeb3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe

description	pid	process	target process
PID 380 wrote to memory of 4936	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 380 wrote to memory of 4936	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 380 wrote to memory of 4936	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	csc.exe
PID 4936 wrote to memory of 4296	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 4296	4936	csc.exe	cvtres.exe
PID 4936 wrote to memory of 4296	4936	csc.exe	cvtres.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 3236	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
PID 380 wrote to memory of 2140	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 380 wrote to memory of 2140	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 380 wrote to memory of 2140	380	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	cmd.exe
PID 2140 wrote to memory of 532	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 532	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 532	2140	cmd.exe	reg.exe
PID 3236 wrote to memory of 1340	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 3236 wrote to memory of 1340	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 3236 wrote to memory of 1340	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 3236 wrote to memory of 1524	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 3236 wrote to memory of 1524	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe
PID 3236 wrote to memory of 1524	3236	b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\saxynhyy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9BF.tmp"
3⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3cfebdcb947eb0e4535ae55139ed7f7_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp"
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp122C.tmp"
3⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys-win32" /t REG_SZ /d "C:\Users\Admin\Documents\Jvtiucby.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "sys-win32" /t REG_SZ /d "C:\Users\Admin\Documents\Jvtiucby.exe
3⤵
- Adds Run key to start application
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9C0.tmp
Filesize
1KB

MD5
e972dee36cb45b6d909b8b7f610b53f2

SHA1
06fb7f5bb454522688c0b03f4dc5c84a569b5b67

SHA256
41f53976a7e671bc3a33b988d4818d91b70ba07aced4c76b5968a67e155a2557

SHA512
013912317416439edd34b5991be772b6d256cfbe1cfdbb0df41019c50032ea824c43452599f0ced88254a51ada21e356aa096ff65a8557c80413503596dc9ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\saxynhyy.dll
Filesize
336KB

MD5
655794ea5757b5de139ec1e6b4a52ff8

SHA1
47522834b92686ce49eabc9d7f46bc7dd9017168

SHA256
22782ac885f35cffdbee970b13848edc1ea6ba6c6fec5842e59f5f185d43fc90

SHA512
090226e28565ad9164e6f9026e62f48bebbe486349d3247d3dd4e45dee175cc959b14be830cad3a11da8a22ff2f1dba8e2c19f538d1d117eda8719d2a75fe312

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp
Filesize
1KB

MD5
42bc0023717e491e02198d0e8623120b

SHA1
dccfa7ee27ec1bcbab72caf9797cdf8573044b5a

SHA256
d5c63bc7fb2c21004ca5abcbfaf9082e5d03897835a0a8b4367f783d370d9b87

SHA512
911fafa162da9b984d075817bb0e00be6369839a260851bcea16b6b615145390558c9635c2f38b64a9ac9503c59fd6beb7b12c35c578173381c2d75299568e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp122C.tmp
Filesize
1KB

MD5
0339b45ef206f4becc88be0d65e24b9e

SHA1
6503a1851f4ccd8c80a31f96bd7ae40d962c9fad

SHA256
3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83

SHA512
c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9BF.tmp
Filesize
652B

MD5
1161ad963640292238f67a27844e4a7c

SHA1
70743adfacd3bb2cbf0f1f7df460dd4c785838bd

SHA256
d536620bb4a130b27b8810cc631b5878ffec8b32029c5ab031d9acc1ec275578

SHA512
6d2991758936f5075496a555663f57099ef8723ee360c7ff78dd9346a1b2975a117de3f16024a7b3c5ae966105d1b84a581b646f4e2a110440cf0b919750c493

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\saxynhyy.cmdline
Filesize
195B

MD5
5ba5431548d75afa20217cff80f6af7c

SHA1
22c571966e3b9046a989d2240af9024939489b5d

SHA256
242a586b88404e8a3ba3d652f9943be34d5ba19324266cd5c2d311330f0cc4c8

SHA512
a254dc152ff314150a28ec567e8c4b3fb2e2bbcb5cce53532556adc83c497acf4719d4065540e6140eebfbe83bc2855711cc847c172100e7b3aac3334d558ad6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmp589.tmp.txt
Filesize
161KB

MD5
6d6a9c939c4fbd3a0a5acf50fddd698a

SHA1
f939adfd1bf55acaa78183ce6a1a564038c1bf18

SHA256
43f3e409c96f4bc9da682ea2aad22d9b6620801be756bbca9c21461334e9f08b

SHA512
a29879fa44e672243fc87f3c85c304a50e5b295279b93ea746db3be1212f621657d50ca4bbb1c648190ebc073d106fb63ec9ffc991073333d6d98a90533f66e7

Download Submit
memory/380-39-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/380-38-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/380-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/380-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/380-37-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/380-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3236-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3236-29-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3236-28-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/3236-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3236-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3236-40-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4936-20-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4936-13-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads