nanocore | 13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612

General

Target

b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
Size

484KB
MD5

b7bfbe5327957e4d9d3d6d8b224eab37
SHA1

49699c7aabb20f9a524a6e24a961cad666d74cb1
SHA256

13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612
SHA512

73cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b
SSDEEP

6144:TlchQntF4DYvKj5NwFZ5UNmL/CD42coG4c2tS6DvxbU:TKin0Ev9a8TCwo58qvxI

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

anyi.ddns.net:1991

Mutex

ef4f1edc-e607-491e-af8a-8e481f6d0505

Attributes

activate_away_mode
true
backup_connection_host
anyi.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-29T10:10:37.812211236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1991
default_group
EXCEL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ef4f1edc-e607-491e-af8a-8e481f6d0505
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
anyi.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

app.exeapp.exe

pid process

2524 app.exe
1864 app.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

3028 cmd.exe

pid	process
2524	app.exe
1864	app.exe

pid	process
3028	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

app.exeapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\app.exe -boot"	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	app.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

app.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA app.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 2524 set thread context of 1864 2524 app.exe app.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	app.exe

description	pid	process	target process
PID 2524 set thread context of 1864	2524	app.exe	app.exe

Drops file in Program Files directory 2 IoCs

Processes:

app.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	app.exe
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	app.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

108 schtasks.exe
856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

app.exe

pid process

1864 app.exe
1864 app.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

app.exe

pid process

1864 app.exe

pid	process
108	schtasks.exe
856	schtasks.exe

pid	process
1864	app.exe
1864	app.exe

pid	process
1864	app.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
Token: SeDebugPrivilege	2524	app.exe
Token: SeDebugPrivilege	1864	app.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.execmd.exeapp.exeapp.exe

description	pid	process	target process
PID 3016 wrote to memory of 2608	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 2608	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 2608	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 2608	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 3028	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 3028	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 3028	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3016 wrote to memory of 3028	3016	b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe	cmd.exe
PID 3028 wrote to memory of 2524	3028	cmd.exe	app.exe
PID 3028 wrote to memory of 2524	3028	cmd.exe	app.exe
PID 3028 wrote to memory of 2524	3028	cmd.exe	app.exe
PID 3028 wrote to memory of 2524	3028	cmd.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 2524 wrote to memory of 1864	2524	app.exe	app.exe
PID 1864 wrote to memory of 108	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 108	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 108	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 108	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 856	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 856	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 856	1864	app.exe	schtasks.exe
PID 1864 wrote to memory of 856	1864	app.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b7bfbe5327957e4d9d3d6d8b224eab37_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\app.exe"
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\app.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\app.exe
"C:\Users\Admin\AppData\Local\app.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\app.exe
"C:\Users\Admin\AppData\Local\app.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp"
5⤵
- Creates scheduled task(s)
PID:108

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp"
5⤵
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp
Filesize
1KB

MD5
db38cdeb3601508a120b6723d0a376ad

SHA1
72eefd94955dc045fc48a38cdec6635330fa6f6e

SHA256
3fcbc7c0f18bd41d5f3e82642c82b5418fd78567a65996bf9972ea055caaf5ad

SHA512
2082a6175e081ac5f89ebd30d0e94350b5d6ad0732124606651f41a22ddb203a2ceb704537da96c14012c2545cafb1d8cbfd671802c6daac3dd95cff2292b9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp652A.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
C:\Users\Admin\AppData\Local\app.exe
Filesize
484KB

MD5
b7bfbe5327957e4d9d3d6d8b224eab37

SHA1
49699c7aabb20f9a524a6e24a961cad666d74cb1

SHA256
13a09fcb282fa9b82b403819042280cb2b676260d0ea092899be06fe8fa69612

SHA512
73cbde5fa1bf2573fd49f378db352c45e509b38c67895a18bfd55ee695ed98dab5dee90b42ff1cdf502c57ba478cacebe4232d4898d5ec115666727b14bb594b

Download Submit
memory/1864-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1864-25-0x0000000000B30000-0x0000000000B4E000-memory.dmp

Filesize
120KB

Download
memory/1864-24-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1864-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1864-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2524-11-0x0000000001100000-0x0000000001182000-memory.dmp

Filesize
520KB

Download
memory/3016-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/3016-12-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-7-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-6-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/3016-2-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-1-0x0000000000DF0000-0x0000000000E72000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads