nanocore | 6e31d3c7f81d01c9c84a625addf6c20d8ceaeda797564021e8ffb0038a47bfda

General

Target

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
Size

1.3MB
MD5

2261fa3658c9ff2e8c6a47728303afda
SHA1

e9d2ead2ad2f69fe7354121213e6bac2759b7ebf
SHA256

6e31d3c7f81d01c9c84a625addf6c20d8ceaeda797564021e8ffb0038a47bfda
SHA512

592758f325777ab3459783efbfab44c517665892ffad2ff6fe3b18d51155847222954d68b69c898e18c228172d7b1ac89f7152e533a6718b922f6bfa91271329
SSDEEP

24576:2AHnh+eWsN3skA4RV1Hom2KXFmIaF9ClJTEMW5HLAUUeSWK/pLQQvZsTY5:Rh+ZkldoPK1Xavyi3OWOpLxq6

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ganif.ddns.net:9017

Mutex

eaacbb4e-3e02-49b6-9c26-484c86fcb9d5

Attributes

activate_away_mode
true
backup_connection_host
ganif.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-11-18T09:31:56.362203336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9017
default_group
Lifted
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
eaacbb4e-3e02-49b6-9c26-484c86fcb9d5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ganif.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

description pid process target process

PID 2884 set thread context of 2828 2884 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe RegSvcs.exe

description	pid	process	target process
PID 2884 set thread context of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\DHCP Host\dhcphost.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\DHCP Host\dhcphost.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RegSvcs.exe2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

pid	process
2828	RegSvcs.exe
2828	RegSvcs.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2828 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

pid process

2884 2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2828 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2828	RegSvcs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

pid	process
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

pid	process
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe

description	pid	process	target process
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe
PID 2884 wrote to memory of 2828	2884	2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2261fa3658c9ff2e8c6a47728303afda_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2828-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-7-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2828-8-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-9-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-12-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-13-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-14-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1-0x0000000000280000-0x0000000000283000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads