nanocore | 5b5a0f32647df552d3337225f9cb3467844987d1ffaeddcf190f524b097abc13 | Triage

Sharing

General

Target

3d248944ca3304d6c97ab8b934c869d2_JaffaCakes118
Size

315KB
Sample

240712-nbv52a1ckq
MD5

3d248944ca3304d6c97ab8b934c869d2
SHA1

04b032186ecd5b3099c54bd2eec6e8c7a5fdffff
SHA256

5b5a0f32647df552d3337225f9cb3467844987d1ffaeddcf190f524b097abc13
SHA512

8d556ada681e26418a06214725ebf5647035253b9085f1a3186171e162d8dd10d11d75c3cc943a562de526739556ff5ce83fdffb5017dd2261a83710ccd3342c
SSDEEP

6144:gf5yfbYDms7zY0U5T1tiXt7Mey/oRbw5o07L26:45dDmj55T1gZy/N5o0XJ

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

wumpwifi.onthewifi.com:2017

185.56.90.77:2017

Mutex

023952f5-9a94-49ae-b9eb-3069891b2f3b

Attributes

activate_away_mode
true
backup_connection_host
185.56.90.77
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-01-28T00:48:54.002261736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2017
default_group
Thai Beverage
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
023952f5-9a94-49ae-b9eb-3069891b2f3b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
wumpwifi.onthewifi.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  3d248944ca3304d6c97ab8b934c869d2_JaffaCakes118
- Size
  
  315KB
- MD5
  
  3d248944ca3304d6c97ab8b934c869d2
- SHA1
  
  04b032186ecd5b3099c54bd2eec6e8c7a5fdffff
- SHA256
  
  5b5a0f32647df552d3337225f9cb3467844987d1ffaeddcf190f524b097abc13
- SHA512
  
  8d556ada681e26418a06214725ebf5647035253b9085f1a3186171e162d8dd10d11d75c3cc943a562de526739556ff5ce83fdffb5017dd2261a83710ccd3342c
- SSDEEP
  
  6144:gf5yfbYDms7zY0U5T1tiXt7Mey/oRbw5o07L26:45dDmj55T1gZy/N5o0XJ
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojan

behavioral2

nanocoreevasionkeyloggerspywarestealertrojan