nanocore | 9d3ec7f8db9d701a1bd73a7363b1aed1dc87ee60c321e50c96d971b37f84ee25

General

Target

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
Size

516KB
MD5

0b675aaaf9a7d9d36bc19786db21b61d
SHA1

bfd0699316dfd6358abfd70d642556b197927f93
SHA256

9d3ec7f8db9d701a1bd73a7363b1aed1dc87ee60c321e50c96d971b37f84ee25
SHA512

71689ed36985960a185e7905b86e59343d11c0a601083a2ab3b22a6340dce93a495705e36e96c04e0d3263ba752b7d122e1d04bbcb6d76d6a8c92ebbbb6d1c51
SSDEEP

12288:FQ58Gd2jEp9Sksk/zuwBU/rwT8l/KHXCIB:FO1p9SksE8r5/KHXL

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

skodrf.casacam.net:2018

malkisod.casacam.net:2018

Mutex

6ccf001e-e66c-46e4-94a7-c5e28220d412

Attributes

activate_away_mode
false
backup_connection_host
malkisod.casacam.net
backup_dns_server
buffer_size
65535
build_time
2019-12-19T14:57:57.247146636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
2018
default_group
france002
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6ccf001e-e66c-46e4-94a7-c5e28220d412
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
skodrf.casacam.net
primary_dns_server
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Manager = "C:\\Program Files (x86)\\IMAP Manager\\imapmgr.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe

description pid process target process

PID 1064 set thread context of 1008 1064 0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe InstallUtil.exe

description	pid	process	target process
PID 1064 set thread context of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\IMAP Manager\imapmgr.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\IMAP Manager\imapmgr.exe	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exeInstallUtil.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1448 schtasks.exe
3256 schtasks.exe

pid	process
1448	schtasks.exe
3256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exeInstallUtil.exe

pid	process
1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
1008	InstallUtil.exe
1008	InstallUtil.exe
1008	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

1008 InstallUtil.exe

pid	process
1008	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
Token: SeDebugPrivilege	1008	InstallUtil.exe
Token: SeDebugPrivilege	1008	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exeInstallUtil.exe

description	pid	process	target process
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1064 wrote to memory of 1008	1064	0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe	InstallUtil.exe
PID 1008 wrote to memory of 1448	1008	InstallUtil.exe	schtasks.exe
PID 1008 wrote to memory of 1448	1008	InstallUtil.exe	schtasks.exe
PID 1008 wrote to memory of 1448	1008	InstallUtil.exe	schtasks.exe
PID 1008 wrote to memory of 3256	1008	InstallUtil.exe	schtasks.exe
PID 1008 wrote to memory of 3256	1008	InstallUtil.exe	schtasks.exe
PID 1008 wrote to memory of 3256	1008	InstallUtil.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b675aaaf9a7d9d36bc19786db21b61d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "IMAP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp850A.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "IMAP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8559.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp850A.tmp
Filesize
1KB

MD5
576bbaf398045c3843d452ec83208236

SHA1
8ed5b2500ae7a40cbfa6e9018a1d1f1e70cb1374

SHA256
33c0c2d72fa383e5988ce640febc5ac6a2bd71d4ae660b99e52234952e17467b

SHA512
e7cc0ea0b351c6a8618e14f03c00e88ef83e2f169e0b4d66513f580f0a9352fbfe429e57186362b69407150d566bbdadca2f7b574fc748cc140b3249be67f96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8559.tmp
Filesize
1KB

MD5
dd2c3e7842e2c2566e7b4874d229db71

SHA1
b9c57b0baa1ffea5baf957a7072a347bcddf6c6f

SHA256
a9df5dc5b3462bdfeaedb8b1bb3733fab886d77805b004adaaa4a5fba7f2c404

SHA512
9b30f36a75ed164696c0ca59617c0c4fb3c18e9c162ef4b50ea7f1c65d787740e18efa2b48ba7f8eae81fbc8e3f6e09de33760940e82cd8e3afc53966e0db91d

Download Submit
memory/1008-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1008-32-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1008-31-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1008-30-0x00000000065B0000-0x00000000065BA000-memory.dmp

Filesize
40KB

Download
memory/1008-29-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/1008-28-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/1008-19-0x00000000054D0000-0x00000000054DA000-memory.dmp

Filesize
40KB

Download
memory/1008-20-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1008-18-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/1008-16-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-6-0x0000000004EA0000-0x0000000005062000-memory.dmp

Filesize
1.8MB

Download
memory/1064-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-12-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/1064-11-0x00000000062A0000-0x00000000062E4000-memory.dmp

Filesize
272KB

Download
memory/1064-17-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-10-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-9-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/1064-13-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-7-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/1064-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/1064-5-0x0000000004B20000-0x0000000004B42000-memory.dmp

Filesize
136KB

Download
memory/1064-4-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/1064-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/1064-2-0x0000000000CA0000-0x0000000000CC4000-memory.dmp

Filesize
144KB

Download
memory/1064-1-0x0000000000160000-0x00000000001E6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads