nanocore | 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe
Size

1.3MB
MD5

a11ab784e6d3546992d20dd689053590
SHA1

efb53ba66291154d758e033d24ad19a1567918db
SHA256

78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34
SHA512

73b093e8fcf0c9c8b4d8bf83f1b210b10ced13b093482f63f771a41774a72e3bbfe0e617255f869be54cecdd0d356856af000e61cdd02a890f89e798c49091a2
SSDEEP

24576:3u6J33O0c+JY5UZ+XC0kGso6FaUngm/MmiTv5WYk:Ru0c++OCvkGs9FaoiTMYk

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

microsoft.btc-crypto-rewards.cash:3020

91.192.100.7:3020

Mutex

8f96fcee-6a12-4372-9c82-ebf284f80be1

Attributes

activate_away_mode
true
backup_connection_host
91.192.100.7
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-12-17T05:15:58.097142536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3020
default_group
macro doc pop up
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8f96fcee-6a12-4372-9c82-ebf284f80be1
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
microsoft.btc-crypto-rewards.cash
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 3 IoCs

pid	Process
2700	qprocess.exe
2900	qprocess.exe
680	qprocess.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000194db-15.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2700 set thread context of 3060	2700	qprocess.exe	34
PID 2900 set thread context of 396	2900	qprocess.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
1028	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2336	RegAsm.exe
2336	RegAsm.exe
2336	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	RegAsm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2336	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2772	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2772	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2772	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2772	2524	a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2700	2752	taskeng.exe	33
PID 2752 wrote to memory of 2700	2752	taskeng.exe	33
PID 2752 wrote to memory of 2700	2752	taskeng.exe	33
PID 2752 wrote to memory of 2700	2752	taskeng.exe	33
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 3060	2700	qprocess.exe	34
PID 2700 wrote to memory of 1028	2700	qprocess.exe	35
PID 2700 wrote to memory of 1028	2700	qprocess.exe	35
PID 2700 wrote to memory of 1028	2700	qprocess.exe	35
PID 2700 wrote to memory of 1028	2700	qprocess.exe	35
PID 2752 wrote to memory of 2900	2752	taskeng.exe	37
PID 2752 wrote to memory of 2900	2752	taskeng.exe	37
PID 2752 wrote to memory of 2900	2752	taskeng.exe	37
PID 2752 wrote to memory of 2900	2752	taskeng.exe	37
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 396	2900	qprocess.exe	38
PID 2900 wrote to memory of 2432	2900	qprocess.exe	39
PID 2900 wrote to memory of 2432	2900	qprocess.exe	39
PID 2900 wrote to memory of 2432	2900	qprocess.exe	39
PID 2900 wrote to memory of 2432	2900	qprocess.exe	39
PID 2752 wrote to memory of 680	2752	taskeng.exe	41
PID 2752 wrote to memory of 680	2752	taskeng.exe	41
PID 2752 wrote to memory of 680	2752	taskeng.exe	41
PID 2752 wrote to memory of 680	2752	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a11ab784e6d3546992d20dd689053590_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {61E8CC8F-F9DF-4A4D-B5F1-DC3881010AED} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AuthHostProxy\qprocess.exe
  C:\Users\Admin\AuthHostProxy\qprocess.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1028
- C:\Users\Admin\AuthHostProxy\qprocess.exe
  C:\Users\Admin\AuthHostProxy\qprocess.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2432
- C:\Users\Admin\AuthHostProxy\qprocess.exe
  C:\Users\Admin\AuthHostProxy\qprocess.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AuthHostProxy\qprocess.exe

Filesize
1.3MB

MD5
59c1add1905ae3b364264d1ff4ae35d3

SHA1
d070174287c4a800327f497d21431ff10c2fee26

SHA256
a2171ac635e6f37fb4eefbb2710c73f967fee807234fc9a8556548048da98dd6

SHA512
9c4ef19a0db549957e63d796b3493af04d9de68f64e38f283953c4d2a7c898503205623b0149ead345a9f48acffe53d62658f9dd23c2648fed791afb3317fe68

Download Submit
memory/2336-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-10-0x00000000746C2000-0x00000000746C4000-memory.dmp

Filesize
8KB

Download
memory/2336-12-0x00000000746C2000-0x00000000746C4000-memory.dmp

Filesize
8KB

Download
memory/2524-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download