nanocore | def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe
Size

1.2MB
MD5

ab97523c0c284868c08c9120d921ba06
SHA1

0c79283dff6d22f7cf85561f33ff8f2753de880a
SHA256

def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27
SHA512

06c09f00cc60e682453b5317f23f9c1d36a1535b0f5de10e491dc587953d43345e41dd50acfc7019487180f48e504cd8a6d4b10029c1508b367ba9609e96f554
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHa+erpr3rzzF5:gh+ZkldoPK8Ya+WL

Score

10^/10

nanocore discovery evasion keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.162.88.16:2359

dish123newpro.publicvm.com:2359

Mutex

c253fe26-7f15-444b-bcbf-bdaaa6a4fb19

Attributes

activate_away_mode
true
backup_connection_host
dish123newpro.publicvm.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-12-27T16:33:42.242053636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2359
default_group
NANO17032019
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c253fe26-7f15-444b-bcbf-bdaaa6a4fb19
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.162.88.16
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2652	osk.exe
3016	osk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000016610-14.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 2652 set thread context of 2728	2652	osk.exe	36
PID 3016 set thread context of 3044	3016	osk.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1796	schtasks.exe
2508	schtasks.exe
548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2684	RegAsm.exe
2684	RegAsm.exe
2684	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	RegAsm.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 2684	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	30
PID 304 wrote to memory of 1796	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	31
PID 304 wrote to memory of 1796	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	31
PID 304 wrote to memory of 1796	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	31
PID 304 wrote to memory of 1796	304	ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2652	2820	taskeng.exe	35
PID 2820 wrote to memory of 2652	2820	taskeng.exe	35
PID 2820 wrote to memory of 2652	2820	taskeng.exe	35
PID 2820 wrote to memory of 2652	2820	taskeng.exe	35
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2728	2652	osk.exe	36
PID 2652 wrote to memory of 2508	2652	osk.exe	37
PID 2652 wrote to memory of 2508	2652	osk.exe	37
PID 2652 wrote to memory of 2508	2652	osk.exe	37
PID 2652 wrote to memory of 2508	2652	osk.exe	37
PID 2820 wrote to memory of 3016	2820	taskeng.exe	39
PID 2820 wrote to memory of 3016	2820	taskeng.exe	39
PID 2820 wrote to memory of 3016	2820	taskeng.exe	39
PID 2820 wrote to memory of 3016	2820	taskeng.exe	39
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 3044	3016	osk.exe	40
PID 3016 wrote to memory of 548	3016	osk.exe	41
PID 3016 wrote to memory of 548	3016	osk.exe	41
PID 3016 wrote to memory of 548	3016	osk.exe	41
PID 3016 wrote to memory of 548	3016	osk.exe	41

C:\Users\Admin\AppData\Local\Temp\ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab97523c0c284868c08c9120d921ba06_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1796

C:\Windows\system32\taskeng.exe
taskeng.exe {2717D000-F83D-4EEA-B3B0-F8E1F592F0D7} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\authfwcfg\osk.exe
  C:\Users\Admin\authfwcfg\osk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2508
- C:\Users\Admin\authfwcfg\osk.exe
  C:\Users\Admin\authfwcfg\osk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\authfwcfg\osk.exe

Filesize
1.2MB

MD5
3eda05f326d06944b378183dd3a8375e

SHA1
b7992263011014f0592a3659e272ee9f3a372851

SHA256
690c2ea53c3f4a1e2b498e1c98e0f08e83ff675e2d14a52152053b96ea0cc57c

SHA512
5c1c0cc0655ee96f3845d3381ce3dec5e3f09d17c3ea878cb82f6cb1003cc466005f358a37842897739bdc53d658da77e271c3f5e0c8514c25f4d63a2c2c45d3

Download Submit
memory/304-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2684-11-0x00000000740D2000-0x00000000740D4000-memory.dmp

Filesize
8KB

Download
memory/2684-13-0x00000000740D2000-0x00000000740D4000-memory.dmp

Filesize
8KB

Download
memory/2728-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download