nanocore | 10eb16cc07efcedd4460b858a81ae14e678f06d89e3f94614ff399c5666607f3 | Triage

Sharing

General

Target

b0f1185e163b3c0da465f3cb4a00e96e_JaffaCakes118
Size

364KB
Sample

240820-1jk19aydjj
MD5

b0f1185e163b3c0da465f3cb4a00e96e
SHA1

b1bc09daf20c93fde19943be105af8dd2a03273c
SHA256

10eb16cc07efcedd4460b858a81ae14e678f06d89e3f94614ff399c5666607f3
SHA512

c51dcf52009c55f6bfe4992b6f3ec54a94ea0c13886cd181b8ed5b0c13966459fc2e0409508b7ab79817d10dfac83089060975a10d892c22a57cd88dad942fea
SSDEEP

6144:O3yEAHhhFnZAxwPkLsGMAjduKFwpR+5YluD3BHftm4veoPk3CgRPtQw3B3lHRDqy:GyjCWkLWuFwpRSYluIocJRmGlTArO

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.70.185.161:4048

nappy45.punkdns.vip:4048

Mutex

82a81ef3-32c8-4848-9caf-a307c6860c35

Attributes

activate_away_mode
true
backup_connection_host
nappy45.punkdns.vip
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-04-17T01:09:13.945043236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
4048
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
82a81ef3-32c8-4848-9caf-a307c6860c35
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.70.185.161
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  INV-20170806-0092795243900-29178.exe
- Size
  
  898KB
- MD5
  
  f529fe5474bd401997196d6ff238bc2f
- SHA1
  
  60d045b2d29ae67545c784c71d053018d7e7a6ae
- SHA256
  
  fda36d8d713d109a05551754a23ca383030b0d9fd9f1cde3658eaf51689ffa53
- SHA512
  
  350ba9446c5a26f983093446d65aa2eef03b7905bfde0ea9be770dc98519eba9b88b25b80959aa565f0f80c33f4541e7b21d03ed4de0d01bb6aab4e024d5a838
- SSDEEP
  
  12288:reCCOALwRZGwIPRHTQI/rnP/7e807tcTuT62ZpQkfO5NI75tiqrUWJ:rLALqZtUjC80iY9B3
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan