nanocore | 87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b

General

Target

c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Size

641KB
MD5

c961820d87a64fd7cb0c41884bce694d
SHA1

3e1618437a9751bbfb236a8fb0e8037849211a1a
SHA256

87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b
SHA512

9a9f697d63a09f3c6f4114ca3c7bc379389d64e04e1550a5ed83ca175140f833b87b81ccfb4dffd3c0b11d81eb8495e07156875cae2ab70c5395a97f8ea1b616
SSDEEP

12288:ecyoMr4LxRh41hrbDQZxYCLhy4/I82vkLnfOOimL9vsHre:eXVPUZxPL2vk1ikuHq

Score

10^/10

nanocore agilenet discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

gifted.gleeze.com:55623

phill.onmypc.us:55623

Mutex

5a8742ff-0185-4032-9522-375e8e036567

Attributes

activate_away_mode
true
backup_connection_host
phill.onmypc.us
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-05-11T03:10:19.770910536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
55623
default_group
STUB
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5a8742ff-0185-4032-9522-375e8e036567
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gifted.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gmappps.lnk	gmappps.exe

Executes dropped EXE 3 IoCs

pid	Process
2564	gmappps.exe
2824	gmappps.exe
588	gmappps.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	gmappps.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1928-2-0x0000000000600000-0x0000000000628000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Monitor = "C:\\Program Files (x86)\\SMTP Monitor\\smtpmon.exe"	gmappps.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gmappps.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 588	2564	gmappps.exe	36

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SMTP Monitor\smtpmon.exe	gmappps.exe
File opened for modification	C:\Program Files (x86)\SMTP Monitor\smtpmon.exe	gmappps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2564	gmappps.exe
2564	gmappps.exe
2564	gmappps.exe
2564	gmappps.exe
588	gmappps.exe
588	gmappps.exe
588	gmappps.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
588	gmappps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Token: SeDebugPrivilege	2564	gmappps.exe
Token: SeDebugPrivilege	2824	gmappps.exe
Token: SeDebugPrivilege	588	gmappps.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2708	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2708	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2708	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2708	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2188	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2188	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2188	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2188	1928	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2564	2500	explorer.exe	34
PID 2500 wrote to memory of 2564	2500	explorer.exe	34
PID 2500 wrote to memory of 2564	2500	explorer.exe	34
PID 2500 wrote to memory of 2564	2500	explorer.exe	34
PID 2564 wrote to memory of 2824	2564	gmappps.exe	35
PID 2564 wrote to memory of 2824	2564	gmappps.exe	35
PID 2564 wrote to memory of 2824	2564	gmappps.exe	35
PID 2564 wrote to memory of 2824	2564	gmappps.exe	35
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36
PID 2564 wrote to memory of 588	2564	gmappps.exe	36

C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\gmappps.exe
  "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\gmappps.exe
    "C:\Users\Admin\AppData\Local\gmappps.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Users\Admin\AppData\Local\gmappps.exe
    "C:\Users\Admin\AppData\Local\gmappps.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gmappps.exe

Filesize
641KB

MD5
c961820d87a64fd7cb0c41884bce694d

SHA1
3e1618437a9751bbfb236a8fb0e8037849211a1a

SHA256
87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b

SHA512
9a9f697d63a09f3c6f4114ca3c7bc379389d64e04e1550a5ed83ca175140f833b87b81ccfb4dffd3c0b11d81eb8495e07156875cae2ab70c5395a97f8ea1b616

Download Submit
memory/588-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/588-32-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/588-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-33-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/588-31-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/588-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1928-1-0x0000000000270000-0x0000000000314000-memory.dmp

Filesize
656KB

Download
memory/1928-9-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-2-0x0000000000600000-0x0000000000628000-memory.dmp

Filesize
160KB

Download
memory/1928-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1928-6-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-5-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1928-4-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-3-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-12-0x0000000001090000-0x0000000001134000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads