nanocore | 87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b

General

Target

c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Size

641KB
MD5

c961820d87a64fd7cb0c41884bce694d
SHA1

3e1618437a9751bbfb236a8fb0e8037849211a1a
SHA256

87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b
SHA512

9a9f697d63a09f3c6f4114ca3c7bc379389d64e04e1550a5ed83ca175140f833b87b81ccfb4dffd3c0b11d81eb8495e07156875cae2ab70c5395a97f8ea1b616
SSDEEP

12288:ecyoMr4LxRh41hrbDQZxYCLhy4/I82vkLnfOOimL9vsHre:eXVPUZxPL2vk1ikuHq

Score

10^/10

nanocore agilenet discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

gifted.gleeze.com:55623

phill.onmypc.us:55623

Mutex

5a8742ff-0185-4032-9522-375e8e036567

Attributes

activate_away_mode
true
backup_connection_host
phill.onmypc.us
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-05-11T03:10:19.770910536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
55623
default_group
STUB
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5a8742ff-0185-4032-9522-375e8e036567
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gifted.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	gmappps.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gmappps.lnk	gmappps.exe

Executes dropped EXE 3 IoCs

pid	Process
4068	gmappps.exe
740	gmappps.exe
4508	gmappps.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3536-2-0x0000000005060000-0x0000000005088000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	gmappps.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gmappps.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4068 set thread context of 4508	4068	gmappps.exe	114

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	gmappps.exe
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	gmappps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmappps.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4068	gmappps.exe
4068	gmappps.exe
4068	gmappps.exe
4068	gmappps.exe
4508	gmappps.exe
4508	gmappps.exe
4508	gmappps.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4508	gmappps.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
Token: SeDebugPrivilege	4068	gmappps.exe
Token: SeDebugPrivilege	740	gmappps.exe
Token: SeDebugPrivilege	4508	gmappps.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 452	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	95
PID 3536 wrote to memory of 452	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	95
PID 3536 wrote to memory of 452	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	95
PID 3536 wrote to memory of 4280	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	100
PID 3536 wrote to memory of 4280	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	100
PID 3536 wrote to memory of 4280	3536	c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe	100
PID 4852 wrote to memory of 4068	4852	explorer.exe	102
PID 4852 wrote to memory of 4068	4852	explorer.exe	102
PID 4852 wrote to memory of 4068	4852	explorer.exe	102
PID 4068 wrote to memory of 740	4068	gmappps.exe	105
PID 4068 wrote to memory of 740	4068	gmappps.exe	105
PID 4068 wrote to memory of 740	4068	gmappps.exe	105
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114
PID 4068 wrote to memory of 4508	4068	gmappps.exe	114

C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c961820d87a64fd7cb0c41884bce694d_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\gmappps.exe
  "C:\Users\Admin\AppData\Local\gmappps.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\gmappps.exe
    "C:\Users\Admin\AppData\Local\gmappps.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Users\Admin\AppData\Local\gmappps.exe
    "C:\Users\Admin\AppData\Local\gmappps.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gmappps.exe

Filesize
641KB

MD5
c961820d87a64fd7cb0c41884bce694d

SHA1
3e1618437a9751bbfb236a8fb0e8037849211a1a

SHA256
87e895e60cc5b87ac5f59bfc6546449bff6b6dab0d5bf835956d49cbe8cef31b

SHA512
9a9f697d63a09f3c6f4114ca3c7bc379389d64e04e1550a5ed83ca175140f833b87b81ccfb4dffd3c0b11d81eb8495e07156875cae2ab70c5395a97f8ea1b616

Download Submit
memory/3536-11-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3536-1-0x00000000006B0000-0x0000000000754000-memory.dmp

Filesize
656KB

Download
memory/3536-3-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/3536-4-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3536-5-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3536-6-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3536-2-0x0000000005060000-0x0000000005088000-memory.dmp

Filesize
160KB

Download
memory/3536-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3536-7-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4068-16-0x0000000006690000-0x000000000672C000-memory.dmp

Filesize
624KB

Download
memory/4508-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4508-19-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/4508-22-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/4508-23-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/4508-24-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads