nanocore | 80046dce8235118443aa0359296e5f866259b49928782ba82d156af8d9fc301b | Triage

Sharing

General

Target

cb150e105e05cee69ee165ac0ddbb580_JaffaCakes118
Size

360KB
Sample

240830-sj455a1fkr
MD5

cb150e105e05cee69ee165ac0ddbb580
SHA1

0059b09d049cb5f18d880381e82cbefba3cae672
SHA256

80046dce8235118443aa0359296e5f866259b49928782ba82d156af8d9fc301b
SHA512

713bc728765451441e752a1a26713ca372320aaf73e5a5fc3d4cdcd054488da5a2754bebdc0e0acea53b82cb753c8b8b47972a36b9a8781770fef5b77cdfa369
SSDEEP

6144:WWeYfEJRHR2GdBul3Mhw+VTaP48LRLB10DsaiRjgPdT8FPitFGS1g0s3un53tjo7:ZBEJRHRJru0+QIRAeRMPdAFPA8w3o4tM

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.217.1.176:717

127.0.0.1:717

Mutex

3875e7a7-6140-4c03-8417-1e63250aef30

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-02-18T00:42:25.752401736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
717
default_group
Money
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3875e7a7-6140-4c03-8417-1e63250aef30
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.217.1.176
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  invoice.exe
- Size
  
  382KB
- MD5
  
  8c7ab1ecf0dc43b1b575a4eda1f810bd
- SHA1
  
  d6a110fefe9413a7cad3b2e05a50000b194d15ff
- SHA256
  
  f85dc20c8f5191b83ebe3d2d8d7e0feb175cedbf7c9bfbb44b67a7794ceef7ba
- SHA512
  
  dbbf797ca887a7334eb00cbc5aac9d49196902f33f76b0c61079ac9e25c0281cd61ae6760c39ec68d93d8581f7f64cc4af0c9abb4ba99b2ae7e145f2db7187ca
- SSDEEP
  
  6144:+IRoC1CkzrOv/3Mhw+VkaPaLRL61pDsaiRjgPdY8FPitFG/12033Fn5Wh7rZDbBz:fotWFZ6ReeRMPdnFPA8dpHsvR+jY
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan