nanocore | 78cbb279ba688ed0771ff554c496b8addd85f61206aaa6ae62899328f836b876

General

Target

dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
Size

918KB
MD5

dc1a3460bcf7b523e6c86f5e9b30f748
SHA1

0aa1b01e28b2f5ca08519542cbe31a9bb43ebc27
SHA256

78cbb279ba688ed0771ff554c496b8addd85f61206aaa6ae62899328f836b876
SHA512

ecee81757d87a17245ddcc6267154e3a8915c268821c87831619b5a3beacf475f2f3c3aff13623f68f687d2b353880119f2fc92568e49a090f4d9e40260166a5
SSDEEP

6144:uWzFzx9BbYV5L1hYn2Jdd+Ph27DpC7JjC7X1/AEvBHFy/y/QLHpbBcN9vBKrRMY+:uWvX8/t5poGiQMwsVKAcp4qs2RxJ5J

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

klonnygermanip.ddns.net:3935

klonnygermanip1.ddns.net:3935

Mutex

380faa9d-26a4-4df1-b106-95f71ef6df28

Attributes

activate_away_mode
true
backup_connection_host
klonnygermanip1.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-27T13:30:48.757645436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3935
default_group
RAW CASH
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
380faa9d-26a4-4df1-b106-95f71ef6df28
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
klonnygermanip.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.url	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 972 set thread context of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe
2012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
2516	RegAsm.exe
2516	RegAsm.exe
2516	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
Token: SeDebugPrivilege	2516	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4904	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	85
PID 972 wrote to memory of 4904	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	85
PID 972 wrote to memory of 4904	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	85
PID 972 wrote to memory of 2428	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	88
PID 972 wrote to memory of 2428	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	88
PID 972 wrote to memory of 2428	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	88
PID 972 wrote to memory of 3128	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	90
PID 972 wrote to memory of 3128	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	90
PID 972 wrote to memory of 3128	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	90
PID 972 wrote to memory of 4860	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	91
PID 972 wrote to memory of 4860	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	91
PID 972 wrote to memory of 4860	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	91
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 972 wrote to memory of 2516	972	dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe	92
PID 2516 wrote to memory of 2012	2516	RegAsm.exe	93
PID 2516 wrote to memory of 2012	2516	RegAsm.exe	93
PID 2516 wrote to memory of 2012	2516	RegAsm.exe	93

C:\Users\Admin\AppData\Local\Temp\dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc1a3460bcf7b523e6c86f5e9b30f748_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn svhost /MO 1 /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe\
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:3128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DNS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88E7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp88E7.tmp

Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
memory/972-1-0x0000000000C20000-0x0000000000CF4000-memory.dmp

Filesize
848KB

Download
memory/972-2-0x00000000055E0000-0x0000000005624000-memory.dmp

Filesize
272KB

Download
memory/972-3-0x0000000001770000-0x000000000177C000-memory.dmp

Filesize
48KB

Download
memory/972-6-0x0000000005620000-0x0000000005658000-memory.dmp

Filesize
224KB

Download
memory/972-7-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/972-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2516-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-11-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2516-12-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2516-10-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/2516-17-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/2516-18-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/2516-19-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads