nanocore | 6da9cd489fdad00ba5bece2724bdc970da031c31920a1650e27379c3a1768c87

General

Target

e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
Size

248KB
MD5

e9792b0c520cbd894dc0192064c1041a
SHA1

d336e69b5a1ff25080d71ed1b79a5d581ede6402
SHA256

6da9cd489fdad00ba5bece2724bdc970da031c31920a1650e27379c3a1768c87
SHA512

c39bbab8b9292f215df46913efd410cc72e8fc9d95ba4ba50c2ae954336bedca139e8601b485ccddf92c2c2667fabdc91263688146f0a5c858a09e887b16f30d
SSDEEP

6144:jjBwnYr13Wg8YHG4U6brnsdQFkD8g9ZxcsV0g:jjeM3LrTsqNgF/

Score

10^/10

nanocore defense_evasion discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dedonblazzo.linkpc.net:25125

longjohn.linkpc.net:25125

Mutex

d2c8ebb8-fa90-40e6-adac-bdeef76e2492

Attributes

activate_away_mode
true
backup_connection_host
longjohn.linkpc.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-03-02T16:28:47.975633736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
25125
default_group
Salesmen
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d2c8ebb8-fa90-40e6-adac-bdeef76e2492
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dedonblazzo.linkpc.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 1 IoCs

pid	Process
756	svhost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3552 set thread context of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Inkstag\Inkstag.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Inkstag\Inkstag.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
756	svhost.exe
756	svhost.exe
756	svhost.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
756	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
Token: 33	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
Token: SeDebugPrivilege	756	svhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 2356	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	91
PID 3552 wrote to memory of 2356	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	91
PID 3552 wrote to memory of 2356	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	91
PID 2356 wrote to memory of 4532	2356	cmd.exe	93
PID 2356 wrote to memory of 4532	2356	cmd.exe	93
PID 2356 wrote to memory of 4532	2356	cmd.exe	93
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94
PID 3552 wrote to memory of 756	3552	e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9792b0c520cbd894dc0192064c1041a_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Inkstag\Inkstag.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Inkstag\Inkstag.exe

Filesize
248KB

MD5
e9792b0c520cbd894dc0192064c1041a

SHA1
d336e69b5a1ff25080d71ed1b79a5d581ede6402

SHA256
6da9cd489fdad00ba5bece2724bdc970da031c31920a1650e27379c3a1768c87

SHA512
c39bbab8b9292f215df46913efd410cc72e8fc9d95ba4ba50c2ae954336bedca139e8601b485ccddf92c2c2667fabdc91263688146f0a5c858a09e887b16f30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/756-22-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-21-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-27-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-24-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-23-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/756-17-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-19-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/756-18-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3552-1-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3552-0-0x0000000074782000-0x0000000074783000-memory.dmp

Filesize
4KB

Download
memory/3552-3-0x0000000074782000-0x0000000074783000-memory.dmp

Filesize
4KB

Download
memory/3552-2-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3552-26-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3552-4-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing