nanocore | dd80ea0d7cab57580251088c44c6fe5759ef696eb1577f8fd21cd9310b5afa1c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Size

476KB
MD5

f61a0991e1a2591c39629f8f51954079
SHA1

2081e35f0cdd2411bb7c53b7833e1eb21221bec3
SHA256

dd80ea0d7cab57580251088c44c6fe5759ef696eb1577f8fd21cd9310b5afa1c
SHA512

bac1e6e1621811410d17c915fa92500b6d7926fea95fa4c5db54dbe0dfe743da38851cafbc900b4d51d5cf9ce864ab012f74f7caf055c8876f88a151e16917d1
SSDEEP

12288:M3nZMhJ+ubNZ7dCtvFjwdr3F9FWuxU+PSkJBYDIl+OqJ+hOye:M3nZqfbxCtvyx3FvWoUiJOIHVh+

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan upx

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
2516	file.exe
2784	91sfk.exe

Loads dropped DLL 7 IoCs

pid	Process
2152	WScript.exe
2152	WScript.exe
2152	WScript.exe
2516	file.exe
2516	file.exe
2516	file.exe
2516	file.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2800	2784	91sfk.exe	33
PID 2800 set thread context of 2936	2800	csc.exe	34

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2800-35-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-33-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-38-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-39-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-42-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-41-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-40-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-60-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-61-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-62-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-63-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-64-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-65-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-66-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-67-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-68-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-69-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-70-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-71-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-72-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-73-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-74-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91sfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe
2800	csc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 1944 wrote to memory of 2152	1944	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2152 wrote to memory of 2516	2152	WScript.exe	31
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2516 wrote to memory of 2784	2516	file.exe	32
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2784 wrote to memory of 2800	2784	91sfk.exe	33
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2800 wrote to memory of 2936	2800	csc.exe	34
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35
PID 2936 wrote to memory of 2708	2936	RegAsm.exe	35

C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\6mmqw\88g4m.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\6mmqw\file.exe
    "C:\Users\Admin\6mmqw\file.exe" -p1234
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe
      "C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        6⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\6mmqw\88g4m.vbs

Filesize
90B

MD5
4005c5add74a635ebcd654ba7cf51ac9

SHA1
e84a7d72f080e032a55b3ccd61603bac82e8fb73

SHA256
af03f80def60fe776c9267a192e662da9716b59469e830f7698651e52cf0fd53

SHA512
0f554ff22bcfba2336e5bf809aec1607e628767c72e1ae81001e5b80351bfab8fc86b85bb2e8063e1f5d955c3e18e3f51cf21875760de57a68db88e926f86030

Download Submit
C:\Users\Admin\6mmqw\file.exe

Filesize
318KB

MD5
8b03e059b46c6ef0bc30a4a9d7eda131

SHA1
8d51e49dd267b5cf004db0fcd7ffe0f947fe4402

SHA256
6560160f4dec287992891ae93a91313085cf088364c844ffb8b53a0b5e63ade0

SHA512
33a637a240e438b1f7951946687a769bb09e35db10084708125184a5556c5ce4b1515e9618eb1a152ec48cfd9a590585080f220e3dc3ef79a2f61552a4aec9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp

Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Roaming\6mmqw\x

Filesize
618KB

MD5
2f29a20e1bdeb519c5247108baade53e

SHA1
80557ca8b51b252d6aa3fcbe03154df70a3e8b92

SHA256
6cc01ffcf664ac1552487f7287e87a2637ae196f36c30aa0b23192f22e572214

SHA512
8cb242314b6c36bb5455e1db7ec9590f0f47bda087eaa704bbdc16fa09d1ac91880a6126eb2b3fff1f115759299e8ca7f6ba367c72b915b5076b9d014c5a5551

Download Submit
\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe

Filesize
42KB

MD5
ea91e005c6920683a4526839f7745482

SHA1
432058655709f00958f287b6413ed5750ff69577

SHA256
8be60bfbca8d12da042e25fb2254bd7aa3e13516a3df62faf3b1ed9c3340e449

SHA512
971903238c0272ee5a540a34807f0d6b44ecb582e3e0d216b9e8579a2f37e934dde86109815353d62f66373575f3a788166d7d8798b3fb2b5df07fb60c1c16bc

Download Submit
memory/2784-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2936-53-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2936-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2936-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-52-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2936-49-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download