nanocore | dd80ea0d7cab57580251088c44c6fe5759ef696eb1577f8fd21cd9310b5afa1c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Size

476KB
MD5

f61a0991e1a2591c39629f8f51954079
SHA1

2081e35f0cdd2411bb7c53b7833e1eb21221bec3
SHA256

dd80ea0d7cab57580251088c44c6fe5759ef696eb1577f8fd21cd9310b5afa1c
SHA512

bac1e6e1621811410d17c915fa92500b6d7926fea95fa4c5db54dbe0dfe743da38851cafbc900b4d51d5cf9ce864ab012f74f7caf055c8876f88a151e16917d1
SSDEEP

12288:M3nZMhJ+ubNZ7dCtvFjwdr3F9FWuxU+PSkJBYDIl+OqJ+hOye:M3nZqfbxCtvyx3FvWoUiJOIHVh+

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan upx

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4124	file.exe
3944	91sfk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 4856	3944	91sfk.exe	86
PID 4856 set thread context of 2792	4856	csc.exe	93

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4856-21-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-22-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-23-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-35-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-36-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-37-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-38-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-39-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-40-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-41-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-42-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-43-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-44-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-45-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-46-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-47-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-48-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4856-49-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91sfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe
4856	csc.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 912	3652	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	82
PID 3652 wrote to memory of 912	3652	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	82
PID 3652 wrote to memory of 912	3652	f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe	82
PID 912 wrote to memory of 4124	912	WScript.exe	83
PID 912 wrote to memory of 4124	912	WScript.exe	83
PID 912 wrote to memory of 4124	912	WScript.exe	83
PID 4124 wrote to memory of 3944	4124	file.exe	85
PID 4124 wrote to memory of 3944	4124	file.exe	85
PID 4124 wrote to memory of 3944	4124	file.exe	85
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 3944 wrote to memory of 4856	3944	91sfk.exe	86
PID 4856 wrote to memory of 4692	4856	csc.exe	91
PID 4856 wrote to memory of 4692	4856	csc.exe	91
PID 4856 wrote to memory of 4692	4856	csc.exe	91
PID 4856 wrote to memory of 3152	4856	csc.exe	92
PID 4856 wrote to memory of 3152	4856	csc.exe	92
PID 4856 wrote to memory of 3152	4856	csc.exe	92
PID 4856 wrote to memory of 2792	4856	csc.exe	93
PID 4856 wrote to memory of 2792	4856	csc.exe	93
PID 4856 wrote to memory of 2792	4856	csc.exe	93
PID 4856 wrote to memory of 2792	4856	csc.exe	93
PID 4856 wrote to memory of 2792	4856	csc.exe	93
PID 2792 wrote to memory of 1996	2792	RegAsm.exe	94
PID 2792 wrote to memory of 1996	2792	RegAsm.exe	94
PID 2792 wrote to memory of 1996	2792	RegAsm.exe	94

C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\6mmqw\88g4m.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\6mmqw\file.exe
    "C:\Users\Admin\6mmqw\file.exe" -p1234
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe
      "C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        6⤵
        
        PID:4692
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        6⤵
        
        PID:3152
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        6⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DNS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD32E.tmp"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\6mmqw\88g4m.vbs

Filesize
90B

MD5
4005c5add74a635ebcd654ba7cf51ac9

SHA1
e84a7d72f080e032a55b3ccd61603bac82e8fb73

SHA256
af03f80def60fe776c9267a192e662da9716b59469e830f7698651e52cf0fd53

SHA512
0f554ff22bcfba2336e5bf809aec1607e628767c72e1ae81001e5b80351bfab8fc86b85bb2e8063e1f5d955c3e18e3f51cf21875760de57a68db88e926f86030

Download Submit
C:\Users\Admin\6mmqw\file.exe

Filesize
318KB

MD5
8b03e059b46c6ef0bc30a4a9d7eda131

SHA1
8d51e49dd267b5cf004db0fcd7ffe0f947fe4402

SHA256
6560160f4dec287992891ae93a91313085cf088364c844ffb8b53a0b5e63ade0

SHA512
33a637a240e438b1f7951946687a769bb09e35db10084708125184a5556c5ce4b1515e9618eb1a152ec48cfd9a590585080f220e3dc3ef79a2f61552a4aec9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD32E.tmp

Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe

Filesize
42KB

MD5
ea91e005c6920683a4526839f7745482

SHA1
432058655709f00958f287b6413ed5750ff69577

SHA256
8be60bfbca8d12da042e25fb2254bd7aa3e13516a3df62faf3b1ed9c3340e449

SHA512
971903238c0272ee5a540a34807f0d6b44ecb582e3e0d216b9e8579a2f37e934dde86109815353d62f66373575f3a788166d7d8798b3fb2b5df07fb60c1c16bc

Download Submit
C:\Users\Admin\AppData\Roaming\6mmqw\x

Filesize
618KB

MD5
2f29a20e1bdeb519c5247108baade53e

SHA1
80557ca8b51b252d6aa3fcbe03154df70a3e8b92

SHA256
6cc01ffcf664ac1552487f7287e87a2637ae196f36c30aa0b23192f22e572214

SHA512
8cb242314b6c36bb5455e1db7ec9590f0f47bda087eaa704bbdc16fa09d1ac91880a6126eb2b3fff1f115759299e8ca7f6ba367c72b915b5076b9d014c5a5551

Download Submit
memory/2792-29-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3944-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4856-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4856-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download