nanocore | 155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48 | Triage

Sharing

General

Target

fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118
Size

291KB
Sample

240929-txkjba1eqn
MD5

fee9cf8ec3de16009f0ffecdb2a8a831
SHA1

93af1af6f4d7ba623f03892032a805a099e2ab3c
SHA256

155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48
SHA512

70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66
SSDEEP

6144:/FVFmmoBy8TCukZw8db2cETk0MmsN6798y89xih5Mp:9mhy8TCukZJ2cETkAs2jU

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

netserv.serveftp.com:55128

176.31.174.37:55128

Mutex

4b736bf9-5142-40fe-ab51-5c64053db0ff

Attributes

activate_away_mode
true
backup_connection_host
176.31.174.37
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-03T18:30:02.293302936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
55128
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4b736bf9-5142-40fe-ab51-5c64053db0ff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
netserv.serveftp.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  fee9cf8ec3de16009f0ffecdb2a8a831_JaffaCakes118
- Size
  
  291KB
- MD5
  
  fee9cf8ec3de16009f0ffecdb2a8a831
- SHA1
  
  93af1af6f4d7ba623f03892032a805a099e2ab3c
- SHA256
  
  155f0bd1a6d92bf811c5157707eec4780d4b17cf6fb1166200a9d1ab9b93da48
- SHA512
  
  70e7e5b0810df304774d547d14546b13dfea0e4a69775589ec1d9727868e0dba9db76948749274ebfd11551465ec6a432edc77ead4111f713abc10fb713f6e66
- SSDEEP
  
  6144:/FVFmmoBy8TCukZw8db2cETk0MmsN6798y89xih5Mp:9mhy8TCukZJ2cETkAs2jU
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2