nanocore | 2b4aa9d2057b4b7e67bbc3f30911d4aad35f8af5e10d4c587b4254555bf4a695

General

Target

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe
Size

699KB
MD5

20fc4905deec49b284490fdc03ecb1c5
SHA1

fdedc862bc7ac7324f96ff00aeba75ef6f6b6967
SHA256

2b4aa9d2057b4b7e67bbc3f30911d4aad35f8af5e10d4c587b4254555bf4a695
SHA512

53e52602ab71ac698eb2f39378129af533cf9242f527fd0ef9e60017c42898fd88f521a0edcce5237c2056aebf5cdc96a3e8afb994cf0e43ccd01a3d03b3262f
SSDEEP

12288:lYp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXMeJXfXUyh8F:ke3rLDQVteqvxeojT0Ggp8

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ucrexz.hopto.org:2021

127.0.0.1:2021

Mutex

3ca05887-ada0-4215-877e-306409ecf9a3

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-03T01:32:02.880544436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2021
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3ca05887-ada0-4215-877e-306409ecf9a3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ucrexz.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3760 set thread context of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	Process
File created	C:\Program Files (x86)\SCSI Monitor\scsimon.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SCSI Monitor\scsimon.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exeschtasks.exeRegSvcs.exeschtasks.exeschtasks.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
3896	schtasks.exe
372	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exeRegSvcs.exe

pid	Process
3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe
3716	RegSvcs.exe
3716	RegSvcs.exe
3716	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid	Process
3716	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exeRegSvcs.exe

description	pid	Process
Token: SeDebugPrivilege	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe
Token: SeDebugPrivilege	3716	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exeRegSvcs.exe

description	pid	Process	procid_target
PID 3760 wrote to memory of 3896	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	90
PID 3760 wrote to memory of 3896	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	90
PID 3760 wrote to memory of 3896	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	90
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3760 wrote to memory of 3716	3760	20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe	92
PID 3716 wrote to memory of 372	3716	RegSvcs.exe	93
PID 3716 wrote to memory of 372	3716	RegSvcs.exe	93
PID 3716 wrote to memory of 372	3716	RegSvcs.exe	93
PID 3716 wrote to memory of 2472	3716	RegSvcs.exe	95
PID 3716 wrote to memory of 2472	3716	RegSvcs.exe	95
PID 3716 wrote to memory of 2472	3716	RegSvcs.exe	95

C:\Users\Admin\AppData\Local\Temp\20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20fc4905deec49b284490fdc03ecb1c5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RGogVnNWGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp119F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1642.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:372
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp16C0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp119F.tmp

Filesize
1KB

MD5
beb09c2445dbd928fbfda9933808d765

SHA1
f0996a6733a3dc706dbee653761e8e0311c7298e

SHA256
42f71c2cef1f24a34e6e88e028ed69415dd555c3e63f4b1340d9188c3b9d2291

SHA512
cacf06885e0439578788fdb4dd4c298bb58472a00c585eda2912331bbf95c1c78f85964ffacb997bdbc0dbb9891133881314a9503ad745c3a4408fee17d3bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1642.tmp

Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16C0.tmp

Filesize
1KB

MD5
2862e61d09852ea2886c036af0465051

SHA1
45e30b14543868213f7f1cba0a1e0cc840fb2cd2

SHA256
d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3

SHA512
33dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579

Download Submit
memory/3716-31-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3716-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3716-30-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3716-29-0x0000000006AD0000-0x0000000006ADA000-memory.dmp

Filesize
40KB

Download
memory/3716-28-0x0000000005960000-0x000000000597E000-memory.dmp

Filesize
120KB

Download
memory/3716-27-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/3716-19-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3716-18-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3760-4-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/3760-11-0x000000000C880000-0x000000000C8D2000-memory.dmp

Filesize
328KB

Download
memory/3760-3-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/3760-10-0x0000000009F90000-0x000000000A034000-memory.dmp

Filesize
656KB

Download
memory/3760-17-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3760-9-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3760-1-0x0000000000860000-0x0000000000916000-memory.dmp

Filesize
728KB

Download
memory/3760-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3760-8-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3760-7-0x0000000006420000-0x00000000064BC000-memory.dmp

Filesize
624KB

Download
memory/3760-6-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3760-5-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3760-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads