nanocore | 14d22c4a8a36f02fd6a2869f04d908f3d70de075d81dd576914d33019a6de214

General

Target

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
Size

646KB
MD5

248bc96665bee5eb0d4ab15b7ba9f415
SHA1

a2eb99044b82889546dd21adb441c27130dc9bcc
SHA256

14d22c4a8a36f02fd6a2869f04d908f3d70de075d81dd576914d33019a6de214
SHA512

237c6105722c8a7360a5891d939fed8db5907ff19f5378fa2326052e2cfdc9045f0f17aa6a80d322b389bbb13e3d8aabac02af54719a08a6e191b1426a213ec9
SSDEEP

12288:ra/rmU5El82jSlI/ExacF3EubKHRHHWQpkerei1OOUGqB:rav5UjSlI/EPFQ12QOeKJEqB

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

Welvfcm.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welvfcm.lnk	Welvfcm.exe

Executes dropped EXE 3 IoCs

Processes:

Welvfcm.exeWelvfcm.exeWelvfcm.exe

pid	Process
2712	Welvfcm.exe
2752	Welvfcm.exe
584	Welvfcm.exe

Loads dropped DLL 5 IoCs

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.exeWelvfcm.exe

pid	Process
2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
2712	Welvfcm.exe
2752	Welvfcm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Welvfcm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Welvfcm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Welvfcm.exe

description	pid	Process	procid_target
PID 2752 set thread context of 584	2752	Welvfcm.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.execmd.exeWelvfcm.exeWelvfcm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Welvfcm.exeWelvfcm.exe

pid	Process
2752	Welvfcm.exe
2752	Welvfcm.exe
584	Welvfcm.exe
584	Welvfcm.exe
584	Welvfcm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Welvfcm.exe

pid	Process
584	Welvfcm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Welvfcm.exeWelvfcm.exe

description	pid	Process
Token: SeDebugPrivilege	2752	Welvfcm.exe
Token: SeDebugPrivilege	584	Welvfcm.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.exeWelvfcm.exe

description	pid	Process	procid_target
PID 2188 wrote to memory of 2712	2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2712	2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2712	2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2712	2188	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2696	2712	Welvfcm.exe	31
PID 2712 wrote to memory of 2696	2712	Welvfcm.exe	31
PID 2712 wrote to memory of 2696	2712	Welvfcm.exe	31
PID 2712 wrote to memory of 2696	2712	Welvfcm.exe	31
PID 2712 wrote to memory of 2752	2712	Welvfcm.exe	33
PID 2712 wrote to memory of 2752	2712	Welvfcm.exe	33
PID 2712 wrote to memory of 2752	2712	Welvfcm.exe	33
PID 2712 wrote to memory of 2752	2712	Welvfcm.exe	33
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34
PID 2752 wrote to memory of 584	2752	Welvfcm.exe	34

C:\Users\Admin\AppData\Local\Temp\248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Lrttxit" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe
    "C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe
      "C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gsvxamvenagxehd.bin

Filesize
225KB

MD5
deaa8ec93df2cdaee3dea5bb599c05fc

SHA1
e5218934709ccf1d5d0147d2fcd3bcfbb4de3dc2

SHA256
fc14f3c43da68530911150540d4ba54794c7a9587b6ce7659bff64082cf8edfa

SHA512
4e5c5a5bdacb52f5d8c90d5ff0b4a41a3735c25e2a55ad1d3792d41add8f1da41c8f5864f9c1d6ddc803d3efb560441e253bf55779ea606be5a8c8cb4759abcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rigrmkwhrrxoe.bin

Filesize
2.0MB

MD5
f3ead90a3f9398c865a7e3186344602d

SHA1
67f157816d13bf5d8717041f35dbbdd8e987a595

SHA256
b5adfdac1947f4518930b64a55ffde7bbdb7f5a54520d28d70702f4228c50bc1

SHA512
032b4d2b23241cc602ce3c806156a498548a49b089772dab73870372afc37e3b2340e2be6acec7861d90fb733ff5fe0f3e2c33f51ac648c1fa62bc777c0c99be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe

Filesize
165KB

MD5
4a798bfc65b28a2bdbf599a5db61c1c2

SHA1
3678c564fd4cd9aff1a466e58b361fbc092cdd27

SHA256
709f3c66506f0c3bb2a595ccd10155a0b3b850f81b652d1172b639c4d942a592

SHA512
61f363204fc5d9f3ff3460d32a5fcee9fbc348e4e97972401242653ed0df5d3a7efb7fcc19f97b2630ca3d5618b0c897a4171d3b7bf93d41f58f7dbd8565fd68

Download Submit
memory/584-46-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/584-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-34-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-18-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2712-20-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-19-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-23-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2712-22-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads