nanocore | 14d22c4a8a36f02fd6a2869f04d908f3d70de075d81dd576914d33019a6de214

General

Target

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
Size

646KB
MD5

248bc96665bee5eb0d4ab15b7ba9f415
SHA1

a2eb99044b82889546dd21adb441c27130dc9bcc
SHA256

14d22c4a8a36f02fd6a2869f04d908f3d70de075d81dd576914d33019a6de214
SHA512

237c6105722c8a7360a5891d939fed8db5907ff19f5378fa2326052e2cfdc9045f0f17aa6a80d322b389bbb13e3d8aabac02af54719a08a6e191b1426a213ec9
SSDEEP

12288:ra/rmU5El82jSlI/ExacF3EubKHRHHWQpkerei1OOUGqB:rav5UjSlI/EPFQ12QOeKJEqB

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Welvfcm.exe

Drops startup file 1 IoCs

Processes:

Welvfcm.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welvfcm.lnk	Welvfcm.exe

Executes dropped EXE 3 IoCs

Processes:

Welvfcm.exeWelvfcm.exeWelvfcm.exe

pid	Process
2088	Welvfcm.exe
1660	Welvfcm.exe
2968	Welvfcm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Welvfcm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Welvfcm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Welvfcm.exe

description	pid	Process	procid_target
PID 1660 set thread context of 2968	1660	Welvfcm.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.execmd.exeWelvfcm.exeWelvfcm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welvfcm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Welvfcm.exeWelvfcm.exe

pid	Process
1660	Welvfcm.exe
1660	Welvfcm.exe
2968	Welvfcm.exe
2968	Welvfcm.exe
2968	Welvfcm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Welvfcm.exe

pid	Process
2968	Welvfcm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Welvfcm.exeWelvfcm.exe

description	pid	Process
Token: SeDebugPrivilege	1660	Welvfcm.exe
Token: SeDebugPrivilege	2968	Welvfcm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exeWelvfcm.exeWelvfcm.exe

description	pid	Process	procid_target
PID 2072 wrote to memory of 2088	2072	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	86
PID 2072 wrote to memory of 2088	2072	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	86
PID 2072 wrote to memory of 2088	2072	248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe	86
PID 2088 wrote to memory of 1284	2088	Welvfcm.exe	93
PID 2088 wrote to memory of 1284	2088	Welvfcm.exe	93
PID 2088 wrote to memory of 1284	2088	Welvfcm.exe	93
PID 2088 wrote to memory of 1660	2088	Welvfcm.exe	95
PID 2088 wrote to memory of 1660	2088	Welvfcm.exe	95
PID 2088 wrote to memory of 1660	2088	Welvfcm.exe	95
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96
PID 1660 wrote to memory of 2968	1660	Welvfcm.exe	96

C:\Users\Admin\AppData\Local\Temp\248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\248bc96665bee5eb0d4ab15b7ba9f415_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Lrttxit" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1284
- - C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe
    "C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe
      "C:\Users\Admin\AppData\Roaming\Lrttxit\Welvfcm.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Welvfcm.exe.log

Filesize
594B

MD5
fdb26b3b547022b45cfaeee57eafd566

SHA1
11c6798b8a59233f404014c5e79b3363cd564b37

SHA256
2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0

SHA512
44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gsvxamvenagxehd.bin

Filesize
225KB

MD5
deaa8ec93df2cdaee3dea5bb599c05fc

SHA1
e5218934709ccf1d5d0147d2fcd3bcfbb4de3dc2

SHA256
fc14f3c43da68530911150540d4ba54794c7a9587b6ce7659bff64082cf8edfa

SHA512
4e5c5a5bdacb52f5d8c90d5ff0b4a41a3735c25e2a55ad1d3792d41add8f1da41c8f5864f9c1d6ddc803d3efb560441e253bf55779ea606be5a8c8cb4759abcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rigrmkwhrrxoe.bin

Filesize
2.0MB

MD5
f3ead90a3f9398c865a7e3186344602d

SHA1
67f157816d13bf5d8717041f35dbbdd8e987a595

SHA256
b5adfdac1947f4518930b64a55ffde7bbdb7f5a54520d28d70702f4228c50bc1

SHA512
032b4d2b23241cc602ce3c806156a498548a49b089772dab73870372afc37e3b2340e2be6acec7861d90fb733ff5fe0f3e2c33f51ac648c1fa62bc777c0c99be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Welvfcm.exe

Filesize
165KB

MD5
4a798bfc65b28a2bdbf599a5db61c1c2

SHA1
3678c564fd4cd9aff1a466e58b361fbc092cdd27

SHA256
709f3c66506f0c3bb2a595ccd10155a0b3b850f81b652d1172b639c4d942a592

SHA512
61f363204fc5d9f3ff3460d32a5fcee9fbc348e4e97972401242653ed0df5d3a7efb7fcc19f97b2630ca3d5618b0c897a4171d3b7bf93d41f58f7dbd8565fd68

Download Submit
memory/1660-34-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/1660-33-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/1660-31-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-15-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-19-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-18-0x0000000072FA2000-0x0000000072FA3000-memory.dmp

Filesize
4KB

Download
memory/2088-16-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-32-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-14-0x0000000072FA0000-0x0000000073551000-memory.dmp

Filesize
5.7MB

Download
memory/2088-13-0x0000000072FA2000-0x0000000072FA3000-memory.dmp

Filesize
4KB

Download
memory/2968-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads