nanocore | b60e40f3eae92cac6a2d803b06586b7fe63d30dcfa37858a5e0e7226307139fb | Triage

Sharing

General

Target

323eb7cfdda6b481d8365875bae6bac7_JaffaCakes118
Size

956KB
Sample

241010-3bfsnsxcmn
MD5

323eb7cfdda6b481d8365875bae6bac7
SHA1

b52d8bf673c8dec9fda605c4def937478ca38e48
SHA256

b60e40f3eae92cac6a2d803b06586b7fe63d30dcfa37858a5e0e7226307139fb
SHA512

5269e0c117206b08831c9f269994c48b823b5765f9d4382a968960718e6741cf3de38a75d161068b8bfcd233cb77a77aa8ead6b09f558f9bb7ff4038a0a5722d
SSDEEP

24576:9IPp9AR95SDxKE69t8vl+orJpJ31nTcf3drEbIQfKkB:9IPpKRSDQh8Trx9TnI

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.30.63:1916

127.0.0.1:1916

Mutex

bce1779d-9a41-430e-abc2-737cf5900556

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-21T21:52:34.187380636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1916
default_group
Nano
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bce1779d-9a41-430e-abc2-737cf5900556
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.63
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  323eb7cfdda6b481d8365875bae6bac7_JaffaCakes118
- Size
  
  956KB
- MD5
  
  323eb7cfdda6b481d8365875bae6bac7
- SHA1
  
  b52d8bf673c8dec9fda605c4def937478ca38e48
- SHA256
  
  b60e40f3eae92cac6a2d803b06586b7fe63d30dcfa37858a5e0e7226307139fb
- SHA512
  
  5269e0c117206b08831c9f269994c48b823b5765f9d4382a968960718e6741cf3de38a75d161068b8bfcd233cb77a77aa8ead6b09f558f9bb7ff4038a0a5722d
- SSDEEP
  
  24576:9IPp9AR95SDxKE69t8vl+orJpJ31nTcf3drEbIQfKkB:9IPpKRSDQh8Trx9TnI
Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerspywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerspywarestealertrojan