nanocore | e9e0f7468a14cadd1a46ab016750820dc31be1c397f1f0b8fbee9aa0b6689ed4

General

Target

5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe
Size

1.9MB
MD5

5e2273cbdca381865b11ae2b3385b095
SHA1

a188b1ba45f165f71ed9db93694786cd1c2d57e3
SHA256

e9e0f7468a14cadd1a46ab016750820dc31be1c397f1f0b8fbee9aa0b6689ed4
SHA512

c151bc42e3cdf67206207a6f4f4dc964a5fae74c8d6b05a34d4f9b4be453ad80153e5eb25c4072dc0e0d36521ff2cf03e017999fb14af22eaff3907e0decfefc
SSDEEP

24576:hyvg4dVmis+ApQsxMAe9KC/ONZTkbo1cwHFX7owhZTctoqODY2+vck:8Vin+WzxMAe9K4ONxkcH2QZTIODa

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winIgon.exe"	winIgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winIgon.exe"	winIgon.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Shadow Copy Service = "C:\\Users\\Admin\\AppData\\Roaming\\wipeshadow.exe"	winIgon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winIgon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winIgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe
4756	winIgon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4756	winIgon.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4228	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4756	winIgon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	winIgon.exe
Token: SeDebugPrivilege	4756	winIgon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4756	winIgon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4756	4228	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe	86
PID 4228 wrote to memory of 4756	4228	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe	86
PID 4228 wrote to memory of 4756	4228	5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe	86
PID 4756 wrote to memory of 2180	4756	winIgon.exe	88
PID 4756 wrote to memory of 2180	4756	winIgon.exe	88
PID 4756 wrote to memory of 2180	4756	winIgon.exe	88

C:\Users\Admin\AppData\Local\Temp\5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e2273cbdca381865b11ae2b3385b095_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Roaming\winIgon.exe
  "C:\Users\Admin\AppData\Roaming\winIgon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp

Filesize
1KB

MD5
e94bdf331bdd7b845bd773770b192546

SHA1
a37c345cf7ad861ecf327692ae9a528ba2186812

SHA256
fd6cf1a0335d18fab42cf3a55429917fcbd1803c2c7c68e529a09a0ec9acf5c1

SHA512
ef530fef4298a0d93591685d33a32ab3d9806b78303aa11c0ac142b6673e971c9c994d009bd53272df81728851036922f666fab766e8e005d831b9c4b643567f

Download Submit
memory/4228-0-0x0000000074DC2000-0x0000000074DC3000-memory.dmp

Filesize
4KB

Download
memory/4228-1-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4228-2-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4228-4-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-5-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-6-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-7-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-9-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-15-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download
memory/4756-16-0x0000000074DC0000-0x0000000075371000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads