nanocore | 0b0818a3e82b1653a0160daedf39b18f4dd2a1b41661928451e5a26c4b6392a7 | Triage

Sharing

General

Target

79949bbec90a663289312a4bcb043aeb_JaffaCakes118
Size

420KB
Sample

241028-peb21ayfpe
MD5

79949bbec90a663289312a4bcb043aeb
SHA1

14b39b97dd2564d2bee5bdbb166552a5e15b8c1f
SHA256

0b0818a3e82b1653a0160daedf39b18f4dd2a1b41661928451e5a26c4b6392a7
SHA512

09ffa62f1af6bb6f0bb00fc9da3c6e59abaabc9c1e461a8dd3391d205ad3f0d3d4fa18e063230fdfefe4ddb105adbe8a5795d05d1414cf142cc80669c0628f1c
SSDEEP

12288:gOOOYs0vs0vs0vs0B53OZjoI0/XJ2dGPDi0sMUEzSxFEqW:Gs0vs0vs0vs0X80PJPP

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

grene231.ddns.net:9017

Mutex

050c3e25-856b-443b-ae6e-44a1fa0b6039

Attributes

activate_away_mode
true
backup_connection_host
grene231.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-12-09T09:11:12.426017136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9017
default_group
Vala
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
050c3e25-856b-443b-ae6e-44a1fa0b6039
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
grene231.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  79949bbec90a663289312a4bcb043aeb_JaffaCakes118
- Size
  
  420KB
- MD5
  
  79949bbec90a663289312a4bcb043aeb
- SHA1
  
  14b39b97dd2564d2bee5bdbb166552a5e15b8c1f
- SHA256
  
  0b0818a3e82b1653a0160daedf39b18f4dd2a1b41661928451e5a26c4b6392a7
- SHA512
  
  09ffa62f1af6bb6f0bb00fc9da3c6e59abaabc9c1e461a8dd3391d205ad3f0d3d4fa18e063230fdfefe4ddb105adbe8a5795d05d1414cf142cc80669c0628f1c
- SSDEEP
  
  12288:gOOOYs0vs0vs0vs0B53OZjoI0/XJ2dGPDi0sMUEzSxFEqW:Gs0vs0vs0vs0X80PJPP
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan