nanocore | 6b59ef9e80eed04fb2d45569f27dada7b901fc47e726e0c48ea75107d2ea2870

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
Size

391KB
MD5

828e9fa440667700be0305848ec7c6fb
SHA1

9fe92bb6b7b6986690f840078b080c56b5aa4a0e
SHA256

6b59ef9e80eed04fb2d45569f27dada7b901fc47e726e0c48ea75107d2ea2870
SHA512

b8ce90cc662ed7384e5ecfe20e7b6b7436c940e5d44816aff21c17f52cdba72233b5790d3202249f86a61aa07862f38c4996a28a273e9e5c05e18583b8a1d725
SSDEEP

12288:IudCZLjBTMXU3wL4vXBMzHNGALXEss/gc:Ix2U3wMvxW1LXElb

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

jured123.ddns.net:9033

127.0.0.1:9033

Mutex

f2166d44-4025-4972-8286-3ae1f2df8b6f

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-01-30T18:03:09.422891336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9033
default_group
RATTED
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f2166d44-4025-4972-8286-3ae1f2df8b6f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jured123.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	z.cmd
3056	z.cmd

Loads dropped DLL 3 IoCs

pid	Process
2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
2456	z.cmd

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	z.cmd

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3056	2456	z.cmd	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.cmd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2456	z.cmd

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2456	z.cmd
2456	z.cmd

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2456	2916	828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe	29
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 2996	2456	z.cmd	30
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 2456 wrote to memory of 3056	2456	z.cmd	32
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33
PID 3056 wrote to memory of 2844	3056	z.cmd	33

C:\Users\Admin\AppData\Local\Temp\828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\828e9fa440667700be0305848ec7c6fb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1036.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cm_

Filesize
160KB

MD5
5f1ac56c39eb680f3b21f120313c16f8

SHA1
30eb78f8fb55afca842fc75f974a5d301f57cdf6

SHA256
7218840273cfeb2cf6f507d3c238eb1f376fd997e60d52006f6a4876cc01f3a3

SHA512
fdcf2f060d9131ad6b41251d707e1d388a560e063ae97188b109dedb35a18c458917c4655de7a67b8611072d2b68ccd1bd3299a9c66f2609ca6eec206db3a0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd

Filesize
104KB

MD5
42ccd69a3be9618d329de0ea0fde3a81

SHA1
47e9897f303496eb9cd5883f9cdb283b6eee65d3

SHA256
14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef

SHA512
33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1036.tmp

Filesize
1KB

MD5
a1d0f75599c16902d28bb7b756a4f35c

SHA1
c752e4155b8445152c97805387a1719da4fcf4f3

SHA256
dfc004a96670a057f9d4ce4b2c70ea12aa196edb0d5e99e68e53b5366236a617

SHA512
8a3858b519fe899259b9b58a2343421d5ab7fdfec1ba65c834ef6009a8767007f64c648f96948418782ee33c31523517294f37a7d5eca75eaa6b021f31183842

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z.cmd

Filesize
372KB

MD5
e7de4028e07068ee6c54ca14081ecc40

SHA1
a83f5a9754b4dd98a28a6e717bb392383a4c3a1e

SHA256
18f9f8f7a81f58d61de969cb933a6170788339be7f3995af8c1e919e8e2c0763

SHA512
1eb53d5db1ba5a632f3fac669be8ec812eaf7d2f43f9be1f1b0388761aafb0411647582a3e924248b66ec17fd8f144706b82577b0ac2f74092630d610f0ed709

Download Submit
memory/2456-12-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2456-20-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/3056-27-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-31-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-29-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-33-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-37-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-35-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-26-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-40-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-43-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-44-0x0000000000400000-0x0000000001210000-memory.dmp

Filesize
14.1MB

Download
memory/3056-23-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download