nanocore | b1d04d78ca542907bf8e87ac423cce20039b745b9500d292dcc1764feb660931

General

Target

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Size

804KB
MD5

96c46f1028dfd68dcafc774a331b7887
SHA1

a3f23dec1b19baeb71e75a9891a7a13a021c93bd
SHA256

b1d04d78ca542907bf8e87ac423cce20039b745b9500d292dcc1764feb660931
SHA512

ab318cb3228f0dd9087c64d4ea0e5021ec372a44c65d55a4d4209fba3b83e3b31cccb5f85c250fc31b650118a3e9891fa8dff45d142e41c576607739f51b3470
SSDEEP

12288:JGpk59Z3PCPoflr7RTd1To2k6qYa84nCsVcN9L4+xEWLIqD1fvIlwvCeP0/5KWRT:zdVPqY/4EIqD1Ylwvtz5C

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

audiotunes.exeaudiotunes.exe

pid process

1560 audiotunes.exe
3632 audiotunes.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

audiotunes.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA audiotunes.exe

pid	process
1560	audiotunes.exe
3632	audiotunes.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiotunes.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exeaudiotunes.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	audiotunes.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	audiotunes.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

audiotunes.exe

description pid process target process

PID 1560 set thread context of 3632 1560 audiotunes.exe audiotunes.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1560 set thread context of 3632	1560	audiotunes.exe	audiotunes.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exeschtasks.exeschtasks.execmd.exeaudiotunes.exeaudiotunes.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiotunes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiotunes.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4116 schtasks.exe

pid	process
4116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe

pid	process
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

audiotunes.exe

pid process

3632 audiotunes.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

audiotunes.exe

pid process

1560 audiotunes.exe

pid	process
3632	audiotunes.exe

pid	process
1560	audiotunes.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exeaudiotunes.exeaudiotunes.exe

description	pid	process
Token: SeDebugPrivilege	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
Token: SeDebugPrivilege	1560	audiotunes.exe
Token: SeDebugPrivilege	3632	audiotunes.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.execmd.exeaudiotunes.exe

description	pid	process	target process
PID 2552 wrote to memory of 3752	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 3752	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 3752	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 4116	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 4116	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 4116	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	schtasks.exe
PID 2552 wrote to memory of 2388	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	cmd.exe
PID 2552 wrote to memory of 2388	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	cmd.exe
PID 2552 wrote to memory of 2388	2552	96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe	cmd.exe
PID 2388 wrote to memory of 1560	2388	cmd.exe	audiotunes.exe
PID 2388 wrote to memory of 1560	2388	cmd.exe	audiotunes.exe
PID 2388 wrote to memory of 1560	2388	cmd.exe	audiotunes.exe
PID 1560 wrote to memory of 3632	1560	audiotunes.exe	audiotunes.exe
PID 1560 wrote to memory of 3632	1560	audiotunes.exe	audiotunes.exe
PID 1560 wrote to memory of 3632	1560	audiotunes.exe	audiotunes.exe
PID 1560 wrote to memory of 3632	1560	audiotunes.exe	audiotunes.exe

C:\Users\Admin\AppData\Local\Temp\96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96c46f1028dfd68dcafc774a331b7887_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\37a9f99f-41f8-4c98-ad5a-89e2379234cf" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\37a9f99f-41f8-4c98-ad5a-89e2379234cf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp544102550.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K "C:\ProgramData\audiotunes.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\ProgramData\audiotunes.exe
    C:\ProgramData\audiotunes.exe
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\ProgramData\audiotunes.exe
      C:\ProgramData\audiotunes.exe
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\audiotunes.exe

Filesize
804KB

MD5
f854de20ca4d24763fe1d741332ff3a7

SHA1
852210622a0b3f31a953682abfc1c4279ec14d72

SHA256
dc5fc101053307551b8d213823d5080b959e132755ec7321181491a2c8285ee4

SHA512
bcaa6c80475698c4990549325815530788e3ab8e0c5512dda0495e8af365f8360cbb23911c83bcffdbec353399eae82f4c764abe515218f3cfe3c3e3b2e83579

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp544102550.tmp

Filesize
1KB

MD5
3257a303a118b5848959139d86867c5e

SHA1
6e3493381aabb4d32e1ce4aea1a1f004557fa2b3

SHA256
14b348fc8716842929a43a5099a93372b75bacf8cd04a40af8965fc11490d071

SHA512
25da4cde73c9b8f8d2e7a6ae0f9548afdaa770761944e6be433b0537727342641ac19f7f88c91d514217afedf0d802bcf6ce344eb4b803672a3395e67f558dd8

Download Submit
memory/1560-33-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1560-31-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1560-26-0x0000000009280000-0x0000000009283000-memory.dmp

Filesize
12KB

Download
memory/1560-24-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1560-23-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1560-22-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-5-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-9-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-10-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-8-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-18-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-7-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-6-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/2552-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/2552-4-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-3-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2552-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3632-27-0x0000000000B50000-0x0000000000BAC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads