nanocore | 9b916d451ce81a4fa56209262065797748bcbce9d8819288e46004c6d0f95c6b

General

Target

ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe
Size

569KB
MD5

ab0f429587409856cbf8b7eeda784818
SHA1

11361e5f830be948fe2f3115875baf8bd784009b
SHA256

9b916d451ce81a4fa56209262065797748bcbce9d8819288e46004c6d0f95c6b
SHA512

83ea74f260d64b143b44fbc067696aebe6e2cd670a4456b30b12282c0cb538428296fa53fd5ad37960d2edc146c95b4f383459f3ef666f4e672fd4dc243a801e
SSDEEP

12288:2NeZIXMuf2BBHkr4AgKB2E3/XjCPncDMQNvdL3XO2:68vLkrsE3/Xkc3vNnO

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

0.tcp.ngrok.io:15642

Mutex

d61fa598-6d05-4c22-9eba-11b25460477f

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-15T14:08:35.896694436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
15642
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d61fa598-6d05-4c22-9eba-11b25460477f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
0.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
36	0.tcp.ngrok.io
49	0.tcp.ngrok.io
51	0.tcp.ngrok.io
68	0.tcp.ngrok.io
76	0.tcp.ngrok.io
20	0.tcp.ngrok.io
47	0.tcp.ngrok.io
53	0.tcp.ngrok.io
60	0.tcp.ngrok.io
62	0.tcp.ngrok.io
34	0.tcp.ngrok.io
66	0.tcp.ngrok.io
70	0.tcp.ngrok.io
74	0.tcp.ngrok.io
42	0.tcp.ngrok.io
40	0.tcp.ngrok.io
64	0.tcp.ngrok.io
72	0.tcp.ngrok.io
38	0.tcp.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe
File created	C:\Program Files (x86)\LAN Service\lansv.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1460	RegAsm.exe
1460	RegAsm.exe
1460	RegAsm.exe
1460	RegAsm.exe
1460	RegAsm.exe
1460	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1460	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89
PID 3832 wrote to memory of 1460	3832	ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab0f429587409856cbf8b7eeda784818_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-26-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download
memory/1460-29-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/1460-33-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/1460-32-0x0000000006960000-0x0000000006974000-memory.dmp

Filesize
80KB

Download
memory/1460-31-0x0000000006930000-0x000000000695E000-memory.dmp

Filesize
184KB

Download
memory/1460-30-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/1460-22-0x0000000006610000-0x0000000006622000-memory.dmp

Filesize
72KB

Download
memory/1460-27-0x0000000006780000-0x0000000006794000-memory.dmp

Filesize
80KB

Download
memory/1460-24-0x0000000006740000-0x000000000674C000-memory.dmp

Filesize
48KB

Download
memory/1460-28-0x0000000006790000-0x000000000679E000-memory.dmp

Filesize
56KB

Download
memory/1460-15-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/1460-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1460-14-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/1460-25-0x0000000006750000-0x0000000006764000-memory.dmp

Filesize
80KB

Download
memory/1460-23-0x0000000006720000-0x000000000672E000-memory.dmp

Filesize
56KB

Download
memory/1460-19-0x0000000005D20000-0x0000000005D32000-memory.dmp

Filesize
72KB

Download
memory/1460-21-0x0000000006600000-0x000000000660E000-memory.dmp

Filesize
56KB

Download
memory/1460-20-0x0000000005D30000-0x0000000005D4A000-memory.dmp

Filesize
104KB

Download
memory/1460-18-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/3832-1-0x0000000000590000-0x0000000000624000-memory.dmp

Filesize
592KB

Download
memory/3832-13-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3832-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/3832-10-0x0000000005150000-0x000000000516E000-memory.dmp

Filesize
120KB

Download
memory/3832-9-0x0000000005380000-0x0000000005414000-memory.dmp

Filesize
592KB

Download
memory/3832-8-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3832-7-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/3832-6-0x0000000005300000-0x0000000005376000-memory.dmp

Filesize
472KB

Download
memory/3832-5-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/3832-4-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/3832-3-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/3832-2-0x0000000005530000-0x0000000005AD4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads