nanocore | 4151897619823917cf3420046de0a8d3c0da19995acbcb134cc784250945d53a

General

Target

d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
Size

928KB
MD5

d3a6b2942804437bb23319f5df1e56c3
SHA1

27e4cff6374c24928b365a80aef85697025b2af3
SHA256

4151897619823917cf3420046de0a8d3c0da19995acbcb134cc784250945d53a
SHA512

a0bd4f47c5ab4a1f5e7c637430593b5585ce691120ba84171c22e2bbd5a113546f81242ba5a0fb200fd90a33d774ab4960be66f79ee2c26e8dd065ab16707f16
SSDEEP

24576:X0I9AIw98hljilLI1hBd/+xF8oEHA8sBMxWrj8MNj:Ee+6lmi1hD+3+RdxYjlh

Score

10^/10

nanocore snakekeylogger discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
send.one.com
Port:
587
Username:
[email protected]
Password:
btRhqDDqbQXOw2SC
Email To:
[email protected]

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb4-35.dat	family_snakekeylogger
behavioral2/memory/5084-43-0x00000000004E0000-0x0000000000504000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3520	ikmerro nano.exe
5084	snake logger.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Monitor = "C:\\Program Files (x86)\\SCSI Monitor\\scsimon.exe"	ikmerro nano.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ikmerro nano.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	checkip.dyndns.org
37	freegeoip.app
38	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SCSI Monitor\scsimon.exe	ikmerro nano.exe
File opened for modification	C:\Program Files (x86)\SCSI Monitor\scsimon.exe	ikmerro nano.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikmerro nano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1520	schtasks.exe
2840	schtasks.exe
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	snake logger.exe
3520	ikmerro nano.exe
3520	ikmerro nano.exe
3520	ikmerro nano.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3520	ikmerro nano.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	snake logger.exe
Token: SeDebugPrivilege	3520	ikmerro nano.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1520	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	99
PID 4680 wrote to memory of 1520	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	99
PID 4680 wrote to memory of 1520	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	99
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4680 wrote to memory of 4272	4680	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	101
PID 4272 wrote to memory of 3520	4272	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	102
PID 4272 wrote to memory of 3520	4272	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	102
PID 4272 wrote to memory of 3520	4272	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	102
PID 4272 wrote to memory of 5084	4272	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	103
PID 4272 wrote to memory of 5084	4272	d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe	103
PID 3520 wrote to memory of 2840	3520	ikmerro nano.exe	105
PID 3520 wrote to memory of 2840	3520	ikmerro nano.exe	105
PID 3520 wrote to memory of 2840	3520	ikmerro nano.exe	105
PID 3520 wrote to memory of 4604	3520	ikmerro nano.exe	107
PID 3520 wrote to memory of 4604	3520	ikmerro nano.exe	107
PID 3520 wrote to memory of 4604	3520	ikmerro nano.exe	107

C:\Users\Admin\AppData\Local\Temp\d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fiPVDuIushYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8901.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\ikmerro nano.exe
    "C:\Users\Admin\AppData\Local\Temp\ikmerro nano.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp95F2.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2840
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9650.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4604
- - C:\Users\Admin\AppData\Local\Temp\snake logger.exe
    "C:\Users\Admin\AppData\Local\Temp\snake logger.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d3a6b2942804437bb23319f5df1e56c3_JaffaCakes118.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikmerro nano.exe

Filesize
217KB

MD5
ec962e97ec8150569cda2415c5d07628

SHA1
1043e3b22ceb0f35d695f2096af0c2a5b25a1000

SHA256
0195b5c6f14b4d3c3b9654187133f96e8c498a0831d2a0961b6885a8d4932e47

SHA512
3a98f28160429cbc23efcaf59f8f8e60ada03a80b7dbb917a44d97b8e9442ea275c4fda8dc25655aab7c73e264459c78ec56fdf7cf49df163a43be553d6b0179

Download Submit
C:\Users\Admin\AppData\Local\Temp\snake logger.exe

Filesize
121KB

MD5
e0c153e19ccb6366a79cf3571a191561

SHA1
dfee299bd88926e7b9f07c4ea8ae31d2cba69367

SHA256
bc903d20250251ec239811b9007c5221f5c267a1e1a9e9e8dd1eb05e062d5e06

SHA512
b8e88d57e87a7b4b75206477de934076f222fd757325ee80aaadebbc8a58f9b93898e1b9a9c31f8a0ff833c7358fcb0b0bd57e60c7ac55ffd9f6822238fbaa60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8901.tmp

Filesize
1KB

MD5
73abb301edd8cd3712eecbe4e82397ed

SHA1
a47957f54bbb0dd4688aa09141e753fb09ae4756

SHA256
5a16fc179e19c64457c1bf823fc34a48860fc3db12f82a4006693efe264ba338

SHA512
616738d671b02038b53fd0fb50764a996db40913299eda02e795009eaa6b8578852a9cf133513e42e44d34dbe0da5e9b9a01476a3a060a376cfe1e0a8f2d2f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95F2.tmp

Filesize
1KB

MD5
de7b292240c4c9c91f0162c3cc05f7a5

SHA1
6d0150832d202896ad611cf840d8e794355ba276

SHA256
f63da8e36f2ec1c72796d9a7fc847fd0664eb70309220f235cade3298067ce4f

SHA512
a5df353a2ae111c3b847f26b7de7dab9b3ac323de55679e91f9d6f17d0d551ba783bef3c5603ae436aa5e5708fc9e6a97036927fc0c4239b51486e79e51f996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9650.tmp

Filesize
1KB

MD5
2862e61d09852ea2886c036af0465051

SHA1
45e30b14543868213f7f1cba0a1e0cc840fb2cd2

SHA256
d4ba6219d0aff5a36d129a8475cf35b00043d205f751f63ddd56a5c7d4a03ff3

SHA512
33dfd9d12adaa19dd3d4dd7013930e233dd3ff1d114e1e86e50d20ffa848a27582eebdffc09ab974b8de86316c01da6f6254f349992ad507d0f8b13cf0e36579

Download Submit
memory/3520-52-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3520-42-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/4272-20-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-44-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-23-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4272-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4680-21-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4680-1-0x0000000000090000-0x000000000017C000-memory.dmp

Filesize
944KB

Download
memory/4680-4-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/4680-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/4680-11-0x0000000008A70000-0x0000000008AEC000-memory.dmp

Filesize
496KB

Download
memory/4680-10-0x0000000006460000-0x000000000652E000-memory.dmp

Filesize
824KB

Download
memory/4680-2-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/4680-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/4680-9-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4680-8-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/4680-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4680-7-0x0000000005EC0000-0x0000000005EDA000-memory.dmp

Filesize
104KB

Download
memory/4680-6-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/5084-43-0x00000000004E0000-0x0000000000504000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads