nanocore

General

Target

ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118
Size

530KB
Sample

241213-f4bm4azkay
MD5

ea184a14a40394f152e2c08eb9ba62ee
SHA1

80a98688698a29681588d5fa23382b1fa33279b5
SHA256

46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d
SHA512

d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6
SSDEEP

6144:GrtIRxHou3JQW6ioI+CCeNsHLFwoRgv/uxEj0qqVqOjgsVP/RG4vDuK8tFAnpLLC:GORP36Wz8CCeMF5s2jBLG4buJgtY6qZ

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

79.134.225.124:1604

lambertofield1.ddns.net:1604

Mutex

0d315a12-7176-4d64-b8c3-817b06b4e0c7

Attributes

activate_away_mode
true
backup_connection_host
lambertofield1.ddns.net
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2021-04-11T06:44:19.506592036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
Async
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0d315a12-7176-4d64-b8c3-817b06b4e0c7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
79.134.225.124
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  ea184a14a40394f152e2c08eb9ba62ee_JaffaCakes118
- Size
  
  530KB
- MD5
  
  ea184a14a40394f152e2c08eb9ba62ee
- SHA1
  
  80a98688698a29681588d5fa23382b1fa33279b5
- SHA256
  
  46a8154f10cee5ed12613adee278ae790a10b359191ce045e94d0d8191f1389d
- SHA512
  
  d0232a2e16c8bf3e160446ee139c23ee0562b0e0161aa1153af84452be0db7a859a5a27e9e1f917186b25339f9be1a298218d21021f12a5758d07e0ff3156ac6
- SSDEEP
  
  6144:GrtIRxHou3JQW6ioI+CCeNsHLFwoRgv/uxEj0qqVqOjgsVP/RG4vDuK8tFAnpLLC:GORP36Wz8CCeMF5s2jBLG4buJgtY6qZ
Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2