nanocore | e9e64099c15c6850b94c2603fbdd740590e4aadca95ac03bb76c11a1969d9ae1

General

Target

f05290862fde867cfaad81d4be571636_JaffaCakes118.exe
Size

2.4MB
MD5

f05290862fde867cfaad81d4be571636
SHA1

403ff7bdf6597b64b253bc962e27033aed66d406
SHA256

e9e64099c15c6850b94c2603fbdd740590e4aadca95ac03bb76c11a1969d9ae1
SHA512

d3a355787d432d5fff35211cfe74cb8d1413a1fda828b98710796a038ce3412ca444e46c3b059b56081b8a46b0f515154bd66fdcb6b95322f7ae9fdda0b9168c
SSDEEP

49152:7CdW+NIRVRT111findksB10gI5h0kRKZg19awdDWNMQr5VmY2NQn8G7mKWteskA:7WtIxT11cGsBYFKm10wZWNKtVcmKikA

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.29.216:4050

Mutex

176627fc-9b6d-4f0a-ab26-654a31d03cfd

Attributes

activate_away_mode
true
backup_connection_host
185.244.29.216
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-15T10:38:24.409596736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4050
default_group
baby new
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
176627fc-9b6d-4f0a-ab26-654a31d03cfd
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 2 IoCs

pid	Process
2388	test.exe
2228	test.exe

Loads dropped DLL 3 IoCs

pid	Process
1912	cmd.exe
1912	cmd.exe
2388	test.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	test.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2228	2388	test.exe	33

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-1-0x0000000000400000-0x0000000000942000-memory.dmp	upx
behavioral1/memory/2228-14-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2228-19-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2228-17-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2228-16-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2228-13-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2228-10-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/3048-21-0x0000000000400000-0x0000000000942000-memory.dmp	upx
behavioral1/memory/2228-32-0x0000000000400000-0x000000000047F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05290862fde867cfaad81d4be571636_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2388	test.exe
2228	test.exe
2228	test.exe
2228	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	test.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2388	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1912	3048	f05290862fde867cfaad81d4be571636_JaffaCakes118.exe	31
PID 3048 wrote to memory of 1912	3048	f05290862fde867cfaad81d4be571636_JaffaCakes118.exe	31
PID 3048 wrote to memory of 1912	3048	f05290862fde867cfaad81d4be571636_JaffaCakes118.exe	31
PID 3048 wrote to memory of 1912	3048	f05290862fde867cfaad81d4be571636_JaffaCakes118.exe	31
PID 1912 wrote to memory of 2388	1912	cmd.exe	32
PID 1912 wrote to memory of 2388	1912	cmd.exe	32
PID 1912 wrote to memory of 2388	1912	cmd.exe	32
PID 1912 wrote to memory of 2388	1912	cmd.exe	32
PID 2388 wrote to memory of 2228	2388	test.exe	33
PID 2388 wrote to memory of 2228	2388	test.exe	33
PID 2388 wrote to memory of 2228	2388	test.exe	33
PID 2388 wrote to memory of 2228	2388	test.exe	33

C:\Users\Admin\AppData\Local\Temp\f05290862fde867cfaad81d4be571636_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05290862fde867cfaad81d4be571636_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      test.exe
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
628KB

MD5
e28a0e468b4d4ea54cc62afc34c6897c

SHA1
4840f9085bb4371303e3afb37c4a67bde0350005

SHA256
e2f4430cb0c04004e768adf6b47509db5ff20728ff21d691c87b132e8c374eb1

SHA512
308df8b94bd6f3daa317db03c05572a10813f196f661a03850855c3cafa73821ba5a1ec61e4796bb0269bd0c9a0c23c931fb079338088b4b024f9023e18a8fb8

Download Submit
memory/2228-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-34-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-19-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-20-0x00000000004F0000-0x0000000000528000-memory.dmp

Filesize
224KB

Download
memory/2228-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-10-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2228-18-0x00000000004F0000-0x0000000000528000-memory.dmp

Filesize
224KB

Download
memory/2388-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2388-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2388-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2388-8-0x0000000000350000-0x0000000000359000-memory.dmp

Filesize
36KB

Download
memory/3048-1-0x0000000000400000-0x0000000000942000-memory.dmp

Filesize
5.3MB

Download
memory/3048-21-0x0000000000400000-0x0000000000942000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing