nanocore | 0e3d407a6703aa6daac111afc3ef6db70db97cc98bff8b33cc96d97d10a78cdf | Triage

Sharing

General

Target

f4b7c7fd4a506534cd052fde285714cb_JaffaCakes118
Size

873KB
Sample

241215-te5frsypcs
MD5

f4b7c7fd4a506534cd052fde285714cb
SHA1

9d2abc759ce6f9f5eef3082258c9d742ac57b5bc
SHA256

0e3d407a6703aa6daac111afc3ef6db70db97cc98bff8b33cc96d97d10a78cdf
SHA512

ff127c0c8665a292448053eef48cb33016546dc51875c48c5ba1c618dd82fab9a4d7226260632dacf0d09796fed518a7e3e7c73abdfda75861d4a8991be217e5
SSDEEP

24576:/kxpckImocfg6puArbvH+2UU7DnBnpx9eRRkBflmIlTVo:/opBeBOFpjcGBgaT

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.30.63:1916

127.0.0.1:1916

Mutex

bce1779d-9a41-430e-abc2-737cf5900556

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-21T21:52:34.187380636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1916
default_group
Nano
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bce1779d-9a41-430e-abc2-737cf5900556
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.244.30.63
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  f4b7c7fd4a506534cd052fde285714cb_JaffaCakes118
- Size
  
  873KB
- MD5
  
  f4b7c7fd4a506534cd052fde285714cb
- SHA1
  
  9d2abc759ce6f9f5eef3082258c9d742ac57b5bc
- SHA256
  
  0e3d407a6703aa6daac111afc3ef6db70db97cc98bff8b33cc96d97d10a78cdf
- SHA512
  
  ff127c0c8665a292448053eef48cb33016546dc51875c48c5ba1c618dd82fab9a4d7226260632dacf0d09796fed518a7e3e7c73abdfda75861d4a8991be217e5
- SSDEEP
  
  24576:/kxpckImocfg6puArbvH+2UU7DnBnpx9eRRkBflmIlTVo:/opBeBOFpjcGBgaT
Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerspywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerspywarestealertrojan