nanocore | 13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947

General

Target

fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Size

11.2MB
MD5

fe3ec61798741f90f745a0f508f78c33
SHA1

a61540c961cbc8cc90715c610ec7e957d4153757
SHA256

13e353b5aaf0a49286d0148954759cf4eb844087f28bf0be58f9fe0f8c9df947
SHA512

78fee25e34482064bdcbcdb1681c4156d6ecf5db1ede0273cbe8b8e887bd30a30c1fc9f4fc8bd4d7921321386d8728ddc4dfdd0ab44b1c76ed3a490b23d2e9ee
SSDEEP

196608:ytgZqGeTGDbev2aL8bpXxOUu8q7WtnlpWGj8zPMw4XtPRk4R3BxCkfHOU08:bqGeTGWv2hlJj8SXtPR/3BxZHlX

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

lordranseierpilot.from-ms.com:4419

lordranseier.from-de.com:4419

Mutex

3840f080-c49f-4256-bcbf-eb2fbb38fb91

Attributes

activate_away_mode
true
backup_connection_host
lordranseier.from-de.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-10-14T12:02:11.615420136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4419
default_group
Olsders
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3840f080-c49f-4256-bcbf-eb2fbb38fb91
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
lordranseierpilot.from-ms.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 3 IoCs

pid	Process
2508	Vector Magic.exe
2760	Olsders_8.exe
2692	Olsders_8.exe

Loads dropped DLL 10 IoCs

pid	Process
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
2760	Olsders_8.exe
2760	Olsders_8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Olsders_8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2692	2760	Olsders_8.exe	33

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.exe	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
File created	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Uninstall.ini	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vector Magic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olsders_8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olsders_8.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000016ce0-25.dat	nsis_installer_2
behavioral1/files/0x0008000000016cab-39.dat	nsis_installer_1
behavioral1/files/0x0008000000016cab-39.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2760	Olsders_8.exe
2760	Olsders_8.exe
2760	Olsders_8.exe
2760	Olsders_8.exe
2692	Olsders_8.exe
2692	Olsders_8.exe
2692	Olsders_8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	Olsders_8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2760	Olsders_8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	Olsders_8.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2508	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2508	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2508	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2508	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2760	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2760	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2760	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2760	2368	fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2692	2760	Olsders_8.exe	33
PID 2760 wrote to memory of 2692	2760	Olsders_8.exe	33
PID 2760 wrote to memory of 2692	2760	Olsders_8.exe	33
PID 2760 wrote to memory of 2692	2760	Olsders_8.exe	33
PID 2760 wrote to memory of 2692	2760	Olsders_8.exe	33

C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe3ec61798741f90f745a0f508f78c33_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe
  "C:\Program Files (x86)\© Cedar Lake Ventures, Inc.\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Users\Admin\AppData\Roaming\Olsders_8.exe
  "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\Olsders_8.exe
    "C:\Users\Admin\AppData\Roaming\Olsders_8.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
3.0MB

MD5
e8992b1cf5ca990fc3781860d82eef4d

SHA1
3ad636b85ce23d58303e1ab453f55fe7f5eb71b8

SHA256
37d5faa577d6643212c71f952e4132f8284a0f997bbc8c665e0584de87f38827

SHA512
a827b83bb9019bdfa7fb187364799dd05e1b33c11617d38327f72add41b6a87f85d9788b4caa75b4d65783bd593cd543a0ef66d03639cfaa166c1f9914871f2d

Download Submit
\Program Files (x86)\© Cedar Lake Ventures, Inc\Vector Magic 1.15 Portable Win x32+x64 Multi Préactivé\Vector Magic.exe

Filesize
32.6MB

MD5
008447156ab02ae2c7428639b2c812df

SHA1
9b4de5635152b5d217b7c22f18141ca1efecc52c

SHA256
d9ed5b3ba625da9acf731290d3d45cc1192336c8beda5652f757ab8a3d4bdc00

SHA512
caa2b5c9d6b23a7763a4aa117b3df2239006710f7f61398b3e059596160d20e98f2fb5ad2b2387d1b235e3d95c031d8fa65b8cd88f7bd294df7d89a540908c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF603.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Roaming\Olsders_8.exe

Filesize
512KB

MD5
f49790681940884fe1df35a094f09b50

SHA1
5ac2fdc8530239f9a56f185b4ec28adaf0417865

SHA256
f54a4d8df2d9b58d1dae11003b21bef238239b16a1823269a8da73aaacdf1aa6

SHA512
d812f9cb50265ecba35e65c5add77c5da96633eebb3efbd8d174894725cda7b5457f8e4f3d4ab5a04035361325941bb375d6698f024b829eeff8ce07e8206a53

Download Submit
memory/2368-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-51-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2692-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2692-69-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2692-67-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2692-71-0x0000000001E80000-0x0000000001EB8000-memory.dmp

Filesize
224KB

Download
memory/2692-73-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/2692-74-0x0000000005080000-0x000000000509E000-memory.dmp

Filesize
120KB

Download
memory/2692-75-0x0000000002250000-0x000000000225A000-memory.dmp

Filesize
40KB

Download
memory/2692-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing