nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_b492a779314f8e5acadc326421167bd4ac3ed160d9ad85ce5bd02d71434caa00
Size

5.0MB
Sample

241228-3l9hqswjak
MD5

7b680fdd7ef26a6db365f28a74625d72
SHA1

c0a256e4f07a22b1db497545680afab7e0f5ebc8
SHA256

b492a779314f8e5acadc326421167bd4ac3ed160d9ad85ce5bd02d71434caa00
SHA512

6cb1e8d0b96cdff86c4b1bd1a984f78b94ebe036b8a610bec478850d7084a1cfbcf2dba5f47aa56dd4e65afd535fbc3c81780bcdd30bbc51f8ca2d6c0d2ee1de
SSDEEP

98304:a4OFGq9x9lwfVJlldCNVq7uYuxcKTF9eblC760WxHunuBuUVoNU4/:a4O8E9AJXT7uPxJeblC760z+K3

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

aboki0419.duckdns.org:9900

abokijob.hopto.org:9900

Mutex

a0c4817f-89a6-4daf-be72-4cec2c6ad4d3

Attributes

activate_away_mode
true
backup_connection_host
abokijob.hopto.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-09-24T13:12:11.549725036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9900
default_group
1001
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a0c4817f-89a6-4daf-be72-4cec2c6ad4d3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
aboki0419.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Malware Samples/0e634c282954fed04fc11071c8e6e13f.danger
- Size
  
  189KB
- MD5
  
  0e634c282954fed04fc11071c8e6e13f
- SHA1
  
  56e7f78b0d49bc74701ceb51e9be0ea0179b9841
- SHA256
  
  f11750939680d28d724a73bb0830a04fa7b926aead104ad7d0d8d76df634686f
- SHA512
  
  69e1a22f060f550255e20142afbc26b723ccab3c1f8541910f81c44832ce28b23a7e39fe7623afc444854e56f3e8a3560d55f9e60cd2ab8c5922800131e8c415
- SSDEEP
  
  3072:8U52y/Gdy7ktGDWLS0HZWD5w8K7Nk9JD7IBUrndHx/SvYp+KK:h52k4LtGiL3HJk9JD7brnnSQp+7
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Malware Samples/12e90e4b70e21ee2e80f2563f43e72ab.danger
- Size
  
  125KB
- MD5
  
  12e90e4b70e21ee2e80f2563f43e72ab
- SHA1
  
  85d7d298d8543f3dfc91d22225d1e9dad7fb10d4
- SHA256
  
  e8d3e9d5d4c9257a079e4140d2a7806854440a260a933a0f46c2d3a1979ecc9b
- SHA512
  
  9e7acc9a0030f98388866b1b36bfabffd253701624c85730e201cfe5f957b1807f2fa6cee4a6f131449cec428932b692615d0773b4cf0c472530e3701deb2800
- SSDEEP
  
  3072:FaKgdzSrG8KyIwLx3BhgC1s0rPOWfKNRd:FaKUzSLnLx3P3O0r2WfKN7
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Malware Samples/1d8789bb3b825f6119fbf8aaff2a7db2.danger
- Size
  
  184KB
- MD5
  
  1d8789bb3b825f6119fbf8aaff2a7db2
- SHA1
  
  c3c923900dbb997382936a5d923826c129d3bdaa
- SHA256
  
  5b281e3da52b533526e1e65746b8df24b33dde2f8f6f8700bd78823edb47f5d7
- SHA512
  
  297fb5d85275ee6e0f11d2372a3aa7ef028d559e6214d7c911232b0c9e9c1d6176f7159e906c3b3a3dc390d6cf6139f84b360f5192932d9668db670b05aa8ca5
- SSDEEP
  
  3072:FS2y/GdyjktGDWLS0HZWD5w8K7Nk9KD7IBUAFlsRZzpr3MBIBmXnoCGHkB/oc0:FS2k4ztGiL3HJk9KD7bAFlsDpr8BIBmS
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Malware Samples/2fe23715380e143ce8dfcd815d82a66f.danger
- Size
  
  195KB
- MD5
  
  2fe23715380e143ce8dfcd815d82a66f
- SHA1
  
  53ecdc4bc5e6c234840d069b570bc1159fd1ee20
- SHA256
  
  53c41353c60c2514c555e9c49ace7fd4ed2a45b100efa102b7ca6024ba591b0d
- SHA512
  
  7f1fcb466eddfe4229272ec145503661cc32fa29bcbad2951e2ebb22e1be1a4801451ab814ede12ec71848b88ed5d13b982aaf1c72e9ee7cf2a7664325cd1e30
- SSDEEP
  
  3072:MSQhIH+UaqFh5lr/SzFaSadGBrjC48+WZ/POhh+/d9t/hWO05VkN:MSQhIHNaqHSzGdD48+aPOnI9zWOK2
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Malware Samples/3449d1d98ec260570959636e381f0daf.danger
- Size
  
  190KB
- MD5
  
  3449d1d98ec260570959636e381f0daf
- SHA1
  
  445e0106d224d9c372c29059e8fa6f083aba98cd
- SHA256
  
  6c6738b570b485ffbf787d3514670c649339fb71fc8b0742ef6bac4f5385a020
- SHA512
  
  f5c560c12c6c0ec544ad929c4a5b875e63211a1a58bb294c25b4f52eb21557eb5710c9e7090094cee7859c66e5d72e8971a91893eb1e8c4d30f64e4c2ad0528a
- SSDEEP
  
  3072:8SB2y/Gdy7ktGDWLS0HZWD5w8K7Nk9JD7IBUxndHx/SvYp+KO:zB2k4LtGiL3HJk9JD7bxnnSQp+p
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Malware Samples/3608a584e78a18b8281b7da7956c38dc.danger
- Size
  
  184KB
- MD5
  
  3608a584e78a18b8281b7da7956c38dc
- SHA1
  
  cbf7a13d17de6fd06bcb40e253bbde9275cdef9b
- SHA256
  
  b20ec4d553dbfbd429f250574d665236c74b3ee44c0e7b7d3d718dc7fed30cb6
- SHA512
  
  f7133f5d705f72520e680320c79f98c5f23e98d6840cf107aba816b627501e2ae76214c5a47e1a4c214780f30ebc03c00500a7734d74aec2aec3ca3706998cef
- SSDEEP
  
  3072:YT2y/GdyDktGDWLS0HZWD5w8K7Nk9uD7IBUypCI8LL9QZL+jzdDym/ANmMAmMoRy:YT2k4TtGiL3HJk9uD7bsCI8LL9QZL+jv
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Malware Samples/3756d7ffc712e924f8f5b795a349f9ee.danger
- Size
  
  165KB
- MD5
  
  3756d7ffc712e924f8f5b795a349f9ee
- SHA1
  
  d86cf24c4ff4de457526084e0b1588425837f71a
- SHA256
  
  2278d355756398bc2771b5a1b69ce4d98aa59bcb91fc43ddcbd7e019dd18497f
- SHA512
  
  88fc65b8877918b577d1661b6839be4c47f8083069923e533492637941de6dfca8512825bce5447f72f6dde6bd6694df79f7ce82f3ddcc266d8b4deecc1e6aaa
- SSDEEP
  
  3072:wHRaUaqFh51r/SzFaSadGBrjC48+WZ/POhh+/DHRZKa12MG:wHRBaqbSzGdD48+aPOnYRZKa12T
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Malware Samples/3910f5a17b016e4de8bf330d6348f211.danger
- Size
  
  172KB
- MD5
  
  3910f5a17b016e4de8bf330d6348f211
- SHA1
  
  445d04640b1af9785f8b52b8151fbc257dd54fed
- SHA256
  
  bd6e209b43ba05b1c30b60510f02ef0f58c0a2b12bdfbe48f0274678d9a600da
- SHA512
  
  43bc24f2c3ac8dae30464015863b832e29b9f3c6adbcf4d449ff9ad42f74857c492e3ae21302056ff6f3b5d5d09bb6d28b3ffb65f5faf5c0e4d682243a9d63e4
- SSDEEP
  
  3072:OH7nUaqFh57r/SzFaSadGBrjC48+WZ/POhh+/F/Ifxm6U5HOLrd3iRVUdszA1T:OH7UaqdSzGdD48+aPOnI/Ifxm6U5HOLJ
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  6287467283873,pdf.exe
- Size
  
  392KB
- MD5
  
  7d05704659c455feb3db77a62fe601bb
- SHA1
  
  803b4d7d1a5a75c1afaa715477a4250b031e8ac2
- SHA256
  
  5f04144eb435bf9f55a34c4ff65c42438249640b7cf8228cd9a5cbc84f291d64
- SHA512
  
  1632acabaeec7a10ed504f3a75dd065b7238ffa086431b82140f0788ce8769fd31b5087bee352914f56e226ce2c79794d6814900127e8efb92a0a73111a402a5
- SSDEEP
  
  6144:vdxgw0ffdLQt2OOn6RGDbvvpQrSUQ0vK1PjxJ2lwipq17:Vxgw0ffdLzOhRwvmrScKlmlnq17
Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  Malware Samples/4ea2ebaf57eae1cd10481a68d0bf7823.danger
- Size
  
  164KB
- MD5
  
  4ea2ebaf57eae1cd10481a68d0bf7823
- SHA1
  
  6a4236612f647a759848897bb05686825bb3b8c2
- SHA256
  
  ed890365a992734f3b751ada24636658025f74ae2e097106062de88d78d77043
- SHA512
  
  be6182ce5309fdef1afa73f3d1b6821cffd14ef0b08e443ab8d9b4d38fd92b797ee53a4d86d503c9bd3dd606c70e6044e8459ddcd25c8efd3de9bfa0427a29be
- SSDEEP
  
  3072:PH/VUaqFh51r/SzFaSadGBrjC48+WZ/POhh+/6sB/bDcSJBod:PH/GaqbSzGdD48+aPOnXsRbDhJBy
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Malware Samples/53cbbf08fc5a6fb17799813e483efedc.danger
- Size
  
  189KB
- MD5
  
  53cbbf08fc5a6fb17799813e483efedc
- SHA1
  
  9a5c635740a31eb7c03083ca279965c6cf640467
- SHA256
  
  4f82bde52d13908fd77884ed0beefe2ed2bb9246a4f06255a46c8257cf78fffe
- SHA512
  
  411c3de3d346c3ae9a86a608ac6449ed5fb4bd4a1ed0dbb1613872715e93ade73f7f4ef390aa4ff086e9ff4600df4d4ed95d8955490e3e2ec9ca722b61644556
- SSDEEP
  
  3072:8J92y/Gdy7ktGDWLS0HZWD5w8K7Nk9JD7IBUTndHx/SvYp+Ke:I92k4LtGiL3HJk9JD7bTnnSQp+h
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Malware Samples/63e5798be7ba715c481aec7b2399f766.danger
- Size
  
  185KB
- MD5
  
  63e5798be7ba715c481aec7b2399f766
- SHA1
  
  275396d629861e030011c0155acc891f756456ef
- SHA256
  
  2b2aabaebbcaef76b058319870490f2dec8e950f8fd6533ffb8ed9c940d434a2
- SHA512
  
  0053de77dd10854c2480bc8319751198c34ea5fb142407b89de79024d51dfca1bd3e85ab193518e8dbf77a18e3ae6a83c9e7ce684c4164e2aee021de331fb415
- SSDEEP
  
  3072:Hy2y/GdyjktGDWLS0HZWD5w8K7Nk9KD7IBUTFlsRZzpr3MBIBmXnoCGHkB/occ:Hy2k4ztGiL3HJk9KD7bTFlsDpr8BIBmm
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Malware Samples/65f6dc37499e3054f0f328b27ceef4e7.danger
- Size
  
  179KB
- MD5
  
  65f6dc37499e3054f0f328b27ceef4e7
- SHA1
  
  08677335cc0b8d4641ebbf997e348dc56dcdaa29
- SHA256
  
  c765ecf47cc4ba7c01f89d2a7349570cd9ffe689498c807227fadcc78f291da2
- SHA512
  
  38ece089fe3b2ca6714fc710ff7f6aed30bbf83ffd717f4383247f990267ad4f5d51834ae278c88d221c111dc3a4b830363bfa79166261400a9c0bbc253d01bc
- SSDEEP
  
  3072:bF2y/GdybktGDWLS0HZWD5w8K7Nk9iD7IBUnMFaLrWZLQQy:bF2k4btGiL3HJk9iD7bnQaLrGLQ7
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  Malware Samples/66f36808089fee107c02503745fc19b4.danger
- Size
  
  190KB
- MD5
  
  66f36808089fee107c02503745fc19b4
- SHA1
  
  ddec06a4471f71a4e7e80c3b63d2fa9daabdbd0e
- SHA256
  
  a0a0e9f2908955f2e6533d1c10a96868fa4992f37397a64071260f4726b602aa
- SHA512
  
  52b0e4fa571893a90145958ec6ed890493e8cdf457226bf7c9ee85af50583d7b2e8851a9dc7f655b47948d5627f5038fc43ccefe893f1d2b38365f04c98133cd
- SSDEEP
  
  3072:8LB2y/Gdy7ktGDWLS0HZWD5w8K7Nk9JD7IBUwndHx/SvYp+Ke:yB2k4LtGiL3HJk9JD7bwnnSQp+h
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Malware Samples/6965e9bd1d11888c3c70895b241b1834.danger
- Size
  
  178KB
- MD5
  
  6965e9bd1d11888c3c70895b241b1834
- SHA1
  
  965c83dcf3ed250e4c153d96286b7746f33411d2
- SHA256
  
  151ba4f2edd183f0662c3514ba63817aca19ea7d4a8bbb702a6f3e23b7b58d0b
- SHA512
  
  a18f7f2edc5225c624ffa07da8ccdf0ca901164dd6f999b56824e9e10d10a0d55da5df709436fe47ba05085ef3cb87bbf44bba23bb01f083b3c632fd8d10a946
- SSDEEP
  
  3072:CZ2y/Gdy7ktGDWLS0HZWD5w8K7Nk9GD7IBUxlzA0Dl/S+vbF:CZ2k47tGiL3HJk9GD7bxZtp/S+vR
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Malware Samples/6ad036ba93c94d6976e2d93c7a3aec6f.danger
- Size
  
  172KB
- MD5
  
  6ad036ba93c94d6976e2d93c7a3aec6f
- SHA1
  
  cb098f7a0492454a31f3819a1b7ec143c0c507b6
- SHA256
  
  4ee0bf78e3b0a06c35fed0f912db6fabbb5fae13f838cd4132634359ad0d24da
- SHA512
  
  525d3ccb7078d6c34287307891023a47773cb3ec94d6e5d54a4c2cb4006be5ae3356238e8fe4ce5ff17767b8326af385a2be735dac8dbe78f10c185c665f7a00
- SSDEEP
  
  3072:vw2y/GdyrktGDWLS0HZWD5w8K7Nk9pD7IBUaT7jc5Hw:vw2k4jtGiL3HJk9pD7b+jMQ
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Nanocore family

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32