nanocore | a4d3c825a4ec99bcac7e75cecfb3f837c5b4c752c9ee49a070193fcf5221c9bf

General

Target

JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
Size

740KB
MD5

1f104b823c9ac140f99dee39536db4e0
SHA1

1551da1ade3252b446d7a7d80295697138859c50
SHA256

a4d3c825a4ec99bcac7e75cecfb3f837c5b4c752c9ee49a070193fcf5221c9bf
SHA512

f124db7fce940fd31ab99d4dfb9adafa1d24da985c976136e96637267146cb310d39b79382e447fff07f142b40dbb2c5c731d180e739ea8e6b0e507e618a8e30
SSDEEP

12288:P2ghLvPhXpe3Plf/X+tGrn33gUdCjIXjT6rrqX8lb7LMsHPEibTxzGmlFQJBk:BXhZgPlfrrAU4jprrjH3HJFz9+e

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 2 IoCs

pid	Process
2664	infopdf.sfx.exe
2560	info pdf.exe

Loads dropped DLL 5 IoCs

pid	Process
1828	cmd.exe
2664	infopdf.sfx.exe
2664	infopdf.sfx.exe
2664	infopdf.sfx.exe
2664	infopdf.sfx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"	info pdf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	info pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
11	6.tcp.ngrok.io
13	6.tcp.ngrok.io
15	6.tcp.ngrok.io
20	6.tcp.ngrok.io
22	6.tcp.ngrok.io
2	6.tcp.ngrok.io
4	6.tcp.ngrok.io
6	6.tcp.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	info pdf.exe
File opened for modification	C:\Program Files (x86)\DPI Subsystem\dpiss.exe	info pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	infopdf.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1072	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2560	info pdf.exe
2560	info pdf.exe
2560	info pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2560	info pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	info pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1828	2888	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	30
PID 2888 wrote to memory of 1828	2888	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	30
PID 2888 wrote to memory of 1828	2888	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	30
PID 2888 wrote to memory of 1828	2888	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	30
PID 1828 wrote to memory of 2664	1828	cmd.exe	32
PID 1828 wrote to memory of 2664	1828	cmd.exe	32
PID 1828 wrote to memory of 2664	1828	cmd.exe	32
PID 1828 wrote to memory of 2664	1828	cmd.exe	32
PID 2664 wrote to memory of 2560	2664	infopdf.sfx.exe	33
PID 2664 wrote to memory of 2560	2664	infopdf.sfx.exe	33
PID 2664 wrote to memory of 2560	2664	infopdf.sfx.exe	33
PID 2664 wrote to memory of 2560	2664	infopdf.sfx.exe	33
PID 2560 wrote to memory of 1072	2560	info pdf.exe	34
PID 2560 wrote to memory of 1072	2560	info pdf.exe	34
PID 2560 wrote to memory of 1072	2560	info pdf.exe	34
PID 2560 wrote to memory of 1072	2560	info pdf.exe	34
PID 2560 wrote to memory of 2964	2560	info pdf.exe	36
PID 2560 wrote to memory of 2964	2560	info pdf.exe	36
PID 2560 wrote to memory of 2964	2560	info pdf.exe	36
PID 2560 wrote to memory of 2964	2560	info pdf.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\inf.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\infopdf.sfx.exe
    infopdf.sfx.exe -pbara -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp644F.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64DC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inf.bat

Filesize
36B

MD5
934627ff4a68a982fa6804cb94c3dfa3

SHA1
de095d8190f945384e1a801f2c800d40d4fd3612

SHA256
38133ed3a3fba9525559006d0338baa897f7889a6149371d1daae30e3ce6dd06

SHA512
e5277ca8c0a082207612101450f73a5d60bbf48256faa975645394aa3eda96147a0f4ec6822f0992bd26029eeb58ea1eb29c5805bfcc9715829562e9a024e12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\infopdf.sfx.exe

Filesize
580KB

MD5
e91a7d804e54dc53e026f56e3e45961c

SHA1
a045896bbe4797cd80890c17b23cd29bbdc9beab

SHA256
350a690a878fc026118975c88170de5aa73f42d2b514ce749f68e95bbbb01858

SHA512
c07c8ce06dc322d7c6f7d401f7906dcfdf0e7af7fce99c7c455d6668be97501a45d9a4b4443e2abb361fb7b206b2411eb45f8cd81909e388a2a0bcf68f12ccf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp644F.tmp

Filesize
1KB

MD5
2d19ad7392f7f5d0c9cfd97dfc77f73a

SHA1
e4f9fe47a8ccbedd509e608dfcec29216da1288f

SHA256
8cbdcb135a0503b74a0774d5dc660f927f39681491f0dd0ce3762a0005e2e7aa

SHA512
672511f97c7ba0e7dfc106c343dcbadfdb838f9987ba876e6b5ac936ef33fe91186b5d5ab0bce3c9c0e0178b59b12711bcf9977c65099df891c25efb547ef1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64DC.tmp

Filesize
1KB

MD5
5fea24e883e06e4df6d240dc72abf2c5

SHA1
d778bf0f436141e02df4b421e8188abdcc9a84a4

SHA256
e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66

SHA512
15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe

Filesize
431KB

MD5
d43d29275fb37b0f267e09235f8a6796

SHA1
816ef7e3993c2c9a88829fa34eda6d3495044b86

SHA256
729c2c1508855eee3acee4055dc7ea2f4a17d97b6eb0ca903fd24720dfd7f2b0

SHA512
27bafd46aafdce0db91700bc8995e55958693a17f9938f3f94e7c6230a472723faaee6a10d07ad2e50237abd3a7211d4ad171b8492adfbca07dafcee4bdb0c04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads