nanocore | a4d3c825a4ec99bcac7e75cecfb3f837c5b4c752c9ee49a070193fcf5221c9bf

General

Target

JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
Size

740KB
MD5

1f104b823c9ac140f99dee39536db4e0
SHA1

1551da1ade3252b446d7a7d80295697138859c50
SHA256

a4d3c825a4ec99bcac7e75cecfb3f837c5b4c752c9ee49a070193fcf5221c9bf
SHA512

f124db7fce940fd31ab99d4dfb9adafa1d24da985c976136e96637267146cb310d39b79382e447fff07f142b40dbb2c5c731d180e739ea8e6b0e507e618a8e30
SSDEEP

12288:P2ghLvPhXpe3Plf/X+tGrn33gUdCjIXjT6rrqX8lb7LMsHPEibTxzGmlFQJBk:BXhZgPlfrrAU4jprrjH3HJFz9+e

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	infopdf.sfx.exe

Executes dropped EXE 2 IoCs

pid	Process
2464	infopdf.sfx.exe
2000	info pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe"	info pdf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	info pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
63	6.tcp.ngrok.io
3	6.tcp.ngrok.io
17	6.tcp.ngrok.io
41	6.tcp.ngrok.io
47	6.tcp.ngrok.io
51	6.tcp.ngrok.io
58	6.tcp.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	info pdf.exe
File opened for modification	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	info pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	infopdf.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
4300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2000	info pdf.exe
2000	info pdf.exe
2000	info pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2000	info pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	info pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2160	2508	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	82
PID 2508 wrote to memory of 2160	2508	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	82
PID 2508 wrote to memory of 2160	2508	JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe	82
PID 2160 wrote to memory of 2464	2160	cmd.exe	85
PID 2160 wrote to memory of 2464	2160	cmd.exe	85
PID 2160 wrote to memory of 2464	2160	cmd.exe	85
PID 2464 wrote to memory of 2000	2464	infopdf.sfx.exe	86
PID 2464 wrote to memory of 2000	2464	infopdf.sfx.exe	86
PID 2464 wrote to memory of 2000	2464	infopdf.sfx.exe	86
PID 2000 wrote to memory of 1720	2000	info pdf.exe	87
PID 2000 wrote to memory of 1720	2000	info pdf.exe	87
PID 2000 wrote to memory of 1720	2000	info pdf.exe	87
PID 2000 wrote to memory of 4300	2000	info pdf.exe	89
PID 2000 wrote to memory of 4300	2000	info pdf.exe	89
PID 2000 wrote to memory of 4300	2000	info pdf.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f104b823c9ac140f99dee39536db4e0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\inf.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\infopdf.sfx.exe
    infopdf.sfx.exe -pbara -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA67.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBAB6.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inf.bat

Filesize
36B

MD5
934627ff4a68a982fa6804cb94c3dfa3

SHA1
de095d8190f945384e1a801f2c800d40d4fd3612

SHA256
38133ed3a3fba9525559006d0338baa897f7889a6149371d1daae30e3ce6dd06

SHA512
e5277ca8c0a082207612101450f73a5d60bbf48256faa975645394aa3eda96147a0f4ec6822f0992bd26029eeb58ea1eb29c5805bfcc9715829562e9a024e12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\infopdf.sfx.exe

Filesize
580KB

MD5
e91a7d804e54dc53e026f56e3e45961c

SHA1
a045896bbe4797cd80890c17b23cd29bbdc9beab

SHA256
350a690a878fc026118975c88170de5aa73f42d2b514ce749f68e95bbbb01858

SHA512
c07c8ce06dc322d7c6f7d401f7906dcfdf0e7af7fce99c7c455d6668be97501a45d9a4b4443e2abb361fb7b206b2411eb45f8cd81909e388a2a0bcf68f12ccf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\info pdf.exe

Filesize
431KB

MD5
d43d29275fb37b0f267e09235f8a6796

SHA1
816ef7e3993c2c9a88829fa34eda6d3495044b86

SHA256
729c2c1508855eee3acee4055dc7ea2f4a17d97b6eb0ca903fd24720dfd7f2b0

SHA512
27bafd46aafdce0db91700bc8995e55958693a17f9938f3f94e7c6230a472723faaee6a10d07ad2e50237abd3a7211d4ad171b8492adfbca07dafcee4bdb0c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA67.tmp

Filesize
1KB

MD5
2d19ad7392f7f5d0c9cfd97dfc77f73a

SHA1
e4f9fe47a8ccbedd509e608dfcec29216da1288f

SHA256
8cbdcb135a0503b74a0774d5dc660f927f39681491f0dd0ce3762a0005e2e7aa

SHA512
672511f97c7ba0e7dfc106c343dcbadfdb838f9987ba876e6b5ac936ef33fe91186b5d5ab0bce3c9c0e0178b59b12711bcf9977c65099df891c25efb547ef1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAB6.tmp

Filesize
1KB

MD5
41808f05a9aa523d0ef506d4993f1d6c

SHA1
5a228145decf63ebbbd673c9b7c08a86236a22d4

SHA256
f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731

SHA512
7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

Download Submit
memory/2000-19-0x0000000001670000-0x0000000001680000-memory.dmp

Filesize
64KB

Download
memory/2000-27-0x0000000001670000-0x0000000001680000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads