nanocore | deb290d1814ac220e75764aa0cb487a9e5e5b7d0704611b083f1e69b437e9131 | Triage

Submit
Reports

Overview

overview

Static

static

3

a39b7b6d33...18.exe

windows7-x64

a39b7b6d33...18.exe

windows10-2004-x64

Sharing

General

Target

a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118
Size

906KB
Sample

240613-dgdstssblh
MD5

a39b7b6d3387114bbfba279dfe94fd59
SHA1

8d8aa54719b7b9258184e1b5fdb962b26272d872
SHA256

deb290d1814ac220e75764aa0cb487a9e5e5b7d0704611b083f1e69b437e9131
SHA512

59cce852cb32040219dbe9b9f47aea969dea9ee656c5bb96e177c6b8a20bf1d7e3ab5ea71bf141ae61f523dd666a16be06d1fe8ffc2eb64a6f08b3bb31e90484
SSDEEP

24576:f2O/GlXajxQlqZHtl7VX2HTLlwmxhKbH3rUO46GEm4:I7Yl5X2zLlwmxUT3i/4

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe

Resource

win7-20240611-en

nanocore keylogger persistence spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118.exe

Resource

win10v2004-20240508-en

nanocore keylogger persistence spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kgentle777.hopto.org:58887

kgentle77.duckdns.org:58887

Mutex

a505bdab-59dd-476b-933f-8d85db4e0377

Attributes

activate_away_mode
true
backup_connection_host
kgentle77.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-11-10T09:39:09.885360936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
58887
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a505bdab-59dd-476b-933f-8d85db4e0377
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kgentle777.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  a39b7b6d3387114bbfba279dfe94fd59_JaffaCakes118
- Size
  
  906KB
- MD5
  
  a39b7b6d3387114bbfba279dfe94fd59
- SHA1
  
  8d8aa54719b7b9258184e1b5fdb962b26272d872
- SHA256
  
  deb290d1814ac220e75764aa0cb487a9e5e5b7d0704611b083f1e69b437e9131
- SHA512
  
  59cce852cb32040219dbe9b9f47aea969dea9ee656c5bb96e177c6b8a20bf1d7e3ab5ea71bf141ae61f523dd666a16be06d1fe8ffc2eb64a6f08b3bb31e90484
- SSDEEP
  
  24576:f2O/GlXajxQlqZHtl7VX2HTLlwmxhKbH3rUO46GEm4:I7Yl5X2zLlwmxUT3i/4
Score

10^/10

nanocore keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocorekeyloggerpersistencespywarestealertrojan

behavioral2

nanocorekeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy