nanocore | bcfbf1fd4641c8b686c9dabd458b4db3efdcf03157fa7b09515a00e980e889ce

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe
Size

806KB
MD5

a8d385367ec6e7c892816e137900ff79
SHA1

8d6b34a726c8206d3c76c0b2e418ae064e5eaac0
SHA256

bcfbf1fd4641c8b686c9dabd458b4db3efdcf03157fa7b09515a00e980e889ce
SHA512

2f9f0f27fa3ff7db5f4afa46826ee0e85e30e918dbd58ae0162b3cbc7aeaafc647e88263758f2fb2e00d9d0bd5f4584b808ee0dbe1eaf15f6a05b123a48d4f43
SSDEEP

24576:rmoO8itEqfZm27QKJ44ZErvgjUn2wTF/2W:qvZpQKPErvWKF/9

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exeoutlook.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	outlook.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

outlook.sfx.exeoutlook.exe

pid process

4780 outlook.sfx.exe
3692 outlook.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

outlook.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files\\PCI Service\\pcisv.exe" outlook.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

outlook.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA outlook.exe
Drops file in Program Files directory 2 IoCs

Processes:

outlook.exe

description ioc process

File created C:\Program Files\PCI Service\pcisv.exe outlook.exe
File opened for modification C:\Program Files\PCI Service\pcisv.exe outlook.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

outlook.exe

pid process

3692 outlook.exe
3692 outlook.exe
3692 outlook.exe
3692 outlook.exe
3692 outlook.exe
3692 outlook.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

outlook.exe

pid process

3692 outlook.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

outlook.exe

description pid process

Token: SeDebugPrivilege 3692 outlook.exe

pid	process
4780	outlook.sfx.exe
3692	outlook.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files\\PCI Service\\pcisv.exe"	outlook.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	outlook.exe

description	ioc	process
File created	C:\Program Files\PCI Service\pcisv.exe	outlook.exe
File opened for modification	C:\Program Files\PCI Service\pcisv.exe	outlook.exe

pid	process
3692	outlook.exe
3692	outlook.exe
3692	outlook.exe
3692	outlook.exe
3692	outlook.exe
3692	outlook.exe

pid	process
3692	outlook.exe

description	pid	process
Token: SeDebugPrivilege	3692	outlook.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a8d385367ec6e7c892816e137900ff79_JaffaCakes118.execmd.exeoutlook.sfx.exe

description	pid	process	target process
PID 2084 wrote to memory of 732	2084	a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 732	2084	a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe	cmd.exe
PID 2084 wrote to memory of 732	2084	a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe	cmd.exe
PID 732 wrote to memory of 4780	732	cmd.exe	outlook.sfx.exe
PID 732 wrote to memory of 4780	732	cmd.exe	outlook.sfx.exe
PID 732 wrote to memory of 4780	732	cmd.exe	outlook.sfx.exe
PID 4780 wrote to memory of 3692	4780	outlook.sfx.exe	outlook.exe
PID 4780 wrote to memory of 3692	4780	outlook.sfx.exe	outlook.exe

C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8d385367ec6e7c892816e137900ff79_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
outlook.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\frg.bat
Filesize
30B

MD5
ffa5e8316d6624bc4988a91fc24107f2

SHA1
087399a1d78f1fee901ec77f7bfd011027003c37

SHA256
858e2cd0a37f82e72708bc15d0ed615746335027431b25ad7e4d8019e7fdc0f6

SHA512
7a0766d6c743ffff886adf9a680c774bb65cc99dd257f14016d6cd1240a0d7db1c0e4e4a65dacc00c2a1d97bb28d58af0b8ab790fe0b9ef1af3ba834b4634c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\outlook.sfx.exe
Filesize
679KB

MD5
089936829e638abf2b4cf0287727ee51

SHA1
985e4dea3285f69dbdb631975db8beb988f703ad

SHA256
8152d18936f593cfddeeac2b9e5bfc5ffe2318b2a5f3a03f0436f4f5ee650da6

SHA512
75d4e19582008947a88458de2503dcefe16719b524b4219f9f29c68737855ff8421b0e6f72f84504d0e80f5e7b3689cf22de401ca2495065f4dded17fc85dc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\outlook.exe
Filesize
474KB

MD5
d2493c220e2349658da794a9fc2b8218

SHA1
f71d7f8943b5aea24df5a846e7c875c0baae6446

SHA256
1a102d9004be63a3b0921dce05c5f18ffbf81d8dbc2c8584f9b19cc38f6dee35

SHA512
eb878ca785198d682e685cc845c402d4038b6f786beecc726f1e72185755b8edb6ee794f48d221d57db57d122efa3dd6e1d336f141aab1f806f8a27453c1a2fd

Download Submit
memory/3692-19-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3692-20-0x000000001B820000-0x000000001BCEE000-memory.dmp

Filesize
4.8MB

Download
memory/3692-21-0x000000001BCF0000-0x000000001BD8C000-memory.dmp

Filesize
624KB

Download
memory/3692-22-0x000000001BF40000-0x000000001BFE6000-memory.dmp

Filesize
664KB

Download
memory/3692-23-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/3692-26-0x000000001C4C0000-0x000000001C4CA000-memory.dmp

Filesize
40KB

Download
memory/3692-27-0x000000001C1F0000-0x000000001C202000-memory.dmp

Filesize
72KB

Download
memory/3692-28-0x000000001C6D0000-0x000000001C6EA000-memory.dmp

Filesize
104KB

Download
memory/3692-29-0x0000000000EC0000-0x0000000000ED4000-memory.dmp

Filesize
80KB

Download
memory/3692-31-0x000000001C6F0000-0x000000001C70E000-memory.dmp

Filesize
120KB

Download
memory/3692-30-0x000000001C020000-0x000000001C02E000-memory.dmp

Filesize
56KB

Download
memory/3692-32-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3692-33-0x000000001C980000-0x000000001C9AE000-memory.dmp

Filesize
184KB

Download
memory/3692-34-0x000000001C820000-0x000000001C834000-memory.dmp

Filesize
80KB

Download
memory/3692-35-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download