nanocore | 20751156d821460ab4c7db367bf964831c51daac7bf4a4eecfa4c0cf23816490

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Size

234KB
MD5

a929acb4997a9366c61cb3edcc0b2498
SHA1

77bb8b60b1341f2c0d021b4baefb7e7f6694ccca
SHA256

20751156d821460ab4c7db367bf964831c51daac7bf4a4eecfa4c0cf23816490
SHA512

55e5ea17d289bfae1fbedbc7f5dba812c01f4802442a502c72af28dd5ebed9c7e5d2f2565e19f3e20159aa5a3a566e06ceba746e53d1192ccb0eaf1480e5f231
SSDEEP

6144:CLV6Bta6dtJmakIM5SP2ZCt/YSyHLDe1YO9o+l:CLV6BtpmkvkfvMo

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

Tempexplorer.exe

pid process

2836 Tempexplorer.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

Tempexplorer.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Manager = "C:\\Program Files (x86)\\SAAS Manager\\saasmgr.exe" Tempexplorer.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Tempexplorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Tempexplorer.exe
Drops file in Program Files directory 2 IoCs

Processes:

Tempexplorer.exe

description ioc process

File opened for modification C:\Program Files (x86)\SAAS Manager\saasmgr.exe Tempexplorer.exe
File created C:\Program Files (x86)\SAAS Manager\saasmgr.exe Tempexplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3732 schtasks.exe
2172 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Tempexplorer.exe

pid process

2836 Tempexplorer.exe
2836 Tempexplorer.exe
2836 Tempexplorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Tempexplorer.exe

pid process

2836 Tempexplorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Tempexplorer.exe

description pid process

Token: SeDebugPrivilege 2836 Tempexplorer.exe
Token: SeDebugPrivilege 2836 Tempexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe

pid	process
2836	Tempexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Manager = "C:\\Program Files (x86)\\SAAS Manager\\saasmgr.exe"	Tempexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tempexplorer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SAAS Manager\saasmgr.exe	Tempexplorer.exe
File created	C:\Program Files (x86)\SAAS Manager\saasmgr.exe	Tempexplorer.exe

pid	process
3732	schtasks.exe
2172	schtasks.exe

pid	process
2836	Tempexplorer.exe
2836	Tempexplorer.exe
2836	Tempexplorer.exe

pid	process
2836	Tempexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2836	Tempexplorer.exe
Token: SeDebugPrivilege	2836	Tempexplorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exeTempexplorer.exe

description	pid	process	target process
PID 2848 wrote to memory of 2836	2848	a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe	Tempexplorer.exe
PID 2848 wrote to memory of 2836	2848	a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe	Tempexplorer.exe
PID 2848 wrote to memory of 2836	2848	a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe	Tempexplorer.exe
PID 2836 wrote to memory of 3732	2836	Tempexplorer.exe	schtasks.exe
PID 2836 wrote to memory of 3732	2836	Tempexplorer.exe	schtasks.exe
PID 2836 wrote to memory of 3732	2836	Tempexplorer.exe	schtasks.exe
PID 2836 wrote to memory of 2172	2836	Tempexplorer.exe	schtasks.exe
PID 2836 wrote to memory of 2172	2836	Tempexplorer.exe	schtasks.exe
PID 2836 wrote to memory of 2172	2836	Tempexplorer.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a929acb4997a9366c61cb3edcc0b2498_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Tempexplorer.exe
"C:\Users\Admin\AppData\Local\Tempexplorer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp"
3⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp68EC.tmp"
3⤵
- Creates scheduled task(s)
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp
Filesize
1KB

MD5
c32c74e937be74259424933c09985921

SHA1
b0a7f3b2609bd66e695181e492a904c994c40553

SHA256
1ae1a9bb3477f5dcb9c0be4a919e54eca05647e254725af8e9a552628b255cef

SHA512
96e17111f01c88c2b8edaa2ec08b4cd5dd40f4e0b78dcf316d7c3ca3b69267fd63a4f91ddf01baa50ddcee7b4fa393d91e4ba80087010caf7accf47dac29889e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp68EC.tmp
Filesize
1KB

MD5
b5ee6d4d0a6aab49e12d44d82afc5157

SHA1
9fbe67452ca81b59802441955020086c3d163b2c

SHA256
f769b73883f96cefd35c438e8bdbe12c10a87ce11e09e4084474a85f6e4f8a10

SHA512
c4071b68c40aedd04b48bcbf4c4256e8b746474c6d4cfe680a4c0bcd61c9c4daa45d5d1e2fc8df655feba77de485258d06a81ac1a9144ed37ab9c80fbce09754

Download Submit
C:\Users\Admin\AppData\Local\Tempexplorer.exe
Filesize
203KB

MD5
2a10ebef275e2d24c8f3e3d8dd01e929

SHA1
5d82da79265984af7399c6d19766b9d3afb4fe59

SHA256
226de25b7d0372d2f18c5f080d58a2766b50b70bb2f4f4505071acd45407abaa

SHA512
06fe337e2444b15a3ac0a16645a9b114033f4c6ebc0465c660a739615a7d1e134dfebfc630565a8d5df11aa3e7d38a186a1a36e7746322492f7f65031ae2b32c

Download Submit
memory/2836-19-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2836-31-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2836-30-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2836-29-0x0000000070472000-0x0000000070473000-memory.dmp

Filesize
4KB

Download
memory/2836-28-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2836-27-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2836-17-0x0000000070472000-0x0000000070473000-memory.dmp

Filesize
4KB

Download
memory/2836-18-0x0000000070470000-0x0000000070A21000-memory.dmp

Filesize
5.7MB

Download
memory/2848-4-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/2848-16-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2848-6-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2848-5-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/2848-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/2848-3-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/2848-2-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/2848-1-0x0000000000AF0000-0x0000000000B32000-memory.dmp

Filesize
264KB

Download