nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

b93ab92ae78f48fc913cb97e7e6e89a1_JaffaCakes118
Size

797KB
Sample

240617-wdrjmasbkn
MD5

b93ab92ae78f48fc913cb97e7e6e89a1
SHA1

59ad143182c29b523d3256ac2604c197cb3297db
SHA256

35e9a600576c02110e577a51b41a0df596126ccd260c9aa2210e2390e99ff776
SHA512

f5da4824f89eabb3a93d89ad0e16a979cf37c829f702c98140415a10b833ed4d330f87e78feeeb3f676b8e481c2525844c4cc19616e85f776e39988f0e3a2b51
SSDEEP

24576:0lWBVDM/Une2vs54zt8ZphKSIrBql+kiCSc:OS3exZv8Ul+Cr

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

maxhasminipp.ddns.net:54984

127.0.0.1:54984

Mutex

e859e030-1d62-4073-998f-c3e8c8fdde04

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-06-25T23:47:05.285361136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e859e030-1d62-4073-998f-c3e8c8fdde04
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
maxhasminipp.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5010
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  TeamzPAZ/Bunifu_UI_v1.5.3.dll
- Size
  
  236KB
- MD5
  
  2ecb51ab00c5f340380ecf849291dbcf
- SHA1
  
  1a4dffbce2a4ce65495ed79eab42a4da3b660931
- SHA256
  
  f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
- SHA512
  
  e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
- SSDEEP
  
  6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
Score

1^/10
behavioral1 behavioral2
- Target
  
  TeamzPAZ/Fortnite Checker TeamzPAZ.exe
- Size
  
  203KB
- MD5
  
  e8b7db8bfcbb200e704b65126660c529
- SHA1
  
  c69450b1f8d5ccb1743570d7a8091530493fc36d
- SHA256
  
  24cf8b07f7694cbfc67e79dd18d6c1fab296eec76120e269f96202e43aa4340a
- SHA512
  
  c5913c6548e1c76518d379928d239af028d11ee419fd5af1ee9a596e4c0c32581c60228569d589c85e0c23de2c71b713ebf9f9c0f89c1520cc373bb538556973
- SSDEEP
  
  6144:sLV6Bta6dtJmakIM5kcGLYiO5C3e6s7338vSz:sLV6Btpmk1YiOS1k3Tz
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4
- Target
  
  TeamzPAZ/HtmlAgilityPack.dll
- Size
  
  113KB
- MD5
  
  45223650cff5e89e56c1bdd4cb7fb786
- SHA1
  
  110bee36ca7afc5fe404b82d5fed5de482758cd2
- SHA256
  
  8019602af8f267c4e09489b3d80b514b2498a495d0fa3d7d74c2eb86b1e25781
- SHA512
  
  23d75f48b21b08650d081a6b081efc35d0ec4132f9400537e1813dd53fa0a51d735e8935b914ce7cdc38d271b08f1bd9585e346708cdedd42e2753202d6efb20
- SSDEEP
  
  1536:3trxCwY9I/QndjSOXAiW4XO2TSBVt4l6Y5lF4cglELWPGr1Y7KmYDw5yz8S:zQIInsOQWX+BVM6YycAww5K8S
Score

1^/10
behavioral5 behavioral6
- Target
  
  TeamzPAZ/MailKit.dll
- Size
  
  652KB
- MD5
  
  be99f9896236c6106887959541d22f05
- SHA1
  
  12fc2ac3bda1b2023bed12320cd3a140413a5850
- SHA256
  
  786e2126d22afabcb42d57cf07760690c18c21007c93abaed0cb4c7fe2044eb6
- SHA512
  
  dd995323b28ef7a3a492f5fa966d278a4495bd5d5703fc9bd066d665ceafbb57851429cca80e89aba4c09598d786206e1f7efddd44c185bd71b825958e4de330
- SSDEEP
  
  6144:b7GoLbF2oxbF/j/FFYgIQ0APJAO62mGQ0HhWt5ZMdYJwjvinKzGQ1kNnav2P0hsv:bJYsbqhGhHhh3jvinKqZ4earo88XA
Score

1^/10
behavioral7 behavioral8
- Target
  
  TeamzPAZ/Newtonsoft.Json.dll
- Size
  
  647KB
- MD5
  
  5afda7c7d4f7085e744c2e7599279db3
- SHA1
  
  3a833eb7c6be203f16799d7b7ccd8b8c9d439261
- SHA256
  
  f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
- SHA512
  
  7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944
- SSDEEP
  
  6144:3o4V9ynqKoxhi0gAsfLBhJJzhGIVrdhoHuLFGAJmKApt5psaLGBFahKGRd67XLEm:LyncxQRhJJzhoqgH5sB4dxHG
Score

1^/10
behavioral10 behavioral9
- Target
  
  TeamzPAZ/xNet.dll
- Size
  
  104KB
- MD5
  
  158defd55a804aa8d4d67bfdf7a4af9c
- SHA1
  
  9dd41914fa181cb5225e593373f7dca062d7af0b
- SHA256
  
  6c7ec4cc31a2ce0b97703b7a42e3448e9b87d96dda12761ca24d8787ac27cff1
- SHA512
  
  e98062b3b035d7d87c3457621c5ffc0aefed490544739219c4f4cafc3e7de248f1cf91edb3564e49d406f9fcaf314838d33b2ddd7e3b1a1751e5819b9ab798d6
- SSDEEP
  
  3072:0IALHSH7PhqKnUqnV+xnEdSCo5E/awN5lRd0YjJ0:07LyIqnV+xnEdEmf
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds Run key to start application

Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12