In my previous article, we analyzed the famous ransomware WannaCry, which wreaked havoc in 2017. In this article, we’ll be looking at a variant of NanoCore that was found more recently – early 2019.
What kind of file is it?
The sample is a .NET file with a compilation timestamp of Fri May 31 11:13:32 1985. It is definitely obfuscated with some tool, as is evident from the function names / symbols.
What file system modifications does the sample make?
The malware creates multiple files/directories under
run.dat has obfuscated data of small length.
It also copies itself to C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe and
It then hooks into browsers present in the system and spies on user activity. In the image below, it can be seen that the malware tracked the user visiting facebook.com on Chrome and bankofamerica.com on IE.
The sample also keeps track of the processes that are spawned on the system.
What network activity exists?
On execution, the malware periodically pings back obfuscated data to the C&C server at 22.214.171.124 on port 3365. We can expect this data to contain identifying information about the infected system.
What processes are spawned when the sample is executed?
When the sample is executed, it spawns a sub-process, cmd.exe, to launch app.exe (same as the original sample). app.exe in turn spawns itself as an independent process.
What modifications are made to the Registry and Startup activity?
The malware achieves persistence by installing itself as a startup service in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Unlike other malware that I’ve encountered, NanoCore installs itself as two separate startup services.
On system restart, even though there are two NanoCore instances that are started, only one remains at the end. The other one exits. The running app.exe process again connects to the C&C on the same address and port.
Mapping to MITRE ATT&CK
Let’s map NanoCore’s activity to MITRE ATT&CK Framework:
| Observed behavior | ATT&CK tactic: technique |
|---|---|
| NanoCore sample executes through command line processes only and does not have a GUI. | Execution: Command-Line Interface |
| NanoCore achieves persistence through installing itself as a startup service through registry key modification. | Persistence: Registry Run Keys / Startup Folder; Defense Evasion: Modify Registry |
| NanoCore EXE was obfuscated. | Defense Evasion: Obfuscated Files or Information |
| NanoCore encrypted communications with the C&C on port | Command and Control: Uncommonly Used Port, Standard Cryptographic Protocol |
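
The behaviors mapped above can be correlated into a single detection, shown here as an added example that is not part of the original analysis: it flags a binary that holds two or more autostart entries from a user-writable path and also connects out on an uncommon port. The event field names, the Run value names and the benign updater entry are constructed for illustration; the app.exe path and port 3365 come from the article.

```python
import re
from collections import defaultdict

RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"
STARTUP_DIR = r"\start menu\programs\startup" + "\\"
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.I)
COMMON_PORTS = {53, 80, 443}  # assumption: tune to what is normal in your network

def correlate(events):
    """Return {image: finding} for binaries with >= 2 autostart entries from a
    user-writable path that also connect out on an uncommon port."""
    autostarts = defaultdict(set)  # image path -> autostart locations seen
    ports = defaultdict(set)       # image path -> uncommon remote ports seen
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY in ev["key"].lower():
            image = ev["data"].strip('"').lower()  # handles a plain quoted path only
            if USER_WRITABLE.search(image):
                autostarts[image].add(ev["key"])
        elif ev["type"] == "file_create" and STARTUP_DIR in ev["path"].lower():
            autostarts[ev["path"].lower()].add("startup-folder")
        elif ev["type"] == "net_connect" and ev["port"] not in COMMON_PORTS:
            ports[ev["image"].lower()].add(ev["port"])
    return {img: {"autostarts": sorted(locs), "ports": sorted(ports[img])}
            for img, locs in autostarts.items()
            if len(locs) >= 2 and ports.get(img)}

# Constructed events (simplified, Sysmon-like). Run value names are placeholders.
APP = r"C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\"
UPDATER = r"C:\Users\alice\AppData\Local\Vendor\updater.exe"  # constructed benign app
SAMPLE_EVENTS = [
    {"type": "file_create", "path": APP},
    {"type": "registry_set", "key": RUN + "ValueA", "data": APP},
    {"type": "registry_set", "key": RUN + "ValueB", "data": f'"{APP}"'},
    {"type": "net_connect", "image": APP, "port": 3365},
    # Benign pattern: a single autostart entry and traffic on a common port.
    {"type": "registry_set", "key": RUN + "Updater", "data": UPDATER},
    {"type": "net_connect", "image": UPDATER, "port": 443},
]

if __name__ == "__main__":
    for image, finding in correlate(SAMPLE_EVENTS).items():
        print(image, finding)
```

Requiring all three signals together keeps ordinary per-user updaters, which often have one Run entry under AppData, out of the results.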
Thanks for reading!
In this article, I described my analysis for the RAT – NanoCore. I wasn’t able to de-obfuscate the EXE, so I presented only my basic analysis. This implies that the sample may be capable of more malicious behavior than what is described here. The malicious behavior may depend on the installed software or the OS itself or some other factor which can only be known through code analysis.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!