MalwareAnalysisFeatureImage

Malware Analysis – NanoCore + MITRE ATT&CK Mapping

Posted by

In my previous article, we analyzed the famous ransomware, WannaCry which wreaked havoc in 2017. In this article, we’ll be looking at a variant of NanoCore which was found more recently – early 2019.

Analysis

Basic Static

SHA256: 8394496d6464a1413c12ffddcf554da8f7ad3b1fdc9880d109b4f181078236c5

What kind of file is it?

The sample is a .NET file with a compilation timestamp of Fri May 31 11:13:32 1985. It is definitely obfuscated with some tool, as is evident from the function names / symbols.

Basic Dynamic

What file system modifications does the sample make?

The malware creates multiple files/directories under C:\Users\AppData\Roaming\ directory.

file_dir.png

run.dat has obfuscated data of small length.

file_run_dat.png

It also copies itself to C:\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe and C:\Users\AppData\Roaming\BE5DE3F7-33F4-48F5-9438-0060EB487369\TCP Service\tcpsv.exe.

file_startup.png
file_tcpsv.png

It then hooks into browsers present in the system and spies on user activity. In the image below, it can be seen that the malware tracked the user visiting google.com and facebook.com on Chrome and google.com and bankofamerica.com on IE.

file_spy.png

The sample also keeps track of the processes that are spawned on the system.

file_processes.png

What network activity exists?

On execution, the malware periodically pings back obfuscated data to the C&C server at 89.35.228.199 on port 3365. We can expect this data to contain identifying information about the infected system.

net1.png
net2.png

What processes are spawned when the sample is executed?

When the sample is executed, it spawns a sub-process, cmd.exe to launch app.exe (same as the original sample). app.exe in turn spawns itself as an independent process.

process1
process2

What modifications are made to the Registry and Startup activity?

The malware achieves persistence by installing itself as a startup service in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Unlike other malware that I’ve encountered, NanoCore installs itself as two separate startup services.

registry.png
startup.png

On system restart, even though there are two NanoCore instances that are started, only one remains at the end. The other one exits. The running app.exe process again connects to the C&C on the same address and port.

Mapping to MITRE ATT&CK

Let’s map NanoCore’s activity to MITRE ATT&CK Framework:

ActivityATT&CK Technique
NanoCore sample executes through command line processes only and does not have a GUI.Execution: Command-Line Interface
NanoCore achieves persistence through installing itself as a startup service through registry key modification.Persistence: Registry Run Keys / Startup FolderDefense Evasion: Modify Registry
NanoCore EXE was obfuscated.Defense Evasion: Obfuscated Files or Information
NanoCore encrypted communications with the C&C on port 3365.Command and Control: Uncommonly Used Port, Standard Cryptographic Protocol

Thanks for reading!

In this article, I described my analysis for the RAT – NanoCore. I wasn’t able to de-obfuscate the EXE, so I presented only my basic analysis. This implies that the sample may be capable of more malicious behavior than what is described here. The malicious behavior may depend on the installed software or the OS itself or some other factor which can only be known through code analysis.

Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!

Feature image credits: https://hackersonlineclub.com/malware-analysis/

Leave a Reply

Your email address will not be published.