In my previous article, we analyzed the famous WannaCry ransomware, which wreaked havoc in 2017. In this article, we’ll be looking at a variant of NanoCore which was found more recently — early 2019. This article covers just basic dynamic analysis, so it’s quite short.
Note: I highly recommend reading my article on Infostealer.Dyre before reading this post. I’ve explained the test lab setup and basic malware analysis process in detail and that information will not be repeated in every article.
Basic Static
SHA256: 8394496d6464a1413c12ffddcf554da8f7ad3b1fdc9880d109b4f181078236c5
What kind of file is it?
The sample is a .NET executable with a compilation timestamp of Fri May 31 11:13:32 1985, which predates .NET itself and so must have been tampered with. It is definitely obfuscated with some tool, as is evident from the function names / symbols.
Basic Dynamic
What file system modifications does the sample make?
The malware creates multiple files/directories under the C:\Users\\AppData\Roaming\\ directory.
run.dat has obfuscated data of small length.
It also copies itself to C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe and C:\Users\\AppData\Roaming\BE5DE3F7-33F4-48F5-9438-0060EB487369\TCP Service\tcpsv.exe.
It then hooks into the browsers present on the system and spies on user activity. In the image below, it can be seen that the malware tracked the user visiting google.com and facebook.com on Chrome and google.com and bankofamerica.com on IE.
The sample also keeps track of the processes that are spawned on the system.
What network activity exists?
On execution, the malware periodically beacons obfuscated data to the C&C server at 89.35.228.199 on port 3365. We can expect this data to contain identifying information about the infected system.
What processes are spawned when the sample is executed?
When the sample is executed, it spawns a cmd.exe sub-process to launch app.exe (which is identical to the original sample). app.exe in turn spawns itself as an independent process.
What modifications are made to the Registry and Startup activity?
The malware achieves persistence by installing itself as a startup entry in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Unlike other malware that I’ve encountered, NanoCore registers two separate startup entries.
On system restart, both NanoCore instances are started, but only one remains running; the other exits. The running app.exe process again connects to the C&C at the same address and port.
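To turn the behaviour observed above into something a defender can check, here is an added example (mine, not code from the original post) that scans a handful of constructed, Sysmon-like events for the drop paths, Run key persistence, the cmd.exe → app.exe launch and the beaconing to 89.35.228.199:3365 described in this analysis. The event format, the username "bob" and the Run value name "TCP Service" are assumptions for illustration.

```python
from collections import Counter

# Indicators taken from the analysis above. The username in the dropped paths is not
# known, so paths are matched as suffixes below the user's Roaming directory.
C2_ADDR = ("89.35.228.199", 3365)
DROP_PATHS = (
    r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe",
    r"\AppData\Roaming\BE5DE3F7-33F4-48F5-9438-0060EB487369\TCP Service\tcpsv.exe",
)
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events in a simplified Sysmon-like form (not real telemetry;
# username "bob" and the Run value name are made up for the example).
USER = r"C:\Users\bob"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": USER + DROP_PATHS[0]},
    {"type": "file_create", "path": USER + DROP_PATHS[1]},
    {"type": "reg_set", "key": RUN_KEY, "value": "TCP Service", "data": USER + DROP_PATHS[1]},
    {"type": "proc_create", "parent": "cmd.exe", "image": "app.exe"},
    {"type": "net_connect", "dst": "89.35.228.199", "port": 3365, "image": "app.exe"},
    {"type": "net_connect", "dst": "89.35.228.199", "port": 3365, "image": "app.exe"},
    {"type": "net_connect", "dst": "8.8.8.8", "port": 53, "image": "svchost.exe"},  # benign noise
]


def _is_drop_path(path):
    """True if a path ends with one of the NanoCore drop locations (case-insensitive)."""
    return any(path.lower().endswith(p.lower()) for p in DROP_PATHS)


def find_nanocore_indicators(events):
    """Return (behaviour, detail) findings for the behaviours seen in the dynamic analysis."""
    findings = []
    beacons = Counter()  # repeated connections to the C&C, counted per process image
    for ev in events:
        t = ev["type"]
        if t == "file_create" and _is_drop_path(ev["path"]):
            findings.append(("persistence_dropper", ev["path"]))
        elif t == "reg_set" and ev["key"].lower() == RUN_KEY.lower() and _is_drop_path(ev["data"]):
            findings.append(("run_key_persistence", ev["value"]))
        elif t == "proc_create" and ev["parent"].lower() == "cmd.exe" and ev["image"].lower() == "app.exe":
            findings.append(("cmd_launches_app", ev["image"]))
        elif t == "net_connect" and (ev["dst"], ev["port"]) == C2_ADDR:
            beacons[ev["image"]] += 1
    for image, n in beacons.items():
        findings.append(("c2_beacon", f"{image} -> {C2_ADDR[0]}:{C2_ADDR[1]} x{n}"))
    return findings


if __name__ == "__main__":
    for behaviour, detail in find_nanocore_indicators(SAMPLE_EVENTS):
        print(behaviour, detail)
```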
Mapping to MITRE ATT&CK
Let’s map NanoCore’s activity to the MITRE ATT&CK framework:
Thanks for reading!
In this article, I described my analysis of the NanoCore RAT. I wasn’t able to de-obfuscate the EXE, so I presented only my basic analysis. This implies that the sample may be capable of more malicious behavior than what is described here. The malicious behavior may depend on the installed software, the OS itself or some other factor which can only be known through code analysis.
Thank you for reading! If you have any questions, leave them in the comments section below and I’ll get back to you as soon as I can!
Feature image credits: https://hackersonlineclub.com/malware-analysis/
P.S. I also write on my blog https://0x90sploiter.wordpress.com.
Originally published at http://0x90sploiter.wordpress.com on September 5, 2019.