NanoCore Malware

Malware Analysis
1

 

Technical details of NanoCore















Identification

Sample didn’t exist in virus total as shown in figure below.




The following table contains list of artifacts that had been analyzed within this document.


PE timestamp

SHA256

Size in bytes

File name

Description

Thu Jun 25 03:38:24 2020

C0E3A49CBB496D4B77897BF1BBB7564391A37CEC

200.00 KB (204800 bytes)

Debug.exe

dropper

 

Summary

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework which has a lot of function to enable you steal any information to control current machine and sent it to C&C server.


Important Note

The initialize stage of current sample (NanoCore malware) is exactly the same code of malware njRAT.

Link

Njrat


Code of NanoCore malware




Code of Nirjart malware



Technical details

First Stage

It gets processes called SetDllDirectoryW and SetDefaultDllDirectories as shown in figure below.




It resolves a lot of dll libraries as shown in figure below.



It gets operating system version as shown in figure below.



It gets information about any valid installed or available code page as shown in figure below.




It sets new environment variable called "sfxcmd" as shown in figure below.




It sets another environment variable called "sfxpar" as shown in figure below.



It sets new variable called "sfxname" as shown in figure below.


It gets current date and time including minutes and seconds based on pattern as shown in figure below.




It unlocks resource called png as shown in figure below.



It control current window using GetDC ,GetWindowLongW and GetWindow as shown in figures below.






It creates new file called __tmp_rar_sfx_access_check_ as shown in figure with the following parameters as shown in table below.



hTemplateFile

NULL

dwFlagsAndAttributes

NULL

dwCreationDisposition

CREATE_ALWAYS

dwDesiredAccess

GENERIC_READ_WRITE

lpSecurityAttributes

FILE_SHARE_READ

dwShareMode

GENERIC_READ_WRITE

lpFileNam

__tmp_rar_sfx_access_check_0

 

It map to new file called winrarsfxmappingfile.tmp and run it as shown in figure below.







Second stage

It creates new process called notepad.exe as shown in figure below.



PE timestamp

Md5

Size in bytes

Filename

Description

Sat Feb 21 16:49:37 2015

 

1993DF80C98372579FED41C32495BA5B

207872 bytes

notepad.exe

RAT

 

It connects to this domain called qwertyontop.ddns.net as shown in figure below and it has full control of machine right now.




Some clear functions

It gets operating system version (major) and current domain as shown in figure below.




It gets current username as shown in figure below.



All clear strings

  • GetDetails
  • ValidateSource
  • ValidateBlock
  • GetBlockHash
  • WriteBlockData
  • ReadBlockData
  • HostDetails
  • HostData
  • Details
  • SetThreadExecutionState
  • GetCurrentProcess
  • OpenProcess
  • CloseHandle
  • QueryDosDevice
  • GetProcessImageFileName
  • NtSetInformationProcess
  • GetKernelObjectSecurity
  • SetKernelObjectSecurity
  • RegOpenKeyEx
  • RegQueryValueEx
  • RegCloseKey
  • FindResourceEx
  • LoadResource
  • SizeofResource
  • LockResource
  • AllocConsole
  • DeleteFile
  • DnsQuery_A
  • Variables
  • ClientSettings
  • BuilderSettings
  • Connected
  • #=qJEtGIBRUjtEusa67yMyqWQ==
  • get_AddressFamily
  • GetAddressBytes
  • CreateInstance
  • get_IsDisposed
  • GetTypeFromHandle
  • ContainsKey
  • GetResourceString
  • SetProjectError
  • get_InnerException
  • get_Message
  • Remove
  • Dispose
  • GetObjectValue
  • get_Count
  • Dequeue
  • Format
  • ToArray
  • GetEnumerator
  • get_Current
  • Contains
  • ClearProjectError
  • MoveNext
  • VariableChanged
  • ClientSettingChanged
  • BuildingHostCache
  • ConnectionFailed
  • ConnectionStateChanged
  • PipeClosed
  • ReadPacket
  • PluginUninstalling
  • ClientUninstalling
  • get_Item
  • IsNullOrEmpty
  • Write
  • Close
  • OpenRead
  • get_Length
  • get_Exists
  • CompareString
  • Empty
  • set_Position
  • Combine
  • Change
  • CheckForSyncLockOnValueType
  • Enter
  • set_Item
  • get_Key
  • get_Value
  • Clear
  • MaxValue
  • add_ThreadException
  • get_CurrentDomain
  • add_UnhandledException
  • add_AssemblyResolve
  • get_StartupPath
  • set_CurrentDirectory
  • get_OSVersion
  • get_Version
  • get_Major
  • Exists
  • ReadAllBytes
  • WriteAllBytes
  • Compare
  • GetFolderPath
  • GetFiles
  • GetFileNameWithoutExtension
  • Enqueue
  • ReadInt32
  • ReadBytes
  • GetExecutingAssembly
  • op_Equality
  • GetCustomAttributes
  • ToByteArray
  • GetBytes
  • set_IV
  • set_Key
  • CreateDecryptor
  • TransformFinalBlock
  • set_AutoFlush
  • Sleep
  • get_ExecutablePath
  • get_CurrentDirectory
  • set_WorkingDirectory
  • set_Verb
  • Start
  • get_UTF8
  • GetString
  • Replace
  • Concat
  • QueueUserWorkItem
  • LocalMachine
  • OpenSubKey
  • ToInteger
  • GetCurrent
  • IsInRole
  • ToUpper
  • CreateDirectory
  • get_UtcNow
  • ToInt64
  • FromBinary
  • ToBinary
  • ReadAllText
  • WriteAllText
  • TryParse
  • EnterDebugMode
  • LeaveDebugMode
  • Increment
  • Decrement
  • GetTempFileName
  • WaitForExit
  • get_ExitCode
  • Delete
  • set_UseShellExecute
  • set_CreateNoWindow
  • set_WindowStyle
  • GetDirectoryName
  • CurrentUser
  • DeleteValue
  • get_ExceptionObject
  • get_Exception
  • ToLower
  • get_Name
  • StartsWith
  • get_Now
  • AddMinutes
  • get_MachineName
  • get_UserName
  • get_StackTrace
  • get_Day
  • WriteLine
  • ToLongDateString
  • op_Subtraction
  • get_TotalMilliseconds
  • GetCallingAssembly
  • get_Assembly
  • GetName
  • get_FullName
  • GetPublicKeyToken
  • AddRange
  • get_Unicode
  • GetFrame
  • GetMethod
  • get_DeclaringType
  • get_MetadataToken
  • GetManifestResourceStream
  • Intern
  • ReadByte
  • BlockCopy
  • get_Chars
  • ToInt32
  • get_InvokeRequired
  • set_BlockSize
  • CreateEncryptor
  • GetType
  • get_IsEnum
  • GetUnderlyingType
  • get_Width
  • get_Height
  • get_X
  • get_Y
  • SetLength
  • ReadBoolean
  • ReadChar
  • ReadString
  • ToCharArray
  • ReadDecimal
  • ReadDouble
  • ReadInt64
  • ReadSByte
  • ReadInt16
  • ReadSingle
  • ReadUInt32
  • ReadUInt64
  • ReadUInt16
  • get_Position
  • GetConstructors
  • GetParameters
  • get_ParameterType
  • GetInterfaces
  • get_DiscretionaryAcl
  • InsertAce
  • get_BinaryLength
  • GetBinaryForm
  • AppendLine
  • GetTypes
  • IndexOf
  • ComputeHash
  • TransformBlock
  • get_Hash
  • NewGuid
  • get_LocalEndPoint
  • get_Port
  • SetBuffer
  • add_Completed
  • GetHostEntry
  • get_AddressList
  • set_LingerState
  • set_RemoteEndPoint
  • ConnectAsync
  • get_RemoteEndPoint
  • ReceiveAsync
  • get_SocketError
  • get_LastOperation
  • get_BytesTransferred
  • get_Buffer
  • Resize
  • Collect
  • get_Offset
  • SendAsync
  • PtrToStructure
  • ToUInt32
  • add_FormClosing
  • add_Shown
  • EnableVisualStyles
  • set_ShowInTaskbar
  • set_WindowState
  • set_Visible
  • MyTemplate
  • 8.0.0.0



If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malwares and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥  

YouTube channel 
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA

 

Reference

·       https://success.trendmicro.com/solution/1122912-nanocore-malware-information.

·       https://spanning.com/blog/nanocore-rat-malware-of-the-month/.


Article Link: NanoCore Malware