Technical details of NanoCore
Identification
Sample didn’t exist in virus total as shown in figure below.
The following table contains list of artifacts that had been analyzed within this document.
PE timestamp | SHA256 | Size in bytes | File name | Description |
Thu Jun 25 03:38:24 2020 | C0E3A49CBB496D4B77897BF1BBB7564391A37CEC | 200.00 KB (204800 bytes) | Debug.exe | dropper |
Summary
NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework which has a lot of function to enable you steal any information to control current machine and sent it to C&C server.
Important Note
The initialize stage of current sample (NanoCore malware) is exactly the same code of malware njRAT.
Link
Code of NanoCore malware
Code of Nirjart malware
Technical details
First Stage
It gets processes called SetDllDirectoryW and SetDefaultDllDirectories as shown in figure below.
It resolves a lot of dll libraries as shown in figure below.
It gets operating system version as shown in figure below.
It gets information about any valid installed or available code page as shown in figure below.
It sets new environment variable called "sfxcmd" as shown in figure below.
It sets another environment variable called "sfxpar" as shown in figure below.
It sets new variable called "sfxname" as shown in figure below.
It gets current date and time including minutes and seconds based on pattern as shown in figure below.
It unlocks resource called png as shown in figure below.
It control current window using GetDC ,GetWindowLongW and GetWindow as shown in figures below.
It creates new file called __tmp_rar_sfx_access_check_ as shown in figure with the following parameters as shown in table below.
hTemplateFile | NULL |
dwFlagsAndAttributes | NULL |
dwCreationDisposition | CREATE_ALWAYS |
dwDesiredAccess | GENERIC_READ_WRITE |
lpSecurityAttributes | FILE_SHARE_READ |
dwShareMode | GENERIC_READ_WRITE |
lpFileNam | __tmp_rar_sfx_access_check_0 |
It map to new file called winrarsfxmappingfile.tmp and run it as shown in figure below.
Second stage
It creates new process called notepad.exe as shown in figure below.
PE timestamp | Md5 | Size in bytes | Filename | Description |
Sat Feb 21 16:49:37 2015
| 1993DF80C98372579FED41C32495BA5B | 207872 bytes | notepad.exe | RAT |
It connects to this domain called qwertyontop.ddns.net as shown in figure below and it has full control of machine right now.
Some clear functions
It gets operating system version (major) and current domain as shown in figure below.
It gets current username as shown in figure below.
All clear strings
- GetDetails
- ValidateSource
- ValidateBlock
- GetBlockHash
- WriteBlockData
- ReadBlockData
- HostDetails
- HostData
- Details
- SetThreadExecutionState
- GetCurrentProcess
- OpenProcess
- CloseHandle
- QueryDosDevice
- GetProcessImageFileName
- NtSetInformationProcess
- GetKernelObjectSecurity
- SetKernelObjectSecurity
- RegOpenKeyEx
- RegQueryValueEx
- RegCloseKey
- FindResourceEx
- LoadResource
- SizeofResource
- LockResource
- AllocConsole
- DeleteFile
- DnsQuery_A
- Variables
- ClientSettings
- BuilderSettings
- Connected
- #=qJEtGIBRUjtEusa67yMyqWQ==
- get_AddressFamily
- GetAddressBytes
- CreateInstance
- get_IsDisposed
- GetTypeFromHandle
- ContainsKey
- GetResourceString
- SetProjectError
- get_InnerException
- get_Message
- Remove
- Dispose
- GetObjectValue
- get_Count
- Dequeue
- Format
- ToArray
- GetEnumerator
- get_Current
- Contains
- ClearProjectError
- MoveNext
- VariableChanged
- ClientSettingChanged
- BuildingHostCache
- ConnectionFailed
- ConnectionStateChanged
- PipeClosed
- ReadPacket
- PluginUninstalling
- ClientUninstalling
- get_Item
- IsNullOrEmpty
- Write
- Close
- OpenRead
- get_Length
- get_Exists
- CompareString
- Empty
- set_Position
- Combine
- Change
- CheckForSyncLockOnValueType
- Enter
- set_Item
- get_Key
- get_Value
- Clear
- MaxValue
- add_ThreadException
- get_CurrentDomain
- add_UnhandledException
- add_AssemblyResolve
- get_StartupPath
- set_CurrentDirectory
- get_OSVersion
- get_Version
- get_Major
- Exists
- ReadAllBytes
- WriteAllBytes
- Compare
- GetFolderPath
- GetFiles
- GetFileNameWithoutExtension
- Enqueue
- ReadInt32
- ReadBytes
- GetExecutingAssembly
- op_Equality
- GetCustomAttributes
- ToByteArray
- GetBytes
- set_IV
- set_Key
- CreateDecryptor
- TransformFinalBlock
- set_AutoFlush
- Sleep
- get_ExecutablePath
- get_CurrentDirectory
- set_WorkingDirectory
- set_Verb
- Start
- get_UTF8
- GetString
- Replace
- Concat
- QueueUserWorkItem
- LocalMachine
- OpenSubKey
- ToInteger
- GetCurrent
- IsInRole
- ToUpper
- CreateDirectory
- get_UtcNow
- ToInt64
- FromBinary
- ToBinary
- ReadAllText
- WriteAllText
- TryParse
- EnterDebugMode
- LeaveDebugMode
- Increment
- Decrement
- GetTempFileName
- WaitForExit
- get_ExitCode
- Delete
- set_UseShellExecute
- set_CreateNoWindow
- set_WindowStyle
- GetDirectoryName
- CurrentUser
- DeleteValue
- get_ExceptionObject
- get_Exception
- ToLower
- get_Name
- StartsWith
- get_Now
- AddMinutes
- get_MachineName
- get_UserName
- get_StackTrace
- get_Day
- WriteLine
- ToLongDateString
- op_Subtraction
- get_TotalMilliseconds
- GetCallingAssembly
- get_Assembly
- GetName
- get_FullName
- GetPublicKeyToken
- AddRange
- get_Unicode
- GetFrame
- GetMethod
- get_DeclaringType
- get_MetadataToken
- GetManifestResourceStream
- Intern
- ReadByte
- BlockCopy
- get_Chars
- ToInt32
- get_InvokeRequired
- set_BlockSize
- CreateEncryptor
- GetType
- get_IsEnum
- GetUnderlyingType
- get_Width
- get_Height
- get_X
- get_Y
- SetLength
- ReadBoolean
- ReadChar
- ReadString
- ToCharArray
- ReadDecimal
- ReadDouble
- ReadInt64
- ReadSByte
- ReadInt16
- ReadSingle
- ReadUInt32
- ReadUInt64
- ReadUInt16
- get_Position
- GetConstructors
- GetParameters
- get_ParameterType
- GetInterfaces
- get_DiscretionaryAcl
- InsertAce
- get_BinaryLength
- GetBinaryForm
- AppendLine
- GetTypes
- IndexOf
- ComputeHash
- TransformBlock
- get_Hash
- NewGuid
- get_LocalEndPoint
- get_Port
- SetBuffer
- add_Completed
- GetHostEntry
- get_AddressList
- set_LingerState
- set_RemoteEndPoint
- ConnectAsync
- get_RemoteEndPoint
- ReceiveAsync
- get_SocketError
- get_LastOperation
- get_BytesTransferred
- get_Buffer
- Resize
- Collect
- get_Offset
- SendAsync
- PtrToStructure
- ToUInt32
- add_FormClosing
- add_Shown
- EnableVisualStyles
- set_ShowInTaskbar
- set_WindowState
- set_Visible
- MyTemplate
- 8.0.0.0
If you wanna learn malware analysis you can check my YouTube channel I'm trying publish analysis of malwares and some methods to analysis malwares.
Please don't forgot subscribe my channel Than you ♥
YouTube channel
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA
Reference
· https://success.trendmicro.com/solution/1122912-nanocore-malware-information.
· https://spanning.com/blog/nanocore-rat-malware-of-the-month/.
Article Link: NanoCore Malware