MalwareAnalysisSeries
This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules
Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham
NanoCore 1.2.2.0
This repo includes the technical analysis of a commercial RAT which is easily available on black market for cheap price. NanoCore is a famous Remote Access Trojan malicious software that has its own client builder and multiple delivery methods.
NanoCore RAT 1.2.2.0 Analysis PDF Report
In this repo, the original sample of NanoCore 1.2.2.0 is provided along with its extracted stages samples. The password is “infected” for all archieves.
NanoCore 1.2.2.0 RAT TTPs
| TTP | Description | Code | Detection |
|---|---|---|---|
| Credential Access: Input Capture: Keylogging | NanoCore has keylogging capabilities in its surveillanceEx plugin | Code | Rule/Query Coming Soon! |
| Privilege Escalation: Scheduled Task/Job: Scheduled Task | NanoCore uses task scheuduler in a unique way to escalate privileges | Code | Rule/Query Coming Soon! |
| Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | NanoCore achieves persistence by abusing windows Run Registry Keys | Code | Rule/Query Coming Soon! |
| Collection: Clipboard Data | NanoCore steals clipboard data by setting itself as a clipboard viewer | Code | Rule/Query Coming Soon! |
| Collection: Data from Local System | NanoCore steals DNS records from the DNS cache of victim system | Code | Rule/Query Coming Soon! |
| Impair Defenses: Disable or Modify Tools | NanoCore prevents security tools from terminating the process without crashing the system, effectively disabling their ability to mitigate the threat | Code | Rule/Query Coming Soon! |
| Defense Evasion: Subvert Trust Controls: Mark-of-the-Web Bypass | NanoCore can bypass Mark-of-the-Web by deleting Zone.Identifier tags | Code | Rule/Query Coming Soon! |
| NanoCore execute its stage2 malware by extracting it from the resources and injecting it inside another instance of stage1 process using Process Hollowing | Code | Rule/Query Coming Soon! | |
| Command & Control: Non-Application Layer Protocol | NanoCore creates RAW sockets for c2 communication and data exfiltration | Code coming soon... | Rule\Query coming soon... |
Note: Artifacts & code of this repository is inteneded for educational purposes only!