Neonprimetime

2018-05-18 Nanocore sample

May 18th, 2018
#nanocore #malware
@neonprimetime security
https://www.joesandbox.com/analysis/59815/0/html
https://www.reverse.it/sample/47755676f0bfab8a782ea04dd3c5e22324e92dda42810c902e3a23327375a57b?environmentId=100
excel md5 aa4876cc060652d9d54355188bbeafda
exe md5 a237fa451c0fcd5f06057d3d4db5398c
-------------
interesting in memory strings
-------------