{
	"id": "76b88f88-9b78-40e4-a236-1fc23f621f14",
	"created_at": "2026-04-06T00:17:46.816554Z",
	"updated_at": "2026-04-10T13:12:47.16872Z",
	"deleted_at": null,
	"sha1_hash": "1347e4664cb163133bc6d4440404b63e6080c2cb",
	"title": "Malware Analysis [#1]- NanoCore Rat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2522550,
	"plain_text": "Malware Analysis [#1]- NanoCore Rat\r\nBy 0xM3H51N\r\nPublished: 2022-09-09 · Archived: 2026-04-05 20:09:20 UTC\r\nDynamic Analysis of ccgkcf.exe:\r\nAs mentioned before, when this instance is run without any argument the process exits and no action is taken. When “cmdkuqqy” is passed as an argument, as we saw the installer do when it created the new process, the sample continues its work: it opens the “cmdkuqqy” file, gets its size, reads it, decrypts it, and finally hands execution to the shell-code:\r\nx64dbg: Error path not found\r\nx64dbg: Command to add argument\r\nhttps://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918\r\nPage 1 of 5\r\nx64dbg: function succeeded\r\nhex comparison\r\nx64dbg: Jumping after decryption\r\nThe shell-code starts by loading libraries and resolving imports, then it pushes the names below to memory letter by letter:\r\nka9zcqw3l6l48a1uuba\r\nratotpvvsmo.exe\r\ngswccl\r\nhhtktvn\r\nAfter that it opens the “ka9zcqw3l6l48a1uuba” file from the %TEMP% folder to get a handle to it, then gets the file size, allocates memory, reads the file and decrypts the data read from it, so I dumped the decrypted data to a file to be analyzed later:\r\nThe buffer that receives the data read from file “ka9zcqw3l6l48a1uuba”\r\nx64dbg: After decrypting data\r\nAfter that it creates a folder named “gswccl” in “C:\\\u003cUSER\u003e\\AppData\\Roaming”, creates a file named “ratotpvvsmo.exe” in it, and uses this file for persistence by setting an auto-run value named “hhtktvn” under the registry key “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”:\r\nRegistry new value; path to executable was changed for the snapshot\r\nA quick look at “ratotpvvsmo.exe” shows that it is a copy of the “ccgkcf.exe” executable:\r\nHashCalc: hash comparison of ccgkcf.exe and ratotpvvsmo.exe\r\nProceeding with the analysis, we see that it creates a new process with its own name, injects the code that was decrypted from the “ka9zcqw3l6l48a1uuba” file into it, and then exits.\r\nProcmon: process injection\r\nAlso worth mentioning is that it uses the “Heaven’s Gate” technique, which relies on a far return to switch to 64-bit mode; this can also serve as an anti-reverse-engineering technique to protect the malware.\r\nSource: https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918"
	],
	"report_names": [
		"malware-analysis-nanocore-rat-6cae8c6df918"
	],
	"threat_actors": [],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1347e4664cb163133bc6d4440404b63e6080c2cb.pdf",
		"text": "https://archive.orkl.eu/1347e4664cb163133bc6d4440404b63e6080c2cb.txt",
		"img": "https://archive.orkl.eu/1347e4664cb163133bc6d4440404b63e6080c2cb.jpg"
	}
}