Decrypting NanoCore config and dump all plugins
By NexusFuzzy
Published: 2020-09-10 · Archived: 2026-04-05 14:12:16 UTC
Press enter or click to view image in full size
Even after the arresting of the developer NanoCore remains relevant due to its cracked versions
While the original author of NanoCore was arrested back in 2017 and plead guilty, pirated copies of his creation
keep floating around the internet making it available to even the most amateurish “threat actors”.
As stated in my other article about AgentTesla, the main focus for an analyst should be to squeeze out the IOCs
(Indicators of compromise) as fast as possible to be able to move on to more interesting threats. That’s why I
created a decryptor for NanoCore which does not only dump the config but also all used plugins.
The dissection
NanoCore comes with a comfortable to use Server/Builder which doesn’t need any technical experience at all:
Press enter or click to view image in full size
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 1 of 6

The builder for NanoCore
In cases of those builders, most of the time the “client” which gets distributed to victims remains the same, just the
configuration gets embedded in one way or another so this is the first step in our process: Finding out how the
plugins and config are getting embedded in the client.
For this reason, I built my own client and used de4dot to deobfuscate the created file:
Press enter or click to view image in full size
As you may notice on the path I’m using one of the cracked versions of NanoCore
Afterwards you can open up the sample in dnSpy and begin reversing the sample as you normally would. During
this process I found an interesting function:
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 2 of 6

Press enter or click to view image in full size
So what does this mean? Well, it’s a strong indicator that the client is accessing its native resource(s) which could
be the perfect place to embed a dynamic configuration. Let’s dig deeper…
Get NexusFuzzy’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
After anaylizing where those functions are used I stumbled across this function:
Press enter or click to view image in full size
Looks like our assumption was right!
What this function does, is to find a resource by its number and afterwards loading its content into a byte array.
Let’s have a look at this resource with Resource Hacker, maybe we can find some clear text strings for a quick
win:
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 3 of 6

Press enter or click to view image in full size
Doesn’t look really readable to be honest
Could it be that the resource is encrypted? Let’s have a look! To see this we follow the rabbit hole and see where
our function to load the resource is referenced:
Press enter or click to view image in full size
Don’t mind that my functions have other names than the original binary
If we open up this function we can see some interesting things:
Press enter or click to view image in full size
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 4 of 6

Let’s examine the interesting parts:
First, it’s getting the Guid of itsself and passing this guid together with 4 byte integer to some sort of decryption
method:
Press enter or click to view image in full size
The returning byte array is used to initialize a DES encryptor & decryptor using the byte array as Key and IV:
Press enter or click to view image in full size
This decryptor is then used to decrypt the config and plugins.
Let’s summarize: First, it’s getting its guid and uses it to get the key itsself which was used to encrypt the resource
file. The fact, that the Guid is created by the server randomly for every new client which is build lead me to the
initial conclusion that you have to extract the Guid from the sample to dynamically dump the config — Well, I
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 5 of 6

was wrong. The guid changes but the key remains the same so you could skip this step but I left it in my tool since
this may change from version to version and I would like to keep it dynamically.
After having realized how those steps are working together I was able to come up with a decryptor which you can
find in my GitHub repo called NanoDump.
Press enter or click to view image in full size
Source of NanoDump
As you can see, I replicated the neccessary steps to reach the goal to decrypt and dump the details of NanoCore.
If you have any questions, feel free to drop me a message on Twitter or open a GitHub issue!
Source: https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
Page 6 of 6