2* ID: 1513
3* MalFamily: "Nanocore"
4
5* MalScore: 10.0
6
7* File Name: "NanoCore_10a0f955d92a0988b09e81c3b5ce378f.exe"
8* File Size: 462848
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "b037a16df70f25422941f24d4b46173fcbabd86b0bcaf7c4a7b008db066e3c71"
11* MD5: "10a0f955d92a0988b09e81c3b5ce378f"
12* SHA1: "77786ccf15fb9c43d850f10c88d9017df3b01f23"
13* SHA512: "72a03892dbf75854f84d52b4b49f51cf62c1033ddc057adc4a677432ef8cee7fe1c387b2a9e4e8c43af1c72148b55e790b9e1091d384beecd1592130bdde657a"
14* CRC32: "F2BAB74E"
15* SSDEEP: "6144:JRhRT4BMwzUq/SSv0Vf45o1OJ/+L6cVPGNHzpxZXteG8dhO:zT8hdv0VfNOh26SPGNTpxttZ"
16
17* Process Execution:
18 "J24p2.exe",
19 "J24p2.exe",
20 "schtasks.exe",
21 "schtasks.exe",
22 "svchost.exe"
23
24
25* Executed Commands:
26 "\"C:\\Users\\user\\AppData\\Local\\Temp\\J24p2.exe\"",
27 "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF7B0.tmp\"",
28 "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C3.tmp\""
29
30
31* Signatures Detected:
32
33 "Description": "Behavioural detection: Executable code extraction",
34 "Details":
35
36
37 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
38 "Details":
39
40
41 "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
42 "Details":
43
44 "IP_ioc": "79.134.225.70:3940 (Switzerland)"
45
46
47 "IP_ioc": "105.112.108.176:3940 (Nigeria)"
48
49
50
51
52 "Description": "Creates RWX memory",
53 "Details":
54
55
56 "Description": "Guard pages use detected - possible anti-debugging.",
57 "Details":
58
59
60 "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
61 "Details":
62
63 "ioc": "v2.0.50727"
64
65
66
67
68 "Description": "A process created a hidden window",
69 "Details":
70
71 "Process": "J24p2.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF7B0.tmp\""
72
73
74 "Process": "J24p2.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C3.tmp\""
75
76
77
78
79 "Description": "The binary likely contains encrypted or compressed data.",
80 "Details":
81
82 "section": "name: .text, entropy: 7.25, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0006e000, virtual_size: 0x0006dc50"
83
84
85
86
87 "Description": "Uses Windows utilities for basic functionality",
88 "Details":
89
90 "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpF7B0.tmp\""
91
92
93 "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C3.tmp\""
94
95
96
97
98 "Description": "Behavioural detection: Injection (Process Hollowing)",
99 "Details":
100
101 "Injection": "J24p2.exe(940) -> J24p2.exe(2684)"
102
103
104
105
106 "Description": "Executed a process and injected code into it, probably while unpacking",
107 "Details":
108
109 "Injection": "J24p2.exe(940) -> J24p2.exe(2684)"
110
111
112
113
114 "Description": "Attempts to remove evidence of file being downloaded from the Internet",
115 "Details":
116
117 "file": "C:\\Users\\user\\AppData\\Local\\Temp\\J24p2.exe:Zone.Identifier"
118
119
120
121
122 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
123 "Details":
124
125 "Spam": "J24p2.exe (2684) called API NtYieldExecution 10234 times"
126
127
128
129
130 "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
131 "Details":
132
133 "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
134
135
136
137
138 "Description": "Installs itself for autorun at Windows startup",
139 "Details":
140
141 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
142
143
144 "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
145
146
147
148
149 "Description": "Exhibits behavior characteristic of Nanocore RAT",
150 "Details":
151
152
153 "Description": "File has been identified by 17 Antiviruses on VirusTotal as malicious",
154 "Details":
155
156 "McAfee": "Fareit-FPW!10A0F955D92A"
157
158
159 "Cylance": "Unsafe"
160
161
162 "CrowdStrike": "win/malicious_confidence_60% (D)"
163
164
165 "Invincea": "heuristic"
166
167
168 "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
169
170
171 "Symantec": "ML.Attribute.HighConfidence"
172
173
174 "APEX": "Malicious"
175
176
177 "Paloalto": "generic.ml"
178
179
180 "Endgame": "malicious (high confidence)"
181
182
183 "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.gc"
184
185
186 "Trapmine": "malicious.high.ml.score"
187
188
189 "FireEye": "Generic.mg.10a0f955d92a0988"
190
191
192 "SentinelOne": "DFI - Malicious PE"
193
194
195 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
196
197
198 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
199
200
201 "Acronis": "suspicious"
202
203
204 "Cybereason": "malicious.f15fb9"
205
206
207
208
209 "Description": "Creates a copy of itself",
210 "Details":
211
212 "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
213
214
215
216
217 "Description": "Generates some ICMP traffic",
218 "Details":
219
220
221 "Description": "Collects information to fingerprint the system",
222 "Details":
223
224
225 "Description": "Created network traffic indicative of malicious activity",
226 "Details":
227
228 "signature": "ET TROJAN Possible NanoCore C2 60B"
229
230
231
232
233
234* Started Service:
235
236* Mutexes:
237 "Global\\CLR_PerfMon_WrapMutex",
238 "Global\\CLR_CASOFF_MUTEX",
239 "Global\\323df2fa-8482-4fe0-ae2a-af543502105e",
240 "Global\\.net clr networking"
241
242
243* Modified Files:
244 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
245 "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
246 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF7B0.tmp",
247 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
248 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C3.tmp",
249 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
250 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
251
252
253* Deleted Files:
254 "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
255 "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
256 "C:\\Users\\user\\AppData\\Local\\Temp\\tmpF7B0.tmp",
257 "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C3.tmp",
258 "C:\\Users\\user\\AppData\\Local\\Temp\\J24p2.exe:Zone.Identifier",
259 "C:\\Windows\\Tasks\\DSL Subsystem.job",
260 "C:\\Windows\\Tasks\\DSL Subsystem Task.job",
261 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
262
263
264* Modified Registry Keys:
265 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem",
266 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
267 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
268 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
269 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
270 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
271 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Path",
272 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Hash",
273 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Id",
274 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Index",
275 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Triggers"
276
277
278* Deleted Registry Keys:
279 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
280 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp",
281 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job",
282 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job.fp"
283
284
285* DNS Communications:
286
287 "type": "A",
288 "request": "danishcent.duckdns.org",
289 "answers":
290
291 "data": "105.112.108.176",
292 "type": "A"
293
294
295
296
297
298* Domains:
299
300 "ip": "105.112.108.176",
301 "domain": "danishcent.duckdns.org"
302
303
304
305* Network Communication - ICMP:
306
307 "src": "63.218.207.77",
308 "dst": "169.254.255.254",
309 "type": 11,
310 "data": ""
311
312
313
314* Network Communication - HTTP:
315
316* Network Communication - SMTP:
317
318* Network Communication - Hosts:
319
320 "country_name": "Switzerland",
321 "ip": "79.134.225.70",
322 "inaddrarpa": "",
323 "hostname": ""
324
325
326 "country_name": "Nigeria",
327 "ip": "105.112.108.176",
328 "inaddrarpa": "",
329 "hostname": "danishcent.duckdns.org"
330
331
332
333* Network Communication - IRC: