- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "NanoCore_ec56cc8e321ba060e4eb52b0e296b307.pif"
- * File Size: 1140224
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "d38dbcb7d8b8b31fb112257305a6c1a90e7a304546c24e6cf6044e2ac256cf8a"
- * MD5: "ec56cc8e321ba060e4eb52b0e296b307"
- * SHA1: "2f3e2208f8fc54a205d03f4c0d3c97549277cf76"
- * SHA512: "f2fcf47bd8e19d4351bde79b4dbab11d53969319f8ae24ead0fc40b2a0f901975213ad9d18735d84659dda0ac58f9aab42b2f4098c268bfb8baefa6e4108bdb0"
- * CRC32: "0152BF26"
- * SSDEEP: "24576:yAHnh+eWsN3skA4RV1Hom2KXMmHahjGUqITLC5:1h+ZkldoPK8YaVGUBTs"
- * Process Execution:
- "P5rJQ.exe",
- "RegAsm.exe",
- "schtasks.exe",
- "schtasks.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "taskeng.exe",
- "taskeng.exe",
- "svchost.exe"
- * Executed Commands:
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpB3AE.tmp\"",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE6D.tmp\"",
- "taskeng.exe 06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 69E21F04-938C-46A8-B4AD-6FCB4F20E4CC S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe E80BCF90-2770-40E3-A64D-3E6331A4BEE3 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 6864624C-748C-42BC-951C-D9405A41132B S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 05587565-AC7C-43BF-838B-9F2EC71C2015 S-1-5-18:NT AUTHORITY\\System:Service:",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP": "185.105.236.176:2179 (Iran, Islamic Republic of)"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "RegAsm.exe tried to sleep 1368 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 315 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 601 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: P5rJQ.exe, pid: 2484, offset: 0x00000000, length: 0x00116600"
- "self_read": "process: RegAsm.exe, pid: 2900, offset: 0x00000000, length: 0x00001000"
- "self_read": "process: RegAsm.exe, pid: 2900, offset: 0x00000080, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2900, offset: 0x00000178, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2900, offset: 0x0000a720, length: 0x00000200"
- "self_read": "process: RegAsm.exe, pid: 2900, offset: 0x0000a73c, length: 0x00000200"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "RegAsm.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpB3AE.tmp\""
- "Process": "RegAsm.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE6D.tmp\""
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rsrc, entropy: 7.86, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0004c000, virtual_size: 0x0004bf4c"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpB3AE.tmp\""
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE6D.tmp\""
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "P5rJQ.exe(2484) -> RegAsm.exe(2900)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "P5rJQ.exe(2484) -> RegAsm.exe(2900)"
- "Description": "Attempts to remove evidence of file being downloaded from the Internet",
- "Details":
- "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier"
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
- "Details":
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\eoyxwfmnmydtdsnhhxqv"
- "data": "C:\\Users\\Public\\eoyxwfmnmydtdsnhhxqv.vbs"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
- "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "taskeng.exe:660"
- "Description": "File has been identified by 26 Antiviruses on VirusTotal as malicious",
- "Details":
- "McAfee": "Trojan-AitInject.aq"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_80% (W)"
- "Alibaba": "Trojan:Win32/AutoitInject.984ef763"
- "F-Prot": "W32/Autoit.G.gen!Eldorado"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.EGA"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Avast": "Win32:Trojan-gen"
- "Rising": "Trojan.Obfus/Autoit!1.BB81 (CLASSIC)"
- "Endgame": "malicious (high confidence)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
- "FireEye": "Generic.mg.ec56cc8e321ba060"
- "Cyren": "W32/Autoit.G.gen!Eldorado"
- "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
- "Microsoft": "Trojan:Win32/AutoitInject.BH!MTB"
- "AegisLab": "Trojan.Multi.Generic.4!c"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "AhnLab-V3": "Win-Trojan/Autoinj02.Exp"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=100)"
- "Fortinet": "AutoIt/Injector.EFY!tr"
- "AVG": "Win32:Trojan-gen"
- "Qihoo-360": "HEUR/QVM10.1.7B5F.Malware.Gen"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\difx64\\GenValObj.bat"
- "percent_match": 100
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Possible NanoCore C2 60B"
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\57ffda26-c21f-4689-a222-3f698e68773b",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\difx64\\GenValObj.bat",
- "C:\\Users\\Public\\eoyxwfmnmydtdsnhhxqv.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpB3AE.tmp",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE6D.tmp",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\PIPE\\srvsvc",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
- * Deleted Files:
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpB3AE.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE6D.tmp",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier",
- "C:\\Windows\\Tasks\\DSL Subsystem.job",
- "C:\\Windows\\Tasks\\DSL Subsystem Task.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\eoyxwfmnmydtdsnhhxqv",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DB552228-963B-4834-85B5-1AB46FE86BF1\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DB552228-963B-4834-85B5-1AB46FE86BF1\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DB552228-963B-4834-85B5-1AB46FE86BF1\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6695562F-EAB8-491E-BD4B-50D4AC2F08F6\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6695562F-EAB8-491E-BD4B-50D4AC2F08F6\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6695562F-EAB8-491E-BD4B-50D4AC2F08F6\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6864624C-748C-42BC-951C-D9405A41132B",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\05587565-AC7C-43BF-838B-9F2EC71C2015",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\6864624C-748C-42BC-951C-D9405A41132B\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\05587565-AC7C-43BF-838B-9F2EC71C2015\\data"
- * Deleted Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "calitus.hopto.org",
- "answers":
- "data": "185.105.236.176",
- "type": "A"
- * Domains:
- "ip": "185.105.236.176",
- "domain": "calitus.hopto.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Iran, Islamic Republic of",
- "ip": "185.105.236.176",
- "inaddrarpa": "",
- "hostname": "calitus.hopto.org"
- * Network Communication - IRC: