paladin316

1682NanoCore_fb229b03784ad63ca1a7cc6191364158_exe_2019-09-12_13_30.txt

Sep 12th, 2019
  1.  
  2. * ID: 1682
  3. * MalFamily: "Nanocore"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "NanoCore_fb229b03784ad63ca1a7cc6191364158.exe"
  8. * File Size: 507904
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "f54f5002fa901362b43715d5f581b984621bee92a1ce11f86b91aa8656c0f56d"
  11. * MD5: "fb229b03784ad63ca1a7cc6191364158"
  12. * SHA1: "151672d769dc811fe30b7ea68a80f9233eb2bf5a"
  13. * SHA512: "27ab7abeb98327cb743e6fe62a0c5dd8b360c4b8aafa3c6838986c02ada30e38e3511ea5b093ddf165dbac060e1e8ba646cbcb86c04e9b3fdce9906fdf1802b6"
  14. * CRC32: "60F3A159"
  15. * SSDEEP: "12288:xtV8DgLybOGNyOArVD36fDlPqIwo3Zg8:xtVV+bOGEOI3WDlPqeZg8"
  16.  
  17. * Process Execution:
  18. "whbhv.exe",
  19. "whbhv.exe",
  20. "schtasks.exe",
  21. "schtasks.exe",
  22. "svchost.exe"
  23.  
  24.  
  25. * Executed Commands:
  26. "\"C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe\"",
  27. "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\"",
  28. "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
  29.  
  30.  
  31. * Signatures Detected:
  32.  
  33. "Description": "Behavioural detection: Executable code extraction",
  34. "Details":
  35.  
  36.  
  37. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  38. "Details":
  39.  
  40.  
  42. "Description": "Attempts to connect to a dead IP:Port (1 unique time; the C2 endpoint did not respond during this run, so no session traffic was captured)",
  42. "Details":
  43.  
  44. "IP_ioc": "79.134.225.74:2177 (Switzerland)"
  45.  
  46.  
  47.  
  48.  
  49. "Description": "Possible date expiration check, exits too soon after checking local time",
  50. "Details":
  51.  
  52. "process": "whbhv.exe, PID 2220"
  53.  
  54.  
  55.  
  56.  
  57. "Description": "Guard pages use detected - possible anti-debugging.",
  58. "Details":
  59.  
  60.  
  61. "Description": "A process attempted to delay the analysis task.",
  62. "Details":
  63.  
  64. "Process": "whbhv.exe tried to sleep 1032 seconds, actually delayed analysis time by 0 seconds"
  65.  
  66.  
  67. "Process": "svchost.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  68.  
  69.  
  70.  
  71.  
  72. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  73. "Details":
  74.  
  75. "ioc": "v2.0.50727 (this is the .NET CLR 2.0 runtime version string, consistent with the CLR mutexes listed below; treat it as a likely false positive rather than a network or file IOC)"
  76.  
  77.  
  78.  
  79.  
  80. "Description": "A process created a hidden window",
  81. "Details":
  82.  
  83. "Process": "whbhv.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\""
  84.  
  85.  
  86. "Process": "whbhv.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
  87.  
  88.  
  89.  
  90.  
  91. "Description": "The binary likely contains encrypted or compressed data.",
  92. "Details":
  93.  
  94. "section": "name: .text, entropy: 7.11, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00079000, virtual_size: 0x00078bf0"
  95.  
  96.  
  97.  
  98.  
  99. "Description": "Uses Windows utilities for basic functionality",
  100. "Details":
  101.  
  102. "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp\""
  103.  
  104.  
  105. "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp\""
  106.  
  107.  
  108.  
  109.  
  110. "Description": "Behavioural detection: Injection (Process Hollowing)",
  111. "Details":
  112.  
  113. "Injection": "whbhv.exe(2220) -> whbhv.exe(2988)"
  114.  
  115.  
  116.  
  117.  
  118. "Description": "Executed a process and injected code into it, probably while unpacking",
  119. "Details":
  120.  
  121. "Injection": "whbhv.exe(2220) -> whbhv.exe(2988)"
  122.  
  123.  
  124.  
  125.  
  126. "Description": "Attempts to remove evidence of file being downloaded from the Internet",
  127. "Details":
  128.  
  129. "file": "C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe:Zone.Identifier"
  130.  
  131.  
  132.  
  133.  
  134. "Description": "Attempts to execute a Living Off The Land Binary command for post-exploitation",
  135. "Details":
  136.  
  137. "MITRE T1053 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation) — note: the sandbox originally labelled this T1078 (Valid Accounts); persistence via schtasks.exe /create maps to T1053 Scheduled Task/Job, which matches the listed tactics"
  138.  
  139.  
  140.  
  141.  
  142. "Description": "Installs itself for autorun at Windows startup",
  143. "Details":
  144.  
  145. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
  146.  
  147.  
  148. "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  149.  
  150.  
  151.  
  152.  
  153. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  154. "Details":
  155.  
  156.  
  157. "Description": "File has been identified by 16 Antiviruses on VirusTotal as malicious",
  158. "Details":
  159.  
  160. "FireEye": "Generic.mg.fb229b03784ad63c"
  161.  
  162.  
  163. "Cylance": "Unsafe"
  164.  
  165.  
  166. "Cybereason": "malicious.769dc8"
  167.  
  168.  
  169. "Invincea": "heuristic"
  170.  
  171.  
  172. "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
  173.  
  174.  
  175. "Symantec": "ML.Attribute.HighConfidence"
  176.  
  177.  
  178. "APEX": "Malicious"
  179.  
  180.  
  181. "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.gc"
  182.  
  183.  
  184. "Trapmine": "malicious.high.ml.score"
  185.  
  186.  
  187. "SentinelOne": "DFI - Suspicious PE"
  188.  
  189.  
  190. "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
  191.  
  192.  
  193. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  194.  
  195.  
  196. "Endgame": "malicious (high confidence)"
  197.  
  198.  
  199. "Acronis": "suspicious"
  200.  
  201.  
  202. "McAfee": "Fareit-FPW!FB229B03784A"
  203.  
  204.  
  205. "CrowdStrike": "win/malicious_confidence_70% (D)"
  206.  
  207.  
  208.  
  209.  
  210. "Description": "Creates a copy of itself",
  211. "Details":
  212.  
  213. "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  214.  
  215.  
  216.  
  217.  
  218. "Description": "Collects information to fingerprint the system",
  219. "Details":
  220.  
  221.  
  222.  
  223. * Started Service:
  224.  
  225. * Mutexes:
  226. "Global\\CLR_PerfMon_WrapMutex",
  227. "Global\\CLR_CASOFF_MUTEX",
  228. "Global\\57ac23a9-49e6-40ed-b469-3425e518602c",
  229. "Global\\.net clr networking"
  230.  
  231.  
  232. * Modified Files:
  233. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
  234. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
  235. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp",
  236. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat",
  237. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp",
  238. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  239. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
  240.  
  241.  
  242. * Deleted Files:
  243. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
  244. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
  245. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6206.tmp",
  246. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CF4.tmp",
  247. "C:\\Users\\user\\AppData\\Local\\Temp\\whbhv.exe:Zone.Identifier",
  248. "C:\\Windows\\Tasks\\DSL Subsystem.job",
  249. "C:\\Windows\\Tasks\\DSL Subsystem Task.job",
  250. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  251.  
  252.  
  253. * Modified Registry Keys:
  254. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem",
  255. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Path",
  256. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Hash",
  257. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id",
  258. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index",
  259. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\3F840E57-A70C-4327-8D4C-6299DE36D6F0\\Triggers",
  260. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Path",
  261. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Hash",
  262. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Id",
  263. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem Task\\Index",
  264. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\51DBD72A-CC84-4922-8645-8823E24A7109\\Triggers"
  265.  
  266.  
  267. * Deleted Registry Keys:
  268. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job",
  269. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp",
  270. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job",
  271. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem Task.job.fp"
  272.  
  273.  
  274. * DNS Communications:
  275.  
  276. "type": "A",
  277. "request": "harri2gud.duckdns.org",
  278. "answers":
  279.  
  280.  
  281.  
  282. * Domains:
  283.  
  284. "ip": "79.134.225.74",
  285. "domain": "harri2gud.duckdns.org"
  286.  
  287.  
  288.  
  289. * Network Communication - ICMP:
  290.  
  291. * Network Communication - HTTP:
  292.  
  293. * Network Communication - SMTP:
  294.  
  295. * Network Communication - Hosts:
  296.  
  297. "country_name": "Switzerland",
  298. "ip": "79.134.225.74",
  299. "inaddrarpa": "",
  300. "hostname": ""
  301.  
  302.  
  303.  
  304. * Network Communication - IRC: