Loading ...

Play interactive tourEdit tour

Analysis Report AFP.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:223279
Start date:17.04.2020
Start time:08:04:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:AFP.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.troj.evad.winEXE@3/3@1/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 1% (good quality ratio 0.3%)
  • Quality average: 25.8%
  • Quality standard deviation: 39.9%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 116
  • Number of non-executed functions: 20
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.158.208.111, 2.18.68.82, 92.123.22.235
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, e5684.g.akamaiedge.net, fs.microsoft.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold800 - 100false
Nanocore
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation1Winlogon Helper DLLAccess Token Manipulation1Masquerading1Credential DumpingVirtualization/Sandbox Evasion14Application Deployment SoftwareData from Local SystemData Encrypted1Standard Cryptographic Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsProcess Injection11Software Packing1Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionDisabling Security Tools1Input CaptureSecurity Software Discovery231Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingVirtualization/Sandbox Evasion14Credentials in FilesRemote System Discovery1Logon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessAccess Token Manipulation1Account ManipulationSystem Information Discovery21Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceTimestomp1Brute ForceSystem Owner/User DiscoveryThird-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskProcess Injection11Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionObfuscated Files or Information2Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessDLL Side-Loading1Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORY

Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: site-cdn.onenote.net
Urls found in memory or binary dataShow sources
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmp, AFP.exe, 00000000.00000003.533968282.0000000005A1B000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmp, AFP.exe, 00000000.00000003.533308743.0000000005A1B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: AFP.exe, 00000000.00000003.533224166.0000000005A1B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.coms
Source: AFP.exe, 00000000.00000003.536738055.0000000005A0A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: AFP.exe, 00000000.00000003.537428847.0000000005A0D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn-
Source: AFP.exe, 00000000.00000003.537243823.0000000005A3D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: AFP.exe, 00000000.00000003.536107970.0000000005A0A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/F
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: AFP.exe, 00000000.00000003.536107970.0000000005A0A000.00000004.00000001.sdmp, AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: AFP.exe, 00000000.00000003.536107970.0000000005A0A000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krt
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: AFP.exe, 00000000.00000003.536107970.0000000005A0A000.00000004.00000001.sdmp, AFP.exe, 00000000.00000003.535862064.0000000005A0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: AFP.exe, 00000000.00000002.568081142.0000000005AF6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large stringsShow sources
Source: AFP.exe, EChartsNet/ClassCore.csLong String: Length: 86015
Source: 0.2.AFP.exe.d40000.0.unpack, EChartsNet/ClassCore.csLong String: Length: 86015
Source: 0.0.AFP.exe.d40000.0.unpack, EChartsNet/ClassCore.csLong String: Length: 86015
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A1A16 NtQueryInformationProcess,0_2_057A1A16
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A1B86 NtQuerySystemInformation,0_2_057A1B86
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A1B4B NtQuerySystemInformation,0_2_057A1B4B
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A19F4 NtQueryInformationProcess,0_2_057A19F4
Creates files inside the system directoryShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile created: C:\Windows\AppCompat\Programs\Amcache.hve.tmpJump to behavior
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323B7B00_2_0323B7B0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03233BF10_2_03233BF1
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323BBD80_2_0323BBD8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03239E3F0_2_03239E3F
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03232AF00_2_03232AF0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032332D90_2_032332D9
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03230D810_2_03230D81
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032337210_2_03233721
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032367A80_2_032367A8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032367B80_2_032367B8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03231F890_2_03231F89
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032357880_2_03235788
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032357980_2_03235798
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03236BC00_2_03236BC0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03236BD00_2_03236BD0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323A6200_2_0323A620
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323A6280_2_0323A628
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032362000_2_03236200
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03232A4E0_2_03232A4E
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03232A5E0_2_03232A5E
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032355A80_2_032355A8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032369880_2_03236988
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03236D900_2_03236D90
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032369980_2_03236998
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032361F00_2_032361F0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032364A20_2_032364A2
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323ACA00_2_0323ACA0
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323A0A80_2_0323A0A8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_0323A0B80_2_0323A0B8
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_072500700_2_07250070
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_00D4537B0_2_00D4537B
One or more processes crashShow sources
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1340
Sample file is different than original file name gathered from version infoShow sources
Source: AFP.exeBinary or memory string: OriginalFilename vs AFP.exe
Source: AFP.exe, 00000000.00000002.579907290.00000000089D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs AFP.exe
Source: AFP.exe, 00000000.00000002.560827377.0000000000D42000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBbLbE.exe6 vs AFP.exe
Source: AFP.exe, 00000000.00000002.567903376.00000000058D0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDefender Protect.dllB vs AFP.exe
Source: AFP.exeBinary or memory string: OriginalFilenameBbLbE.exe6 vs AFP.exe
Tries to load missing DLLsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dllJump to behavior
Yara signature matchShow sources
Source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Classification labelShow sources
Source: classification engineClassification label: mal80.troj.evad.winEXE@3/3@1/0
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A1772 AdjustTokenPrivileges,0_2_057A1772
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_057A173B AdjustTokenPrivileges,0_2_057A173B
Creates mutexesShow sources
Source: C:\Users\user\Desktop\AFP.exeMutant created: \Sessions\1\BaseNamedObjects\NzQrUkdRYeClbqDtHLlWR
Creates temporary filesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFD6.tmpJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: AFP.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Users\user\Desktop\AFP.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\AFP.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Users\user\Desktop\AFP.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\AFP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\AFP.exeFile read: C:\Users\user\Desktop\AFP.exeJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\AFP.exe 'C:\Users\user\Desktop\AFP.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1340
Source: C:\Users\user\Desktop\AFP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1340Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\AFP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
Uses Microsoft SilverlightShow sources
Source: C:\Users\user\Desktop\AFP.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
PE file contains a COM descriptor data directoryShow sources
Source: AFP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR DllsShow sources
Source: C:\Users\user\Desktop\AFP.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: AFP.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: AFP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: symbols\dll\mscorlib.pdb source: AFP.exe, 00000000.00000002.561273289.0000000001166000.00000004.00000010.sdmp
Source: Binary string: lib.pdb source: AFP.exe, 00000000.00000002.562615942.0000000003240000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: AFP.exe, 00000000.00000002.562615942.0000000003240000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: AFP.exe, 00000000.00000002.567903376.00000000058D0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbd source: AFP.exe, 00000000.00000002.562615942.0000000003240000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: AFP.exe, 00000000.00000002.579907290.00000000089D0000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Binary contains a suspicious time stampShow sources
Source: initial sampleStatic PE information: 0xA24DBC77 [Sat Apr 15 05:51:51 2056 UTC]
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B8D7D push edi; iretd 0_2_015B8D7E
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B816A push ebp; ret 0_2_015B81D1
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B95D1 push edi; iretd 0_2_015B95D2
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B819A push ebp; ret 0_2_015B81D1
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B4048 push eax; ret 0_2_015B4049
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_015B341C pushad ; ret 0_2_015B341D
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_03238BDB push ebp; retf 0_2_03238BDC
Source: C:\Users\user\Desktop\AFP.exeCode function: 0_2_032370DF push edi; iretd 0_2_032370E6
Binary may include packed or encrypted codeShow sources
Source: initial sampleStatic PE information: section name: .text entropy: 6.8094574278

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3Show sources
Source: Yara matchFile source: Process Memory Space: AFP.exe PID: 4880, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
Source: C:\Users\user\Desktop\AFP.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machinesShow sources
Source: C:\Users\user\Desktop\AFP.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
Source: C:\Users\user\Desktop\AFP.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
Source: C:\Users\user\Desktop\AFP.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
Source: C:\Users\user\Desktop\AFP.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0Jump to behavior
Source: C:\Users\user\Desktop\AFP.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Desktop\AFP.exe TID: 4704Thread sleep time: -65000s >= -30000sJump to behavior
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0Jump to behavior
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: vmware
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: qA"SOFTWARE\VMware, Inc.\VMware Tools
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: VMWARE
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: q#"SOFTWARE\VMware, Inc.\VMware Tools
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: q87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: AFP.exe, 00000000.00000002.563907589.0000000003590000.00000004.00000001.sdmpBinary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsP
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\AFP.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks if the current process is being debuggedShow sources
Source: C:\Users\user\Desktop\AFP.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\AFP.exeProcess queried: DebugPortJump to behavior
Enables debug privilegesShow sources
Source: C:\Users\user\Desktop\AFP.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Users\user\Desktop\AFP.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\AFP.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1340Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AFP.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Nanocore RATShow sources
Source: Yara matchFile source: 00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmp, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

TimeTypeDescription
08:05:02API Interceptor1x Sleep call for process: AFP.exe modified
08:05:05API Interceptor1x Sleep call for process: dw20.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
site-cdn.onenote.net0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.founder.com.cn/cn/0%VirustotalBrowse
http://www.founder.com.cn/cn/0%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%VirustotalBrowse
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://fontfabrik.com0%VirustotalBrowse
http://fontfabrik.com0%URL Reputationsafe
http://www.founder.com.cn/cn0%VirustotalBrowse
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.founder.com.cn/cn-0%Avira URL Cloudsafe
http://www.founder.com.cn/cn/bThe1%VirustotalBrowse
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/0%VirustotalBrowse
http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
http://www.goodfont.co.krt0%Avira URL Cloudsafe
http://www.tiro.com0%VirustotalBrowse
http://www.tiro.com0%URL Reputationsafe
http://www.sandoll.co.kr0%VirustotalBrowse
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.fonts.coms0%Avira URL Cloudsafe
http://www.founder.com.cn/cn/F0%Avira URL Cloudsafe
http://www.goodfont.co.kr0%VirustotalBrowse
http://www.goodfont.co.kr0%URL Reputationsafe
http://www.zhongyicts.com.cn0%VirustotalBrowse
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.sakkal.com0%VirustotalBrowse
http://www.sakkal.com0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.sajatypeworks.com0%VirustotalBrowse
http://www.sajatypeworks.com0%URL Reputationsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xa865d:$x1: NanoCore.ClientPluginHost
  • 0xa869a:$x2: IClientNetworkHost
  • 0xac1cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.566676032.000000000462B000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xa83c5:$a: NanoCore
    • 0xa83d5:$a: NanoCore
    • 0xa8609:$a: NanoCore
    • 0xa861d:$a: NanoCore
    • 0xa865d:$a: NanoCore
    • 0xa8424:$b: ClientPlugin
    • 0xa8626:$b: ClientPlugin
    • 0xa8666:$b: ClientPlugin
    • 0xa854b:$c: ProjectData
    • 0xa8f52:$d: DESCrypto
    • 0xb091e:$e: KeepAlive
    • 0xae90c:$g: LogClientMessage
    • 0xaab07:$i: get_Connected
    • 0xa9288:$j: #=q
    • 0xa92b8:$j: #=q
    • 0xa92d4:$j: #=q
    • 0xa9304:$j: #=q
    • 0xa9320:$j: #=q
    • 0xa933c:$j: #=q
    • 0xa936c:$j: #=q
    • 0xa9388:$j: #=q
    Process Memory Space: AFP.exe PID: 4880JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

      Unpacked PEs

      No yara matches

      Sigma Overview

      No Sigma rule has matched

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.