Loading ...

Play interactive tourEdit tour

Analysis Report GxJPP1P6.exe

Overview

General Information

Sample Name:GxJPP1P6.exe
Analysis ID:285179
MD5:ce9f619cb4e70118128afc00c60faa3a
SHA1:69f8ae3c7d4a22d0c20ead0d810b2d7723e4f161
SHA256:1a25dfe77d53a45af68ca9bb5bfe81e30fe2f9e5e720096f5e2b447d182495a5

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Startup

  • System is w10x64
  • GxJPP1P6.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\GxJPP1P6.exe' MD5: CE9F619CB4E70118128AFC00C60FAA3A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
GxJPP1P6.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
GxJPP1P6.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
GxJPP1P6.exeJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    GxJPP1P6.exeNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x6dbf:$a: NanoCore
      • 0x6de4:$a: NanoCore
      • 0x6e3d:$a: NanoCore
      • 0x16fda:$a: NanoCore
      • 0x17000:$a: NanoCore
      • 0x1705c:$a: NanoCore
      • 0x23eb1:$a: NanoCore
      • 0x23f0a:$a: NanoCore
      • 0x23f3d:$a: NanoCore
      • 0x24169:$a: NanoCore
      • 0x241e5:$a: NanoCore
      • 0x247fe:$a: NanoCore
      • 0x24947:$a: NanoCore
      • 0x24e1b:$a: NanoCore
      • 0x25102:$a: NanoCore
      • 0x25119:$a: NanoCore
      • 0x2a6b7:$a: NanoCore
      • 0x2a731:$a: NanoCore
      • 0x2f2ce:$a: NanoCore
      • 0x30688:$a: NanoCore
      • 0x306d2:$a: NanoCore
      Process Memory Space: GxJPP1P6.exe PID: 6708Nanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1a2bc2:$x1: NanoCore.ClientPluginHost
      • 0x217c4f:$x1: NanoCore.ClientPluginHost
      • 0x222569:$x1: NanoCore.ClientPluginHost
      • 0x2350e4:$x1: NanoCore.ClientPluginHost
      • 0x237ace:$x1: NanoCore.ClientPluginHost
      • 0x23af23:$x1: NanoCore.ClientPluginHost
      • 0x23db0e:$x1: NanoCore.ClientPluginHost
      • 0x244cb2:$x1: NanoCore.ClientPluginHost
      • 0x249b0d:$x1: NanoCore.ClientPluginHost
      • 0x2562e7:$x1: NanoCore.ClientPluginHost
      • 0x271c87:$x1: NanoCore.ClientPluginHost
      • 0x280642:$x1: NanoCore.ClientPluginHost
      • 0x1a2c23:$x2: IClientNetworkHost
      • 0x217c91:$x2: IClientNetworkHost
      • 0x2225ae:$x2: IClientNetworkHost
      • 0x235141:$x2: IClientNetworkHost
      • 0x237b2b:$x2: IClientNetworkHost
      • 0x23dd7a:$x2: IClientNetworkHost
      • 0x244d0f:$x2: IClientNetworkHost
      • 0x249b33:$x2: IClientNetworkHost
      • 0x25630d:$x2: IClientNetworkHost
      Click to see the 2 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.0.GxJPP1P6.exe.c10000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      1.0.GxJPP1P6.exe.c10000.0.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      1.0.GxJPP1P6.exe.c10000.0.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        1.0.GxJPP1P6.exe.c10000.0.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\GxJPP1P6.exe, ProcessId: 6708, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Antivirus / Scanner detection for submitted sampleShow sources
        Source: GxJPP1P6.exeAvira: detected
        Multi AV Scanner detection for domain / URLShow sources
        Source: deaphnote.ddns.netVirustotal: Detection: 8%Perma Link
        Multi AV Scanner detection for submitted fileShow sources
        Source: GxJPP1P6.exeVirustotal: Detection: 79%Perma Link
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: GxJPP1P6.exe, type: SAMPLE
        Source: Yara matchFile source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORY
        Source: Yara matchFile source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPE
        Machine Learning detection for sampleShow sources
        Source: GxJPP1P6.exeJoe Sandbox ML: detected
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49713 -> 185.244.30.3:3606
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: deaphnote.ddns.net
        Source: global trafficTCP traffic: 192.168.2.5:49713 -> 185.244.30.3:3606
        Source: Joe Sandbox ViewASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
        Source: unknownDNS traffic detected: queries for: deaphnote.ddns.net
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpString found in binary or memory: http://google.com

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: GxJPP1P6.exe, type: SAMPLE
        Source: Yara matchFile source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORY
        Source: Yara matchFile source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: GxJPP1P6.exe, type: SAMPLEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: GxJPP1P6.exe, type: SAMPLEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs GxJPP1P6.exe
        Source: GxJPP1P6.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: GxJPP1P6.exe, type: SAMPLEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: GxJPP1P6.exe, type: SAMPLEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: GxJPP1P6.exeStatic PE information: Section: .rsrc ZLIB complexity 0.996569113757
        Source: GxJPP1P6.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: GxJPP1P6.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: GxJPP1P6.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: GxJPP1P6.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: GxJPP1P6.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@1/4@1/1
        Source: C:\Users\user\Desktop\GxJPP1P6.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{8a87abf2-eee0-4055-b367-0a0ea67cfc6e}
        Source: C:\Users\user\Desktop\GxJPP1P6.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: GxJPP1P6.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\GxJPP1P6.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: GxJPP1P6.exeVirustotal: Detection: 79%
        Source: C:\Users\user\Desktop\GxJPP1P6.exeFile read: C:\Users\user\Desktop\GxJPP1P6.exeJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: GxJPP1P6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\GxJPP1P6.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: GxJPP1P6.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: GxJPP1P6.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: GxJPP1P6.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: GxJPP1P6.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.0.GxJPP1P6.exe.c10000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\GxJPP1P6.exeFile opened: C:\Users\user\Desktop\GxJPP1P6.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWindow / User API: threadDelayed 1233Jump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWindow / User API: foregroundWindowGot 699Jump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWindow / User API: foregroundWindowGot 678Jump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exe TID: 6736Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exe TID: 6732Thread sleep time: -260000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeMemory allocated: page read and write | page guardJump to behavior
        Source: GxJPP1P6.exe, 00000001.00000003.197194644.000000000126A000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: C:\Users\user\Desktop\GxJPP1P6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\GxJPP1P6.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: GxJPP1P6.exe, type: SAMPLE
        Source: Yara matchFile source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORY
        Source: Yara matchFile source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: GxJPP1P6.exe, 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: GxJPP1P6.exe, 00000001.00000003.194380048.00000000047D3000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: GxJPP1P6.exeString found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: GxJPP1P6.exe, type: SAMPLE
        Source: Yara matchFile source: 00000001.00000000.187225852.0000000000C12000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: GxJPP1P6.exe PID: 6708, type: MEMORY
        Source: Yara matchFile source: 1.0.GxJPP1P6.exe.c10000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Path InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothRemote Access Software1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.