Play interactive tour

Edit tour

Windows Analysis Report Orderpdf.exe

Overview

General Information

Sample Name:	Orderpdf.exe
Analysis ID:	458217
MD5:	2849c98c8d071260b2618beacf873a98
SHA1:	2431f573d98aaaaa1752b73c4a5f53e8b4660e50
SHA256:	959536bfd1cf19758dde804eaf7e1d38585b573ccf4dc327898979f29cac33a8
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Orderpdf.exe (PID: 1268 cmdline: 'C:\Users\user\Desktop\Orderpdf.exe' MD5: 2849C98C8D071260B2618BEACF873A98)

MSBuild.exe (PID: 5876 cmdline: 'C:\Users\user\Desktop\Orderpdf.exe' MD5: 88BBB7610152B48C2B3879473B17857E)

schtasks.exe (PID: 4436 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6004 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "8a1be7ed-1b25-4346-8844-80b424a6", "Group": "Default", "Domain1": "sobe123.ddns.net", "Domain2": "127.0.0.1", "Port": 5656, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5024, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Process Memory Space: Orderpdf.exe PID: 1268	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x70948:$x1: NanoCore.ClientPluginHost 0x70985:$x2: IClientNetworkHost 0x74476:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f4e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Orderpdf.exe PID: 1268	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Orderpdf.exe PID: 1268	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x70615:$a: NanoCore 0x70625:$a: NanoCore 0x706e4:$a: NanoCore 0x706f3:$a: NanoCore 0x708f4:$a: NanoCore 0x70908:$a: NanoCore 0x70948:$a: NanoCore 0x7bb4e:$a: NanoCore 0x7bb60:$a: NanoCore 0x7bb9c:$a: NanoCore 0x70674:$b: ClientPlugin 0x7073d:$b: ClientPlugin 0x70911:$b: ClientPlugin 0x70951:$b: ClientPlugin 0x7bb69:$b: ClientPlugin 0x7bba5:$b: ClientPlugin 0x70836:$c: ProjectData 0x7ba9b:$c: ProjectData 0x7120a:$d: DESCrypto 0x7c3f9:$d: DESCrypto 0x78bc7:$e: KeepAlive
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Orderpdf.exe.2120000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orderpdf.exe.2120000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.Orderpdf.exe.2120000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orderpdf.exe.2120000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Orderpdf.exe.2120000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Orderpdf.exe.2120000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Orderpdf.exe.2120000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Orderpdf.exe.2120000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 3 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 5876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "8a1be7ed-1b25-4346-8844-80b424a6", "Group": "Default", "Domain1": "sobe123.ddns.net", "Domain2": "127.0.0.1", "Port": 5656, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5024, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: Orderpdf.exe	Virustotal: Detection: 27%			Perma Link
Source: Orderpdf.exe	ReversingLabs: Detection: 21%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: Orderpdf.exe

Joe Sandbox ML: detected

Source: Orderpdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: wntdll.pdbUGP source: Orderpdf.exe, 00000000.00000003.202490567.0000000002470000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Orderpdf.exe, 00000000.00000003.202490567.0000000002470000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_0042E672 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49714 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 185.244.30.22:5656
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 185.244.30.22:5656

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: sobe123.ddns.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: sobe123.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49706 -> 185.244.30.22:5656

Source: Joe Sandbox View

IP Address: 185.244.30.22 185.244.30.22

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.71

Source: unknown

DNS traffic detected: queries for: sobe123.ddns.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Orderpdf.exe

Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00477095
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00430525
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042CA20
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00416A80
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00426F60
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042502A
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042D129
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00425287
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00419340
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00433646
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00433766
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4_2_02A30708

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: String function: 00421060 appears 33 times

Source: Orderpdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Orderpdf.exe, 00000000.00000003.201065384.00000000023F6000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs Orderpdf.exe

Source: Orderpdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: MSBuild.exe, 00000004.00000002.214099841.0000000002F71000.00000004.00000001.sdmp

Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/6@20/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8a1be7ed-1b25-4346-8844-80b424a6856e}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\tmp86BE.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Orderpdf.exe

Command line argument: .KC

Source: Orderpdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\Orderpdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Orderpdf.exe	Virustotal: Detection: 27%
Source: Orderpdf.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Orderpdf.exe

File read: C:\Users\user\Desktop\Orderpdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Orderpdf.exe 'C:\Users\user\Desktop\Orderpdf.exe'
Source: C:\Users\user\Desktop\Orderpdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\Orderpdf.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Orderpdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\Orderpdf.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Orderpdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Orderpdf.exe, 00000000.00000003.202490567.0000000002470000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Orderpdf.exe, 00000000.00000003.202490567.0000000002470000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_004210A6 push ecx; ret

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 405
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 1041
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 354

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5984	Thread sleep time: -460000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5608	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_0042E672 FindFirstFileExW,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_0042B27F IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00477095 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042E361 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042E3D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_0042E3A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00427A76 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00420F38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_004212D2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Orderpdf.exe	Code function: 0_2_00425E37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Orderpdf.exe

Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe protection: execute and read and write

Source: C:\Users\user\Desktop\Orderpdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 'C:\Users\user\Desktop\Orderpdf.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'

Source: MSBuild.exe, 00000001.00000003.434382108.00000000013BC000.00000004.00000001.sdmp	Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: MSBuild.exe, 00000001.00000003.308640440.00000000013BC000.00000004.00000001.sdmp	Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exet

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_00421128 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation

Source: C:\Users\user\Desktop\Orderpdf.exe

Code function: 0_2_004214BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Orderpdf.exe, 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orderpdf.exe.2120000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orderpdf.exe PID: 1268, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Scheduled Task/Job1	Process Injection112	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol22	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery23	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Orderpdf.exe	28%	Virustotal		Browse
Orderpdf.exe	22%	ReversingLabs	Win32.Trojan.NanoBot
Orderpdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
127.0.0.1	0%	Virustotal		Browse
127.0.0.1	0%	Avira URL Cloud	safe
sobe123.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sobe123.ddns.net	185.244.30.22	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
sobe123.ddns.net	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.30.22	sobe123.ddns.net	Netherlands		209623	DAVID_CRAIGGG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458217
Start date:	03.08.2021
Start time:	03:31:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Orderpdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/6@20/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 67% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 104.42.151.234, 20.50.102.62, 23.211.4.86, 80.67.82.211, 80.67.82.235, 40.112.88.60, 23.211.6.115 Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:32:00	API Interceptor	1064x Sleep call for process: MSBuild.exe modified
03:32:02	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.244.30.22	Permintaan Baru 0010.exe	Get hash	malicious	Browse
	Shipping document PL and BL0070,pdf.exe	Get hash	malicious	Browse
	Shipping document PL and BL0070,pdf.exe	Get hash	malicious	Browse
	Shipping document PL and BL0070,pdf.exe	Get hash	malicious	Browse
	AWB 686553534 L#U00f4 h#U00e0ng ,pdf.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	d1IaoX0mpm.exe	Get hash	malicious	Browse	185.140.53.6
	ORDER LIST.xlsx	Get hash	malicious	Browse	185.140.53.6
	8146Q5rN9g.exe	Get hash	malicious	Browse	91.193.75.162
	Scanned Documents 001.doc	Get hash	malicious	Browse	91.193.75.162
	Quotation Request August RFQ8012021.exe	Get hash	malicious	Browse	185.140.53.253
	NEW PO pdf.exe	Get hash	malicious	Browse	91.193.75.162
	Permintaan Baru 0010.exe	Get hash	malicious	Browse	185.244.30.22
	5yvgVnT8wz.exe	Get hash	malicious	Browse	185.244.30.23
	LxYbtlP5nB.exe	Get hash	malicious	Browse	185.244.30.23
	eInFMnZWWV.exe	Get hash	malicious	Browse	185.244.30.143
	Purchase order FOD-0056-2021-D.exe	Get hash	malicious	Browse	91.193.75.162
	ARRIVAL NOTICE FOR NEW ORDER190009.exe	Get hash	malicious	Browse	185.140.53.142
	Quotation RequestQR28072021.exe	Get hash	malicious	Browse	185.140.53.253
	Spare Parts Requisition-003,004.exe	Get hash	malicious	Browse	185.244.30.238
	Order List.exe	Get hash	malicious	Browse	91.193.75.228
	Quote 992002892.doc	Get hash	malicious	Browse	185.244.30.238
	4FNiWwUTLR.exe	Get hash	malicious	Browse	185.244.30.238
	PMA21-110.exe	Get hash	malicious	Browse	91.193.75.228
	PEDIDO DE COMPRA ASHCROFT - 41901E-001,pdf.exe	Get hash	malicious	Browse	185.140.53.11
	Quotation.exe	Get hash	malicious	Browse	185.244.30.53

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	325
Entropy (8bit):	5.334380084018418
Encrypted:	false
SSDEEP:	6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
MD5:	65CE98936A67552310EFE2F0FF5BDF88
SHA1:	8133653A6B9A169C7496ADE315CED322CFC3613A
SHA-256:	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
SHA-512:	2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp86BE.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.136963558289723
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
MD5:	AE766004C0D8792953BAFFFE8F6A2E3B
SHA1:	14B12F27543A401E2FE0AF8052E116CAB0032426
SHA-256:	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
SHA-512:	E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2320
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	2CC2E05CB39A76B255530F61BA4AA2E3
SHA1:	76BD6001B1922B2B3FB2F618740FA74A6C532A7F
SHA-256:	FBF89196FF1A9FC33EE6C42DC0A959DAA89E2322F3417C77534C9968C0885271
SHA-512:	2EACD3A81456781803A9C14F7471DBBDB126BBE7AEC3105B1A49AB115A8BB831EA0D1DF48BAB00EB8231B114EAE5A03DF73A7A60B45BA03CB2F92382CF4DBB38
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:6vtn:6vt
MD5:	604254C4E0DED10AC094C2AEFF16A952
SHA1:	D0CCCC461EE99F9C1D7DE9045FEBE2BB8753597C
SHA-256:	9C14AE70F96EB4C5BCCADA9E26DE13EB95ED53E08D10F2283F51049A3381E5E9
SHA-512:	14229C84CA48525291DE039DC041A053ABAEBCFA17E7A351A36CC8BF06971A2A4CBC77DB5E4B019918961F2790AD4C63946A26A5240066924C06539C9CAD6394
Malicious:	true
Reputation:	low
Preview:	....iV.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.85263908467479
Encrypted:	false
SSDEEP:	3:oMty8WbSI1u:oMLWuI1u
MD5:	A35128E4E28B27328F70E4E8FF482443
SHA1:	B89066B2F8DB34299AABFD7ABEE402D5444DD079
SHA-256:	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
SHA-512:	F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

\Device\ConDrv Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	235
Entropy (8bit):	5.107306146099542
Encrypted:	false
SSDEEP:	6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFPRAgRYan:zK1XnV30ZsGMIG9BFRbQ5AUYan
MD5:	67DDD8252A246E7B14649B0063E351C0
SHA1:	AAE1C6839D1CC4A626D0FB2D4773823AD209FA17
SHA-256:	24C8283BA3F7FCA2E4CEF6F141263DD1E8A36E5A5CD96A97BFE83525D7663116
SHA-512:	326A5E0A440F60D4808C91499F1F3616C496B67DC053B4A2A40B0FE09002074AE5365018781F8746E98E7E3CFCD35F1310D17FB7C2138A8157318E6791987025
Malicious:	false
Preview:	Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1009: Project file does not exist...Switch: 0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.186849273906373
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Orderpdf.exe
File size:	869938
MD5:	2849c98c8d071260b2618beacf873a98
SHA1:	2431f573d98aaaaa1752b73c4a5f53e8b4660e50
SHA256:	959536bfd1cf19758dde804eaf7e1d38585b573ccf4dc327898979f29cac33a8
SHA512:	0e84db59a75e6010953f247e74716996f7c652d7b9a541dd3407aa5284958c17c7cb3750d638240410feaea4804fe5d700fc4303eb0f18a5b96ef1833553efab
SSDEEP:	12288:f1Wl8T5UM63xjmelf+6QY+IffW3TLueA0b:fA2adx06QYffaLNb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;$G..E)].E)].E)]k.\kE)]k.,\.E)]k.-\eE)]D.\kE)]D.,\DE)]D.-\]E)]k.(\vE)].E(].E)]..,\vE)]...]~E)].E.]~E)]..+\~E)]Rich.E)].......

File Icon


Icon Hash:	00ecf0f0e8ecf400

Static PE Info

General
Entrypoint:	0x420e4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x61087E6E [Mon Aug 2 23:23:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	49be0836dac021f86af2cb207b4613c8

Entrypoint Preview

Instruction
call 00007F1ED0C53BF2h
jmp 00007F1ED0C53413h
jmp dword ptr [0043617Ch]
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00477304h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F1ED0C52DCFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F1ED0C52DB9h
int3
int3
int3
int3
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007F1ED0C5359Ah
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007F1ED0C535C3h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F1ED0C53576h
div ebx
mov esi, eax
mul dword ptr [eax+eax+00h]

Rich Headers

Programming Language:

[C++] VS2015 UPD3.1 build 24215
[LNK] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7602c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7b000	0x294e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x74950	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x749e4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x74988	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x34912	0x34a00	False	0.446050141033	data	6.54583953865	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0x408b6	0x40a00	False	0.257729388298	data	4.10647165512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x77000	0x1e08	0x1000	False	0.296630859375	DOS executable (COM)	3.39752271911	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x79000	0x150	0x200	False	0.33203125	data	1.72024643613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x7a000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7b000	0x294e0	0x29600	False	0.0884688916163	data	3.29281992913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x7b270	0x18a7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x7cb18	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x8d340	0x94a8	data	English	United States
RT_ICON	0x967e8	0x5488	data	English	United States
RT_ICON	0x9bc70	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x9fe98	0x25a8	data	English	United States
RT_ICON	0xa2440	0x10a8	data	English	United States
RT_ICON	0xa34e8	0x988	data	English	United States
RT_ICON	0xa3e70	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0xa42d8	0x84	data	English	United States
RT_MANIFEST	0xa4360	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	OutputDebugStringW, FormatMessageW, VirtualProtect, HeapSize, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, GetFileSizeEx, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetProcessHeap, WriteFile, ExitProcess, HeapReAlloc, HeapFree, HeapAlloc, WriteConsoleW, GetModuleHandleExW, GetModuleFileNameW, GetFileType, GetStdHandle, LoadLibraryExW, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, LCMapStringW, GetCPInfo, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RaiseException, RtlUnwind, GetLastError, FreeLibrary, CreateFileW
USER32.dll	GrayStringA, GetDC, TranslateMessage, DispatchMessageW, PeekMessageW, DefWindowProcW, PostQuitMessage, UnregisterClassW, RegisterClassExW, CreateWindowExW, ShowWindow, SetCapture, ReleaseCapture, LoadImageW, LoadCursorW, SetWindowLongW, GetWindowLongW, AdjustWindowRect, UpdateWindow
d3d11.dll	D3D11CreateDeviceAndSwapChain
gdiplus.dll	GdiplusStartup, GdiplusShutdown

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-03:32:01.658714	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:07.884442	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49714	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:13.096068	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:20.053138	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:26.158381	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49729	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:35.527911	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49731	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:41.635368	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49732	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:48.089965	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49733	5656	192.168.2.3	185.244.30.22
08/03/21-03:32:56.068267	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:02.446681	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:08.692026	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:14.889582	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:21.077319	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:27.201337	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:33.527958	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49753	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:40.158463	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49755	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:46.612650	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:52.859023	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	5656	192.168.2.3	185.244.30.22
08/03/21-03:33:58.969834	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	5656	192.168.2.3	185.244.30.22
08/03/21-03:34:04.972456	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	5656	192.168.2.3	185.244.30.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 03:31:50.874691963 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.874774933 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.885886908 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.885925055 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.885943890 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886004925 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886028051 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886061907 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886090040 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886113882 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886183977 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.886212111 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886234045 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.886255980 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.886271000 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.886349916 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.886447906 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897280931 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897326946 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897356033 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897380114 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897404909 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897403955 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897429943 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897454023 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897476912 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897479057 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897502899 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897507906 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897562981 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897584915 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897603035 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897629023 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897701979 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897726059 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897751093 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897773981 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897841930 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897852898 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897878885 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.897885084 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897898912 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897911072 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.897948027 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.898009062 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.898014069 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.898037910 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.898072004 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.898145914 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.898173094 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.898211956 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910824060 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910860062 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910883904 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910901070 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910926104 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910949945 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910974979 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.910998106 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911031961 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911061049 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911083937 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911108017 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911204100 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911231995 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911259890 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911284924 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911309004 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911343098 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911372900 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911396980 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911422014 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911447048 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911480904 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.911484003 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911509037 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911534071 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911566973 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911567926 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:50.911597013 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911621094 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911645889 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911672115 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911694050 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911719084 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911744118 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911777973 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911806107 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911828995 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.911854982 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.966413021 CEST	443	49696	204.79.197.200	192.168.2.3
Aug 3, 2021 03:31:50.966567993 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.852992058 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853085995 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853144884 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853187084 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853225946 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853252888 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853267908 CEST	49696	443	192.168.2.3	204.79.197.200
Aug 3, 2021 03:31:55.853293896 CEST	49696	443	192.168.2.3	204.79.197.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 03:31:49.568717957 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:31:49.604372978 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 03:31:50.238764048 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:31:50.264038086 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 03:31:59.450725079 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:31:59.484168053 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:01.459546089 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:01.494106054 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:01.928421021 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:01.953347921 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:02.915808916 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:02.949610949 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:04.053642035 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:04.078742981 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:04.755917072 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:04.780930042 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:05.873358965 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:05.899503946 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:06.560197115 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:06.595525980 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:07.284277916 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:07.311912060 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:07.727443933 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:07.762829065 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:07.975522041 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:08.012305975 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:08.970345974 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:08.999629021 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:10.023586035 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:10.048660040 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:10.744406939 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:10.771956921 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:11.706285000 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:11.734200954 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:12.893038988 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:12.928888083 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:13.963527918 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:13.995934963 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:15.629363060 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:15.653919935 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:17.219129086 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:17.254772902 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:19.907943010 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:19.943284988 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:26.012536049 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:26.048392057 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:27.197000980 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:27.233195066 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:32.371571064 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:32.403898954 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:41.492619038 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:41.526473045 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:47.952207088 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:47.976875067 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:51.863406897 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:51.905147076 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:53.899343967 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:53.936256886 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 03:32:55.367870092 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:32:55.394695997 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:02.150737047 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:02.184956074 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:08.559366941 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:08.584351063 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:14.747713089 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:14.780982971 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:20.908586025 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:20.944596052 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:26.054903030 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:26.088956118 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:27.059242964 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:27.093126059 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:32.376171112 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:32.417201996 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:33.107549906 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:33.143085957 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:33.388942957 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:33.421489954 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:39.841692924 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:39.878473043 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:46.470058918 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:46.502367020 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:52.714616060 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:52.748580933 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 3, 2021 03:33:58.801398039 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:33:58.836028099 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 3, 2021 03:34:04.816489935 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 03:34:04.851423025 CEST	53	58306	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 03:32:01.459546089 CEST	192.168.2.3	8.8.8.8	0xae9c	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:07.727443933 CEST	192.168.2.3	8.8.8.8	0x275a	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:12.893038988 CEST	192.168.2.3	8.8.8.8	0x328c	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:19.907943010 CEST	192.168.2.3	8.8.8.8	0x17e8	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:26.012536049 CEST	192.168.2.3	8.8.8.8	0xd834	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:32.371571064 CEST	192.168.2.3	8.8.8.8	0xa93a	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:41.492619038 CEST	192.168.2.3	8.8.8.8	0x37d6	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:47.952207088 CEST	192.168.2.3	8.8.8.8	0x6a52	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:55.367870092 CEST	192.168.2.3	8.8.8.8	0x3950	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:02.150737047 CEST	192.168.2.3	8.8.8.8	0xae82	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:08.559366941 CEST	192.168.2.3	8.8.8.8	0x8027	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:14.747713089 CEST	192.168.2.3	8.8.8.8	0xae74	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:20.908586025 CEST	192.168.2.3	8.8.8.8	0x8775	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:27.059242964 CEST	192.168.2.3	8.8.8.8	0x79c9	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:33.388942957 CEST	192.168.2.3	8.8.8.8	0x39f4	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:39.841692924 CEST	192.168.2.3	8.8.8.8	0xdd75	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:46.470058918 CEST	192.168.2.3	8.8.8.8	0xf814	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:52.714616060 CEST	192.168.2.3	8.8.8.8	0xb9c8	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:58.801398039 CEST	192.168.2.3	8.8.8.8	0xa220	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)
Aug 3, 2021 03:34:04.816489935 CEST	192.168.2.3	8.8.8.8	0xfaa0	Standard query (0)	sobe123.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 03:32:01.494106054 CEST	8.8.8.8	192.168.2.3	0xae9c	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:07.762829065 CEST	8.8.8.8	192.168.2.3	0x275a	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:12.928888083 CEST	8.8.8.8	192.168.2.3	0x328c	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:19.943284988 CEST	8.8.8.8	192.168.2.3	0x17e8	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:26.048392057 CEST	8.8.8.8	192.168.2.3	0xd834	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:32.403898954 CEST	8.8.8.8	192.168.2.3	0xa93a	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:41.526473045 CEST	8.8.8.8	192.168.2.3	0x37d6	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:47.976875067 CEST	8.8.8.8	192.168.2.3	0x6a52	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:32:55.394695997 CEST	8.8.8.8	192.168.2.3	0x3950	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:02.184956074 CEST	8.8.8.8	192.168.2.3	0xae82	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:08.584351063 CEST	8.8.8.8	192.168.2.3	0x8027	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:14.780982971 CEST	8.8.8.8	192.168.2.3	0xae74	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:20.944596052 CEST	8.8.8.8	192.168.2.3	0x8775	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:27.093126059 CEST	8.8.8.8	192.168.2.3	0x79c9	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:33.421489954 CEST	8.8.8.8	192.168.2.3	0x39f4	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:39.878473043 CEST	8.8.8.8	192.168.2.3	0xdd75	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:46.502367020 CEST	8.8.8.8	192.168.2.3	0xf814	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:52.748580933 CEST	8.8.8.8	192.168.2.3	0xb9c8	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:33:58.836028099 CEST	8.8.8.8	192.168.2.3	0xa220	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)
Aug 3, 2021 03:34:04.851423025 CEST	8.8.8.8	192.168.2.3	0xfaa0	No error (0)	sobe123.ddns.net	185.244.30.22	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Orderpdf.exe PID: 1268 Parent PID: 5648

General

Start time:	03:31:57
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\Orderpdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Orderpdf.exe'
Imagebase:	0x400000
File size:	869938 bytes
MD5 hash:	2849C98C8D071260B2618BEACF873A98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.205053043.0000000002120000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: MSBuild.exe PID: 5876 Parent PID: 1268

General

Start time:	03:31:57
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Orderpdf.exe'
Imagebase:	0xd90000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: schtasks.exe PID: 4436 Parent PID: 5876

General

Start time:	03:31:59
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp86BE.tmp'
Imagebase:	0x1240000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 1636 Parent PID: 4436

General

Start time:	03:32:00
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSBuild.exe PID: 6004 Parent PID: 528

General

Start time:	03:32:02
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Imagebase:	0x6d0000
File size:	69632 bytes
MD5 hash:	88BBB7610152B48C2B3879473B17857E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: conhost.exe PID: 6076 Parent PID: 6004

General

Start time:	03:32:02
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Orderpdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts