Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SFNM#U007e12345HBV-09876567.exe

Overview

General Information

Sample Name:SFNM#U007e12345HBV-09876567.exe
Analysis ID:709714
MD5:54e31b7e289bea078ed769a046c3842e
SHA1:bf7d74cb34792b258f46e29221c4cbff57bb6979
SHA256:9cf831ec812b6928eb2fe0c9625da78e8f294d6a5b255ddf894bbbe5b3f7698a
Infos:

Detection

Nanocore, DarkTortilla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • SFNM#U007e12345HBV-09876567.exe (PID: 588 cmdline: "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" MD5: 54E31B7E289BEA078ED769A046C3842E)
    • cmd.exe (PID: 5960 cmdline: cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6068 cmdline: ping 127.0.0.1 -n 38 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 2708 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "CHRIST,MARICERTYK" /t REG_SZ /d "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 1888 cmdline: cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\user\Desktop\SFNM#U007e12345HBV-09876567.exe" "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\user\Favorites\SFNM~12345HBV-09876567.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 4768 cmdline: ping 127.0.0.1 -n 41 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 920 cmdline: ping 127.0.0.1 -n 41 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2c83c052-5c8c-4da8-8e82-9c1bb5be", "Group": "9812", "Domain1": "9812.hopto.org", "Domain2": "91.193.75.133", "Port": 9812, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.420676515.0000000002643000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x43e7f:$x1: NanoCore.ClientPluginHost
    • 0x76c6f:$x1: NanoCore.ClientPluginHost
    • 0xa9a4f:$x1: NanoCore.ClientPluginHost
    • 0x43ebc:$x2: IClientNetworkHost
    • 0x76cac:$x2: IClientNetworkHost
    • 0xa9a8c:$x2: IClientNetworkHost
    • 0x479ef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x7a7df:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0xad5bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
      00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        00000000.00000002.425643462.00000000036FB000.00000004.00000800.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0x43be7:$a: NanoCore
        • 0x43bf7:$a: NanoCore
        • 0x43e2b:$a: NanoCore
        • 0x43e3f:$a: NanoCore
        • 0x43e7f:$a: NanoCore
        • 0x769d7:$a: NanoCore
        • 0x769e7:$a: NanoCore
        • 0x76c1b:$a: NanoCore
        • 0x76c2f:$a: NanoCore
        • 0x76c6f:$a: NanoCore
        • 0xa97b7:$a: NanoCore
        • 0xa97c7:$a: NanoCore
        • 0xa99fb:$a: NanoCore
        • 0xa9a0f:$a: NanoCore
        • 0xa9a4f:$a: NanoCore
        • 0x43c46:$b: ClientPlugin
        • 0x43e48:$b: ClientPlugin
        • 0x43e88:$b: ClientPlugin
        • 0x76a36:$b: ClientPlugin
        • 0x76c38:$b: ClientPlugin
        • 0x76c78:$b: ClientPlugin
        Click to see the 12 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe105:$x1: NanoCore Client.exe
        • 0xe38d:$x2: NanoCore.ClientPluginHost
        • 0xf9c6:$s1: PluginCommand
        • 0xf9ba:$s2: FileCommand
        • 0x1086b:$s3: PipeExists
        • 0x16622:$s4: PipeCreated
        • 0xe3b7:$s5: IClientLoggingHost
        0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
          0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
            0.2.SFNM#U007e12345HBV-09876567.exe.372ecf2.3.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
            • 0xe0f5:$x1: NanoCore Client
            • 0xe105:$x1: NanoCore Client
            • 0xe34d:$x2: NanoCore.ClientPlugin
            • 0xe38d:$x3: NanoCore.ClientPluginHost
            • 0xe342:$i1: IClientApp
            • 0xe363:$i2: IClientData
            • 0xe36f:$i3: IClientNetwork
            • 0xe37e:$i4: IClientAppHost
            • 0xe3a7:$i5: IClientDataHost
            • 0xe3b7:$i6: IClientLoggingHost
            • 0xe3ca:$i7: IClientNetworkHost
            • 0xe3dd:$i8: IClientUIHost
            • 0xe3eb:$i9: IClientNameObjectCollection
            • 0xe407:$i10: IClientReadOnlyNameObjectCollection
            • 0xe154:$s1: ClientPlugin
            • 0xe356:$s1: ClientPlugin
            • 0xe84a:$s2: EndPoint
            • 0xe853:$s3: IPAddress
            • 0xe85d:$s4: IPEndPoint
            • 0x10293:$s6: get_ClientSettings
            • 0x10837:$s7: get_Connected