Analysis Report · CAPE Sandbox

Analysis Details

Category	Package	Started	Completed	Duration	Logs
FILE	dll	2026-04-16 22:31:31	2026-04-16 22:36:15	284s
Reports	JSON

Analysis Log

2026-03-05 20:34:37,991 [root] INFO: Date set to: 20260416T22:32:03, timeout set to: 200
2026-04-16 22:32:03,149 [root] DEBUG: Starting analyzer from: C:\vdyc7mjt
2026-04-16 22:32:03,212 [root] DEBUG: Storing results at: C:\YGRKNQf
2026-04-16 22:32:03,228 [root] DEBUG: Pipe server name: \\.\PIPE\uCFsTXY
2026-04-16 22:32:03,243 [root] DEBUG: Python path: C:\Python310
2026-04-16 22:32:03,259 [root] INFO: analysis running as an admin
2026-04-16 22:32:03,290 [root] INFO: analysis package specified: "dll"
2026-04-16 22:32:03,306 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2026-04-16 22:32:03,306 [root] DEBUG: imported analysis package "dll"
2026-04-16 22:32:03,321 [root] DEBUG: initializing analysis package "dll"...
2026-04-16 22:32:03,321 [lib.common.common] INFO: wrapping
2026-04-16 22:32:03,493 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-16 22:32:03,588 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll
2026-04-16 22:32:03,634 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2026-04-16 22:32:03,665 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2026-04-16 22:32:03,665 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2026-04-16 22:32:03,681 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2026-04-16 22:32:03,728 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-04-16 22:32:03,837 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-04-16 22:32:03,931 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-04-16 22:32:04,056 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-04-16 22:32:04,165 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-16 22:32:04,306 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-16 22:32:04,353 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-16 22:32:05,728 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-04-16 22:32:05,728 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-04-16 22:32:05,744 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-04-16 22:32:05,744 [root] DEBUG: Initialized auxiliary module "Browser"
2026-04-16 22:32:05,744 [root] DEBUG: attempting to configure 'Browser' from data
2026-04-16 22:32:05,744 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-04-16 22:32:05,759 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-04-16 22:32:05,759 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-04-16 22:32:05,759 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-04-16 22:32:05,759 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-04-16 22:32:05,759 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-04-16 22:32:05,759 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-04-16 22:32:05,775 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-04-16 22:32:07,228 [modules.auxiliary.digisig] DEBUG: File is not signed
2026-04-16 22:32:07,228 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-04-16 22:32:07,228 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-04-16 22:32:07,228 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-04-16 22:32:07,228 [root] DEBUG: attempting to configure 'Disguise' from data
2026-04-16 22:32:07,228 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-04-16 22:32:07,228 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-04-16 22:32:07,275 [modules.auxiliary.disguise] INFO: Disguising GUID to bb0fe90a-e37e-4dd8-8abe-f76c8e7d5d3b
2026-04-16 22:32:07,275 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-04-16 22:32:07,290 [root] DEBUG: Initialized auxiliary module "Human"
2026-04-16 22:32:07,290 [root] DEBUG: attempting to configure 'Human' from data
2026-04-16 22:32:07,290 [root] DEBUG: module Human does not support data configuration, ignoring
2026-04-16 22:32:07,290 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-04-16 22:32:07,322 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-04-16 22:32:07,322 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-04-16 22:32:07,322 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-04-16 22:32:07,322 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-04-16 22:32:07,322 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-04-16 22:32:07,353 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-04-16 22:32:07,493 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-04-16 22:32:07,493 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-04-16 22:32:32,853 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-04-16 22:32:33,149 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-04-16 22:32:33,165 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644
2026-04-16 22:32:33,493 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\vdyc7mjt\dll\644.ini
2026-04-16 22:32:33,509 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-16 22:32:33,587 [lib.api.process] INFO: 64-bit DLL to inject is C:\vdyc7mjt\dll\RXAYAOA.dll, loader C:\vdyc7mjt\bin\HApEBtjt.exe
2026-04-16 22:32:33,884 [root] DEBUG: Loader: Injecting process 644 with C:\vdyc7mjt\dll\RXAYAOA.dll.
2026-04-16 22:32:35,009 [root] DEBUG: 644: Python path set to 'C:\Python310'.
2026-04-16 22:32:35,196 [root] DEBUG: 644: Disabling sleep skipping.
2026-04-16 22:32:35,228 [root] DEBUG: 644: TLS secret dump mode enabled.
2026-04-16 22:32:35,368 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500
2026-04-16 22:32:35,384 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABC40000, thread 5020, image base 0x00007FF7C23E0000, stack from 0x0000008E4CCF2000-0x0000008E4CD00000
2026-04-16 22:32:35,399 [root] DEBUG: 644: Commandline: C:\Windows\system32\lsass.exe
2026-04-16 22:32:35,462 [root] DEBUG: 644: Hooked 5 out of 5 functions
2026-04-16 22:32:35,462 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\YGRKNQf\tlsdump\tlsdump.log
2026-04-16 22:32:35,478 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-16 22:32:35,493 [root] DEBUG: Successfully injected DLL C:\vdyc7mjt\dll\RXAYAOA.dll.
2026-04-16 22:32:35,493 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>
2026-04-16 22:32:35,493 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-04-16 22:32:41,415 [root] INFO: Restarting WMI Service
2026-04-16 22:32:41,525 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2026-04-16 22:32:41,525 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2026-04-16 22:32:41,540 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-04-16 22:32:41,634 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll",#1" with pid 6020
2026-04-16 22:32:41,634 [lib.api.process] INFO: Monitor config for <Process 6020 rundll32.exe>: C:\vdyc7mjt\dll\6020.ini
2026-04-16 22:32:41,649 [lib.api.process] INFO: 32-bit DLL to inject is C:\vdyc7mjt\dll\uhvbxn.dll, loader C:\vdyc7mjt\bin\gpQBarl.exe
2026-04-16 22:32:41,759 [root] DEBUG: Loader: Injecting process 6020 (thread 5812) with C:\vdyc7mjt\dll\uhvbxn.dll.
2026-04-16 22:32:41,806 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-16 22:32:41,822 [root] DEBUG: Successfully injected DLL C:\vdyc7mjt\dll\uhvbxn.dll.
2026-04-16 22:32:41,822 [lib.api.process] INFO: Injected into 32-bit <Process 6020 rundll32.exe>
2026-04-16 22:32:43,837 [lib.api.process] INFO: Successfully resumed <Process 6020 rundll32.exe>
2026-04-16 22:32:44,369 [root] DEBUG: 6020: Python path set to 'C:\Python310'.
2026-04-16 22:32:44,415 [root] DEBUG: 6020: Disabling sleep skipping.
2026-04-16 22:32:44,415 [root] DEBUG: 6020: Dropped file limit defaulting to 100.
2026-04-16 22:32:44,462 [root] DEBUG: 6020: YaraInit: Compiled 44 rule files
2026-04-16 22:32:44,462 [root] DEBUG: 6020: YaraInit: Compiled rules saved to file C:\vdyc7mjt\data\yara\capemon.yac
2026-04-16 22:32:44,478 [root] DEBUG: 6020: YaraScan: Scanning 0x00040000, size 0x136e8
2026-04-16 22:32:44,478 [root] DEBUG: 6020: Monitor initialised: 32-bit capemon loaded in process 6020 at 0x73bc0000, thread 5812, image base 0x40000, stack from 0x2172000-0x2180000
2026-04-16 22:32:44,478 [root] DEBUG: 6020: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll",#1
2026-04-16 22:32:44,743 [root] DEBUG: 6020: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress
2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 0x73F522A0 (AcLayers.DLL::0xfd4a22a0)
2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73F524E0 (AcLayers.DLL::0xfd4a24e0)
2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73F527A0 (AcLayers.DLL::0xfd4a27a0)
2026-04-16 22:32:44,853 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-16 22:32:44,853 [root] DEBUG: 6020: set_hooks: Unable to hook GetCommandLineA
2026-04-16 22:32:44,868 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-16 22:32:44,868 [root] DEBUG: 6020: set_hooks: Unable to hook GetCommandLineW
2026-04-16 22:32:44,962 [root] DEBUG: 6020: Hooked 630 out of 632 functions
2026-04-16 22:32:44,962 [root] DEBUG: 6020: Syscall hook installed, syscall logging level 1
2026-04-16 22:32:44,978 [root] DEBUG: 6020: RestoreHeaders: Restored original import table.
2026-04-16 22:32:44,978 [root] INFO: Loaded monitor into process with pid 6020
2026-04-16 22:32:44,993 [root] DEBUG: 6020: caller_dispatch: Added region at 0x00040000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00045F1A, thread 5812).
2026-04-16 22:32:44,993 [root] DEBUG: 6020: YaraScan: Scanning 0x00040000, size 0x136e8
2026-04-16 22:32:44,993 [root] DEBUG: 6020: ProcessImageBase: Main module image at 0x00040000 unmodified (entropy change 0.000000e+00)
2026-04-16 22:32:45,134 [root] DEBUG: 6020: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 5812).
2026-04-16 22:32:45,134 [root] DEBUG: 6020: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-04-16 22:32:45,134 [root] DEBUG: 6020: Target DLL loaded at 0x04050000: C:\Users\cape\AppData\Local\Temp\ClientPlugin (0xa000 bytes).
2026-04-16 22:32:45,150 [root] DEBUG: 6020: YaraScan: Scanning 0x04050000, size 0x1f0
2026-04-16 22:32:45,275 [root] DEBUG: 6020: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5812).
2026-04-16 22:32:45,290 [root] DEBUG: 6020: ProcessTrackedRegion: Region at 0x77150000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-04-16 22:32:45,353 [root] DEBUG: 6020: DLL loaded at 0x73B20000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes).
2026-04-16 22:32:45,556 [root] DEBUG: 6020: DLL loaded at 0x745D0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-04-16 22:32:45,681 [root] DEBUG: 6020: DLL loaded at 0x76BA0000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2026-04-16 22:32:45,728 [root] DEBUG: 6020: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-04-16 22:32:45,728 [root] DEBUG: 6020: DLL loaded at 0x75250000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-04-16 22:32:45,728 [root] DEBUG: 6020: DLL loaded at 0x76D80000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-04-16 22:32:45,868 [root] DEBUG: 6020: DLL loaded at 0x73710000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73740000: C:\Windows\System32\CoreMessaging (0x9b000 bytes).
2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73630000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x737E0000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes).
2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73A60000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2026-04-16 22:36:04,857 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-16 22:36:04,857 [lib.api.process] INFO: Terminate event set for <Process 6020 rundll32.exe>
2026-04-16 22:36:04,857 [root] DEBUG: 6020: Terminate Event: Attempting to dump process 6020
2026-04-16 22:36:04,873 [root] DEBUG: 6020: VerifyCodeSection: Executable code does not match, 0x18f2 of 0x18f3 matching
2026-04-16 22:36:04,888 [root] DEBUG: 6020: DoProcessDump: Code modification detected, dumping Imagebase at 0x04050000.
2026-04-16 22:36:04,888 [root] DEBUG: 6020: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-04-16 22:36:04,888 [root] DEBUG: 6020: DumpProcess: Instantiating PeParser with address: 0x04050000.
2026-04-16 22:36:04,904 [root] DEBUG: 6020: DumpProcess: Module entry point VA is 0x040538EE.
2026-04-16 22:36:04,904 [root] DEBUG: 6020: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x04054000, section 2
2026-04-16 22:36:04,920 [root] DEBUG: 6020: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x04058000, section 3
2026-04-16 22:36:04,982 [lib.common.results] INFO: Uploading file C:\YGRKNQf\CAPE\6020_377204361916442026 to procdump\9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3; Size is 7680; Max size: 100000000
2026-04-16 22:36:04,982 [root] DEBUG: 6020: DumpProcess: Module image dump success - dump size 0x1e00.
2026-04-16 22:36:04,998 [lib.api.process] INFO: Termination confirmed for <Process 6020 rundll32.exe>
2026-04-16 22:36:05,013 [root] INFO: Terminate event set for process 6020
2026-04-16 22:36:05,013 [root] INFO: Created shutdown mutex
2026-04-16 22:36:05,013 [root] DEBUG: 6020: Terminate Event: monitor shutdown complete for process 6020
2026-04-16 22:36:06,029 [root] INFO: Shutting down package
2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary modules
2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary module: Browser
2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary module: Human
2026-04-16 22:36:09,138 [root] INFO: Stopping auxiliary module: Screenshots
2026-04-16 22:36:09,919 [root] INFO: Finishing auxiliary modules
2026-04-16 22:36:09,919 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-16 22:36:09,919 [root] WARNING: Folder at path "C:\YGRKNQf\debugger" does not exist, skipping
2026-04-16 22:36:09,919 [root] INFO: Uploading files at path "C:\YGRKNQf\tlsdump"
2026-04-16 22:36:09,919 [lib.common.results] INFO: Uploading file C:\YGRKNQf\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 19728; Max size: 100000000
2026-04-16 22:36:09,935 [root] INFO: Analysis completed

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On
win10x64	win10x64	KVM	2026-04-16 22:31:31	2026-04-16 22:36:15

File Details

Show Parent File

Parent File Info

File Information

File Name	f9cef6944196d5d27ca99a9c6287d9718b658add797e9cb770789a0c4dbf2bcd
File Size	13850813 bytes
MD5	a17189d956c6d1975717256a6e6418cb
SHA1	970e16de1d07a90dd285e84b59c0a77e8992ed9f
SHA256	f9cef6944196d5d27ca99a9c6287d9718b658add797e9cb770789a0c4dbf2bcd VT MWDB Bazaar
CRC32	97AFA081
Ssdeep	None

Tools: Gen Strings Gen BinGraph

File Information

File Name	ClientPlugin.dll
File Type	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File Size	19968 bytes
MD5	bdc8945f1d799c845408522e372d1dbd
SHA1	874b7c3c97cc5b13b9dd172fec5a54bc1f258005
SHA256	61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403 VT MWDB Bazaar
SHA3-384	34e76812c5bbcc4e39114f9560b049a9e8ac0f74800b55f33641134edf5dfb32ff8a420a55be3ca4c294e8d1f69db255
CRC32	BE3B83AB
TLSH	T1CA924D1362CE7DE6E5B916303B3387C1C72DDE041653DA2E16D87629E97E2833A523D8
Ssdeep	192:VYLQui6h6p5WW3tZVTnlYJL/eLYLTr2/C8:VYLQu/6/fKqLYLTR
Yara	DITEKSHEN_MALWARE_Win_Nanocore - Detects NanoCore (ditekSHen) Windows_Trojan_Nanocore_d8c4e3c5 - (Elastic Security) Nanocore_RAT_Gen_2 - Detetcs the Nanocore RAT (Florian Roth) NETDLLMicrosoft - (malware-lu) IsPE32 - IsNET_DLL - IsDLL - IsWindowsGUI - Microsoft_Visual_Studio_NET - Microsoft_Visual_C_v70_Basic_NET_additional - Microsoft_Visual_C_Basic_NET - Microsoft_Visual_Studio_NET_additional - Microsoft_Visual_C_v70_Basic_NET - NET_executable_ - NET_executable -

Tools: PE Strings Gen BinGraph

Strings

System.CodeDom.Compiler
get_ClientSettings
RestoreProtection
mscoree.dll
EntryExists
params
Assembly Version
ClientPlugin.dll
SendToServer
RebuildHostCache
m_Context
KeyValuePair`2
GetObjectValue
set_Value
TargetMethod
My.Application
1.2.0.0
NanoCore.My
IDATx
Microsoft.VisualBasic.CompilerServices
InternalName
message
System
#Blob
_CorDllMain
System.Diagnostics
MulticastDelegate
ClientPlugin
ComVisibleAttribute
MyApplication
IClientNameObjectCollection
MyGroupCollectionAttribute
EditorBrowsableAttribute
pipeName
AddHostEntry
ParamArrayAttribute
MyComputer
BeginInvoke
.ctor
MyProject
compress
ThreadSafeObjectProvider`1
LogClientException
ConnectionStateChanged
DebuggerHiddenAttribute
System.ComponentModel
ToString
DelegateCallback
instance
wwwwwwwwwwwwww
VarFileInfo
LegalCopyright
My.Computer
get_Connected
GetEntries
AsyncCallback
MyTemplate
m_AppObjectProvider
Restart
System.Runtime.CompilerServices
<Module>
GetInstance
Uninstall
get_GetInstance
Equals
IAsyncResult
wwwwww
ClientSettingChanged
EndInvoke
My.User
FileVersion
ClientInvokeDelegate
ContextValue`1
SetValue
IClientNetwork
get_WebServices
PipeCreated
`.rsrc
.text
AssemblyFileVersionAttribute
WebServices
Invoke
StringFileInfo
LogClientMessage
GuidAttribute
NanoCore
AssemblyTrademarkAttribute
DelegateAsyncState
v2.0.50727
ProductVersion
#Strings
System.Collections.Generic
System.ComponentModel.Design
Microsoft.VisualBasic
AssemblyProductAttribute
ClientSettings
FileDescription
@.reloc
ConnectionFailed
IClientUIHost
$d6e3c4d8-8560-4021-a765-fad7362f3388
VariableChanged
MyWebServices
!This program cannot be run in DOS mode.
ClosePipe
My.WebServices
Variables
IClientLoggingHost
GetHashCode
IClientNetworkHost
TargetObject
AssemblyCompanyAttribute
BuildingHostCache
GetValue
m_UserObjectProvider
Connected
IClientApp
RuntimeCompatibilityAttribute
Dispose__Instance__
8.0.0.0
CompilationRelaxationsAttribute
get_Application
IClientData
Activator
000004b0
PipeExists
state
PluginUninstalling
Application
Translation
mscorlib
OriginalFilename
RuntimeHelpers
RemoveValue
IClientReadOnlyNameObjectCollection
get_User
CreateInstance
IClientAppHost
HideModuleNameAttribute
connected
ReadPacket
System.Runtime.InteropServices
value
VS_VERSION_INFO
HelpKeywordAttribute
get_Variables
Create__Instance__
Computer
Disconnect
Exception
AssemblyTitleAttribute
defaultValue
ApplicationBase
#GUID
ClientUninstalling
AssemblyDescriptionAttribute
NanoCore.ClientPlugin
IClientDataHost
Object
get_BuilderSettings
method
System.Reflection
AssemblyCopyrightAttribute
DisableProtection
get_Value
Microsoft.VisualBasic.Devices
4System.Web.Services.Protocols.SoapHttpClientProtocol
m_MyWebServicesObjectProvider
m_ComputerObjectProvider
BuilderSettings
GeneratedCodeAttribute
NanoCore.ClientPluginHost
Shutdown
DelegateAsyncResult
RuntimeTypeHandle
WrapNonExceptionThrows
get_Computer
.cctor
GetType
StandardModuleAttribute
GetTypeFromHandle
PipeClosed
EditorBrowsableState
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.MyServices.Internal

PE Information

Image Base

0x00400000

Entry Point

0x000038ee

Min OS

4.0

Compile Time

2014-11-23 01:09:01

Import Hash

dae02f32a21e03ce65412f6e56942daa

Icon Hash

f66c7c86e9ab59ef3f289acd613a3738

Translation	0x0000 0x04b0
FileDescription
FileVersion	1.2.0.0
InternalName	ClientPlugin.dll
LegalCopyright
OriginalFilename	ClientPlugin.dll
ProductVersion	1.2.0.0
Assembly Version	1.2.0.0

Name	RAW Addr	Virt Addr	Virt Size	Raw Size	Characteristics	Entropy
.text	0x00000200	0x00002000	0x000018f4	0x00001a00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.26
.rsrc	0x00001c00	0x00004000	0x00002f58	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.31
.reloc	0x00004c00	0x00008000	0x0000000c	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	0.08

Name	Offset	Size	Language	Entropy	Type
RT_ICON	0x00004468	0x000002e8	LANG_NEUTRAL	1.71	None
RT_ICON	0x00004750	0x00000128	LANG_NEUTRAL	2.08	None
RT_ICON	0x00004878	0x000008a8	LANG_NEUTRAL	1.72	None
RT_ICON	0x00005120	0x00000568	LANG_NEUTRAL	1.05	None
RT_ICON	0x00005688	0x00000353	LANG_NEUTRAL	4.05	None
RT_ICON	0x000059e0	0x000010a8	LANG_NEUTRAL	2.72	None
RT_ICON	0x00006a88	0x00000468	LANG_NEUTRAL	2.76	None
RT_GROUP_ICON	0x00006ef0	0x00000068	LANG_NEUTRAL	2.69	None
RT_VERSION	0x00004208	0x0000025c	LANG_NEUTRAL	3.23	None

Address	Name
0x402000	_CorDllMain

Processing 31.50s

15.184s NetworkAnalysis
9.715s Suricata
6.55s CAPE
0.044s AnalysisInfo
0.011s BehaviorAnalysis
0.001s Debug

Signatures 0.12s

0.032s network_cnc_http
0.011s network_http
0.008s network_dns_url_shortener
0.006s antiav_detectreg
0.006s suspicious_tld
0.006s ransomware_files
0.004s antiav_detectfile
0.004s ransomware_extensions_known
0.003s network_dyndns
0.003s infostealer_ftp
0.003s territorial_disputes_sigs
0.002s antianalysis_detectfile
0.002s antivm_vbox_files
0.002s infostealer_bitcoin
0.002s infostealer_im
0.002s infostealer_mail
0.002s masquerade_process_name
0.001s banker_zeus_url
0.001s network_ip_exe
0.001s network_open_proxy
0.001s network_torgateway
0.001s antianalysis_detectreg
0.001s antidebug_devices
0.001s antivm_vbox_keys
0.001s geodo_banking_trojan
0.001s browser_security
0.001s disables_backups
0.001s disables_browser_warn
0.001s disables_power_options
0.001s azorult_mutexes
0.001s echelon_files
0.001s poullight_files
0.001s network_dns_opennic
0.001s network_dns_paste_site
0.001s network_dns_temp_file_storage
0.001s revil_mutexes
0.001s recon_fingerprint
0.001s ursnif_behavior

Reporting 0.00s

0.001s JsonDump

Signatures

Network activity detected but not expressed in monitor API logs

ip: 20.93.72.182

ip: 128.75.237.176

ip: 46.149.110.67

ip: 72.154.7.16

ip: 72.154.7.108

ip: 72.154.7.100

ip: 72.154.7.105

ip: 72.154.7.102

ip: 72.154.7.98

ip: 72.154.7.101

ip: 72.154.7.107

ip: 72.154.7.109

ip: 13.107.6.156

ip: 84.47.178.41

ip: 20.165.94.54

ip: 150.171.27.11

ip: 173.194.73.94

ip: 20.42.65.93

ip: 84.47.178.56

ip: 84.47.178.49

ip: 52.123.242.97

ip: 40.126.53.14

ip: 4.207.247.139

ip: 20.189.173.2

domain: i.pki.goog

HTTP traffic contains suspicious features which may be indicative of malware related traffic

ip_hostname: HTTP connection was made to an IP address rather than domain name

suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

suspicious_request: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

suspicious_request: http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

Performs some HTTP requests

url: http://i.pki.goog/gsr1.crt

url: http://i.pki.goog/r4.crt

url: http://i.pki.goog/we2.crt

url: http://i.pki.goog/gsr4.crt

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

url: http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

url: http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com

Binary file triggered multiple YARA rules

Binary triggered YARA rule: DITEKSHEN_MALWARE_Win_Nanocore

Binary triggered YARA rule: Windows_Trojan_Nanocore_d8c4e3c5

Binary triggered YARA rule: Nanocore_RAT_Gen_2

Binary triggered YARA rule: NETDLLMicrosoft

Binary triggered YARA rule: IsPE32

Binary triggered YARA rule: IsNET_DLL

Binary triggered YARA rule: IsDLL

Binary triggered YARA rule: IsWindowsGUI

Binary triggered YARA rule: Microsoft_Visual_Studio_NET

Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET_additional

Binary triggered YARA rule: Microsoft_Visual_C_Basic_NET

Binary triggered YARA rule: Microsoft_Visual_Studio_NET_additional

Binary triggered YARA rule: Microsoft_Visual_C_v70_Basic_NET

Binary triggered YARA rule: NET_executable_

Binary triggered YARA rule: NET_executable

Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext

url: http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

url: http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 6020 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientApp', 'IClientData', 'IClientNetwork', 'IClientAppHost', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings', 'get_Connected']'

Hit: PID 6020 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'IClientAppHost', 'AddHostEntry', 'LogClientException', 'PipeExists', 'IClientLoggingHost']'

Hit: PID 6020 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'

Hit: PID 6020 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'

Hit: PID 6020 triggered the Yara rule 'IsPE32' with data '[]'

Hit: PID 6020 triggered the Yara rule 'IsNET_DLL' with data '[]'

Hit: PID 6020 triggered the Yara rule 'IsDLL' with data '[]'

Hit: PID 6020 triggered the Yara rule 'IsWindowsGUI' with data '[]'

Hit: PID 6020 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Hit: PID 6020 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'

Screenshots

Hosts

Direct	IP	Country Name
Y	20.93.72.182 [VT]	unknown
Y	128.75.237.176 [VT]	unknown
Y	46.149.110.67 [VT]	unknown
Y	72.154.7.16 [VT]	unknown
Y	72.154.7.108 [VT]	unknown
Y	72.154.7.100 [VT]	unknown
Y	72.154.7.105 [VT]	unknown
Y	72.154.7.102 [VT]	unknown
Y	72.154.7.98 [VT]	unknown
Y	72.154.7.101 [VT]	unknown
Y	72.154.7.107 [VT]	unknown
Y	72.154.7.109 [VT]	unknown
Y	13.107.6.156 [VT]	unknown
Y	84.47.178.41 [VT]	unknown
Y	20.165.94.54 [VT]	unknown
Y	150.171.27.11 [VT]	unknown
N	173.194.73.94 [VT]	unknown
Y	20.42.65.93 [VT]	unknown
Y	84.47.178.56 [VT]	unknown
Y	84.47.178.49 [VT]	unknown
Y	52.123.242.97 [VT]	unknown
Y	40.126.53.14 [VT]	unknown
Y	4.207.247.139 [VT]	unknown
Y	20.189.173.2 [VT]	unknown

DNS

Name	Response	Post-Analysis Lookup
i.pki.goog [VT]	A 173.194.73.94 [VT] CNAME pki-goog.l.google.com [VT]	142.251.143.131 [VT]

Summary

Accessed Files Registry Keys Read Registry Keys

C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll
C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.123.Manifest
C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.124.Manifest
C:\Users\cape\AppData\Local\Temp\ClientPlugin.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

No results found.

No behavioral analysis data available.

Sorry! No strace.

Sorry! No tracee.

Hosts (0)
DNS (0)

Hosts

No hosts contacted.

TCP Connections

No TCP connections recorded.

UDP Connections

No UDP connections recorded.

DNS Requests

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP Traffic

No SMTP traffic performed.

IRC Traffic

No IRC requests performed.

ICMP Traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.

Analysis Details

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

Parent File Info

File Information

File Information

Strings

PE Information

Version Info

Sections

Resources

Imports

mscoree

Statistics 31.62s

Signatures

Screenshots

Hosts

DNS

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP