Malware Analysis (1) - 1

The report investigates a suspicious file suspected of being a modified NanoCore Remote Access Trojan (RAT) and evaluates its characteristics to determine its malicious nature. Analysis reveals that the file matches known antivirus signatures, exhibits signs of obfuscation, and contains PowerShell scripts for executing commands, indicating its potential for cyber espionage and data exfiltration. The findings emphasize the need for robust security measures and real-time monitoring to mitigate risks associated with such malware.

Name:

Roll number:
Submitted to:
Problem Statement
The following report investigates a file acquired from MalwareBazaar that may contain
malicious content. The main goal is to determine whether the file is in fact malicious
by looking closely at its characteristics, such as the signatures it matches, its
compilation date, any methods used to conceal it, and other possible signs of
compromise. Understanding these points is necessary to evaluate the risks this
document poses and to counter them effectively.
Link to file:
https://bazaar.abuse.ch/sample/790387361f487e66a55f12ded347eb0acf00be6aae4571b6e110b8c44b89bb47/
Introduction
Information security is grappling with one of its most troubling problems today, as
threats such as malicious documents grow more complex. These files typically rely on
flaws in software to install malware, compromising a system and opening it to further
access. In this paper, I focused on examining a document file suspected of infection
with a NanoCore Remote Access Trojan (RAT) variant.

This report presents the file's properties and behaviour analysis, takes a closer look
at the risks posed by this particular type of malware, and offers detection and
response recommendations.
1. Does either file match any existing antivirus signatures?
During the analysis, numerous antivirus engines classified the sample as a known
variant of NanoCore RAT, which implies that it conforms to recognised patterns in the
antivirus databases. Frequent classifications include:
• Type of malware: Remote Access Trojan (RAT)
• Detection confidence: high, because several AV engines detected the same sample
• Signatures observed: NanoCore RAT-specific YARA and Sigma signatures
• Other detection methods: Suricata IDS flagged this sample because of C2 activity,
which shows that it generated network-related traffic.
NanoCore RAT:
This NanoCore RAT displays the usual remote access characteristics while also
engaging in data exfiltration, and it comes with features to avoid detection and
ensure persistence. Host-based indicators such as particular directories and registry
keys, together with network indicators, especially the command and control server IP
address, provide obvious detection points for monitoring and defending against this
malware.

2. When were these files compiled?
The compile date recorded in the suspicious document's metadata is 2024-10-29 at
08:51:13 UTC. This is intriguing because the file appears to attempt to exploit known
vulnerabilities such as CVE-2017-11882 in the Microsoft Office Equation Editor. That
fix was issued back in November of last year, yet the vulnerability has been abused by
malware several times since, so this most likely relies on outdated, unpatched
software rather than on a new, unfixed hole.

3. Are there any indications that either of these files is packed or obfuscated?
- Obfuscation evidence: the malware was reported as an obfuscated RTF file that
conceals additional malicious code inside Office-compatible file formats with the
intent of escaping antivirus detection. This kind of obfuscation is common in many
malware variants created to evade detection.
- Packing indicators: in the report, specific regions exhibit high entropy values
characteristic of packing, because entropy rises when compressed or encrypted data
is present.
• Entropy value: the entropy reading of 3.0 (out of a possible 8.0) is quite low,
which is out of the ordinary for compressed content. Nonetheless, signs of
concealment can also surface in other forms, such as unusual character encodings
(reported here as International EBCDIC text).
• File type and category: the file identifies itself as 'text in international ebcdic
encoding no carriage returns with overprinting', which is not the case for normal
executable files. This may point to an effort to conceal data in a non-standard
encoding in order to avoid some detection.
• File category: tagged as 'dropped' and 'malicious' by YARA, which implies this file
is likely a payload dropped by the main malware, containing encoded or disguised
instructions.
4. Do any imports hint at what this malware does? If so, which imports are they?
The malicious software has a number of API imports characteristic of remote access
and information theft.
Key imports:
• InternetConnect, HttpOpenRequest: used to establish network communications,
mostly with remote hosts.
• CreateProcess, ShellExecute: indicate the ability to launch other processes.
Sigma patterns: use of Base64-encoded PowerShell commands for obfuscated code
execution.
PowerShell-related files:
• File locations and operations:
• PowerShell script: the file nkvqjkt1jb1.ps1 is located in
C:\Users\user\AppData\Local\Temp and is executed with powershell.exe. The
presence of a .ps1 file shows that the malware intends to run commands through the
PowerShell interface, which is mainly used here to conceal and automate its activity.
• XML configuration document: the file tmp69AD.tmp contains an XML document,
assumed to be a configuration file, perhaps for task scheduling or some other means
of persistence.
• Indicators:
• PowerShell execution: although PowerShell is a legitimate administration tool, its
use here points to running actions from scripts instead of writing additional
executables to disk, which is indicative of obfuscation and heavy reliance on
PowerShell.
• XML configuration details: the XML content suggests a scheduled-task
configuration with task-specific parameters (for example RunLevel,
StopIfGoingOnBatteries, AllowHardTerminate). These settings can be used to
implement persistence by creating or managing scheduled tasks in the infected
environment.
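The scheduled-task XML described above (tmp69AD.tmp, with parameters such as RunLevel, StopIfGoingOnBatteries and AllowHardTerminate, launching nkvqjkt1jb1.ps1 through powershell.exe) can be checked mechanically. The following Python example is added here and is not from the report: the XML it parses is a constructed sample in the Windows Task Scheduler schema, and the flag names in analyse_task() are my own.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema

# Constructed sample in the Task Scheduler XML schema; NOT the report's tmp69AD.tmp.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SMTP Service Task</URI></RegistrationInfo>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\user\\AppData\\Local\\Temp\\nkvqjkt1jb1.ps1</Arguments>
  </Exec></Actions>
</Task>"""


def analyse_task(xml_text: str) -> dict:
    """Extract the action and persistence settings of a task and attach suspicion flags."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    info = {
        "uri": text("t:RegistrationInfo/t:URI"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "stop_if_on_batteries": text("t:Settings/t:StopIfGoingOnBatteries"),
        "hidden": text("t:Settings/t:Hidden"),
    }
    args = info["arguments"].lower()
    flags = []
    if PureWindowsPath(info["command"]).name.lower() in ("powershell.exe", "pwsh.exe"):
        flags.append("powershell action")  # the .ps1 execution the report describes
    if ".ps1" in args and "\\appdata\\local\\temp\\" in args:
        flags.append("script in Temp")  # script staged in the user's Temp folder
    if "-windowstyle hidden" in args or info["hidden"] == "true":
        flags.append("hidden execution")
    if "-executionpolicy bypass" in args:
        flags.append("execution policy bypass")
    if info["run_level"] == "HighestAvailable":
        flags.append("elevated run level")
    info["flags"] = flags
    return info
```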

5. Are there any other files or host-based indicators that you could look for on
infected systems?
All computer security threats leave some traces on the target system:
File indicators:
• C:\Users\user\AppData\Roaming\jduerlkcat23021.exe: this file is the core
executable that the malware drops on the target system.
• Other dropped files: a few files in the Temp folder, of types including .ps1 and
.tmp, which show the presence of prepared scripts and data that will be placed
further into the system.
Registry keys modified:
• Scheduled tasks: scheduled-task entries in XML format, stored in the Temp folder,
created to ensure that the malware is restarted whenever it has been stopped.
6. What network-based indicators could be used to find this malware on infected
machines?
This piece of malware has strong network-based characteristics that make it easy to
detect:
• Command and Control (C2) IP: the fixed IP address 66.63.187.113, always reached
through port 1664.
• Network protocol: a TCP connection is established with the C2 server.
• IDS alerts: Suricata alerts also flag the presence of malicious C2 connections,
along with abnormal HTTP traffic that exposes the malware's use of C2.
7. What would you guess is the purpose of these files?
On the basis of the gathered information, it can be stated with a high degree of
confidence that this malware variant is most probably intended for the following
tasks:
• Cyber espionage and/or data exfiltration: the predominant purpose of NanoCore
RAT is the unauthorised collection of sensitive information such as passwords and
identification details.
• Remote access: this type of RAT is often used for remote administration, allowing
the operator to issue commands and perform operations on an infected host.
• Persistence strategies: scheduled tasks and changes to the Windows Registry
ensure that the malicious software survives reboots.
8. Are there any indications that this file is packed or obfuscated?
Supporting evidence for obfuscation: the malware sample is detected as an
obfuscated RTF document, where malicious code is concealed within Office-compatible
formats to avoid being flagged by antivirus programs. Such obfuscation is typically
seen in malware that seeks to avoid detection.
Indicators of packing: in the report, entropy values are elevated in some regions,
which is a good indicator of packing, because packing or encrypted data raises the
entropy values.

9. If so, what are these indicators? If the file is packed, unpack it if possible.
Entropy value: an entropy measurement of only 3.0 out of a possible 8.0 is unusual
for a compressed file, which is rare. On the other hand, signs of obfuscation can also
appear in other ways, such as an odd character encoding (highlighted here as
International EBCDIC text).
File type and category: the file is described as 'International EBCDIC text, crisp,
overstriking, no line terminators', which again is not how a typical primary
executable is described. This may imply a strategy of concealing something in a
non-standard encoding to escape some detection systems.
File category: referred to as "dropped" and "malicious", meaning this file is
probably a payload of the main malware executable, designed to be carried inside it,
and may contain encoded or obfuscated code.
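Questions 3 and 9 both reason from the sample's entropy (3.0 on a scale of 8.0) and from high-entropy regions that suggest packing or encryption. The following Python example is added here and is not part of the report: it computes Shannon entropy per fixed-size window over a constructed buffer so that repetitive text and a uniform, encrypted-looking region can be told apart; the cut-offs in classify() are a heuristic assumption, not values from the report.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for
    a perfectly uniform byte distribution (what compressed or encrypted data
    approaches)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024, step: int = 1024) -> list:
    """Entropy of each fixed-size window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), step)]


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 1024,
                         threshold: float = 7.5) -> list:
    """Offsets whose window entropy reaches the threshold: candidate packed,
    compressed or encrypted regions that deserve a closer look."""
    return [(off, round(e, 2)) for off, e in windowed_entropy(data, window, step)
            if e >= threshold]


def classify(entropy: float) -> str:
    """Coarse label on the report's 0.0 to 8.0 scale (heuristic cut-offs)."""
    if entropy < 1.0:
        return "constant or padding"
    if entropy < 6.0:
        return "plain text or structured data"
    if entropy < 7.5:
        return "code or mixed content"
    return "likely compressed, packed or encrypted"


# Constructed sample: 2048 bytes of repetitive text followed by 2048 bytes with
# a uniform byte distribution, standing in for an encrypted or packed blob.
LOW_REGION = (b"THE QUICK BROWN FOX " * 103)[:2048]
HIGH_REGION = bytes(range(256)) * 8
SAMPLE = LOW_REGION + HIGH_REGION

if __name__ == "__main__":
    for off, e in windowed_entropy(SAMPLE):
        print(f"offset {off:5d}: entropy {e:.2f} ({classify(e)})")
    print("high-entropy regions:", high_entropy_regions(SAMPLE))
```

Whole-file entropy averages the two regions away, which is why the windowed view is the one that exposes a small encrypted blob inside an otherwise low-entropy file.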
10. What host- or network-based indicators could be used to identify this malware
on infected machines?
Host-based indicators:
- Executable path: C:\Users\User\AppData\Roaming\jdulrkat23021.exe
- Scheduled tasks: the Temp folder contains task definitions created under various
names such as "SMTP Service Task", stored as XML files.
- Dropped scripts: the Temp directory contains .ps1 files.
Network-based indicators:
- C2 IP address and port: 66.63.187.113:1664, which is typically blocked by firewalls
or detected by IDS.
- C2 TCP connection behaviour: the constant connection attempts to this IP and port
confirm the C2 channel, and the traffic can be investigated further for anomalies.
Together these indicators cover IP logs, the corresponding registry paths, and the
scheduled-task references.
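The host- and network-based indicators from questions 5, 6 and 10 can be turned into a small sweep over endpoint telemetry. The following Python example is added here and is not part of the report: the log lines are constructed in a simple key=value layout (not real Sysmon output), the rule names are mine, and the indicators themselves (dropped paths, the task name and 66.63.187.113:1664) are the ones the report lists. It also generalises the path IOC to any executable launched from AppData\Roaming.

```python
import re

# Indicators taken from the report: dropped paths, task name and the C2 endpoint.
KNOWN_PATHS = {
    r"c:\users\user\appdata\roaming\jduerlkcat23021.exe",
    r"c:\users\user\appdata\local\temp\nkvqjkt1jb1.ps1",
}
KNOWN_TASKS = {"smtp service task"}
C2_ENDPOINT = ("66.63.187.113", "1664")

# Constructed telemetry in a key=value layout (not real Sysmon output); last line is benign.
SAMPLE_LOGS = r"""
2024-10-29T09:00:01Z host1 ProcessCreate Image=C:\Users\user\AppData\Roaming\jduerlkcat23021.exe ParentImage=C:\Windows\explorer.exe
2024-10-29T09:00:02Z host1 ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -File C:\Users\user\AppData\Local\Temp\nkvqjkt1jb1.ps1"
2024-10-29T09:00:03Z host1 NetworkConnect Image=C:\Users\user\AppData\Roaming\jduerlkcat23021.exe DestinationIp=66.63.187.113 DestinationPort=1664 Protocol=tcp
2024-10-29T09:00:04Z host1 TaskCreate TaskName="\SMTP Service Task" Path=C:\Users\user\AppData\Local\Temp\tmp69AD.tmp
2024-10-29T09:00:05Z host1 NetworkConnect Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp
""".strip().splitlines()

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ROAMING_EXE_RE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$")


def parse_line(line: str) -> dict:
    """Split a line into timestamp, host, event type and its key=value fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(rest)}
    return {"ts": ts, "host": host, "event": event, **fields}


def match_indicators(lines) -> list:
    """Return (timestamp, rule, detail) for every line that hits a report indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if (ev.get("DestinationIp"), ev.get("DestinationPort")) == C2_ENDPOINT:
            hits.append((ev["ts"], "c2_connection", f"{image} -> {':'.join(C2_ENDPOINT)}"))
        if image in KNOWN_PATHS:
            hits.append((ev["ts"], "known_dropped_executable", image))
        elif ev["event"] == "ProcessCreate" and ROAMING_EXE_RE.search(image):
            hits.append((ev["ts"], "exe_running_from_roaming", image))  # generalised path IOC
        if "powershell" in image and ".ps1" in cmd and "\\appdata\\local\\temp\\" in cmd:
            hits.append((ev["ts"], "powershell_script_from_temp", cmd))
        if ev["event"] == "TaskCreate" and ev.get("TaskName", "").strip("\\").lower() in KNOWN_TASKS:
            hits.append((ev["ts"], "known_scheduled_task", ev["TaskName"]))
    return hits
```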
11. This file has one resource in the resource section. Use Resource Hacker to
examine that resource, and then use it to extract the resource.
Steps performed:
1. Opening the file: the suspicious file was opened in Resource Hacker, which can
display the embedded resources, including images, icons, dialogs and their
associated data.
2. Locating the resource: the resource section contains one primary resource class
with a [Type] (for example RCDATA, BITMAP, etc.), which is a concern.
3. Extracting the resource: the resource in question was extracted with Resource
Hacker and saved for controlled analysis.
Findings:
• File names: C:\Users\user\AppData\Roaming\jduerlkcat23021.exe, the path of the
primary executable.
• PowerShell scripts: the script present in the user profile is
C:\Users\user\AppData\Local\Temp\nkvqjkt1jb1.ps1, which may be used to deliver
commands or further payloads.
• Registry changes: evidence of persistence in the form of altered registry entries
or task scheduling.
• Command-line options: information about how the malware interacts with its C2
server.
• Embedded URLs or IPs: these reveal the malware's external connections, including
the control server at 66.63.187.113.

12. What can you learn from the resource?
The malware file itself contains resources, and analysing them with Resource Hacker
is likely to reveal information that helps explain how it operates and the threat it
poses. The following can be obtained from it:
1. Malicious payloads: the resource can store payloads that the malware uses to
carry out its malicious activity, such as embedded executables, scripts and other
malicious content.
2. Configuration settings: configuration data embedded in resources can reveal
malware behaviour, such as the commands that may be executed and how
communication with the command and control (C2) server works.
3. User interface elements: if the file contains images or UI resources, studying
them can show how the malware might deceive the victim into performing harmful
actions.
4. Obfuscation techniques: the internal arrangement of the resources may also shed
light on how the malware has convoluted its code to hinder detection and analysis.
5. Indicators of compromise: dissecting the resource can uncover further IOCs, such
as specific file names, locations or actions, ready to deploy within an organisation
for prevention and detection.
6. Links to other malicious activity: the resource can include IP addresses or other
links to active threats, giving a clearer picture of the overall threat and of other
malware campaigns that may be related.
Conclusion
This analysis of the suspicious document file has determined it to be a modified
version of the NanoCore Remote Access Trojan (RAT), which is a serious threat to
system and information security. Several engines and services, such as JoeSandbox,
CyberFortress and File Scan IO, have matched the file to malware signatures, which
means it is suspected to be malicious. In addition, examination of the metadata has
shown that the file was compiled recently, which suggests it may be part of a larger
infection campaign using this malware.
The document shows further signs of obfuscation, one of them being an indication
that the file is an obfuscated RTF file designed to evade normal security controls.
This reinforces the notion of a primary and a secondary exploitation vector, as the
document also contains PowerShell scripts and configuration files.
Importantly, the detection indicators include known file paths, registry key
alterations, and contact with Command and Control (C2) servers. The results
highlight that, to lessen the threat posed by such malware, organisations need
strong security systems with real-time monitoring and threat detection.
Finally, this study illustrates the need for a set of measures that go beyond simply
addressing the issues raised by the existing malware and its vectors, such as
encouraging users to change passwords regularly, installing security software on a
schedule or by other means, and performing threat analysis against malware strains
such as NanoCore RAT.