Analysis Report
Overview
General Information

| Property | Value |
|---|---|
| Analysis ID | 51561 |
| Start time | 13:40:36 |
| Start date | 20/04/2015 |
| Overall analysis duration | 0h 2m 35s |
| Report type | full |
| Sample file name | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe (renamed file extension from vir to exe) |
| Cookbook file name | default.jbs |
| Analysis system description | XP SP3, up to date 08.10.2013 (Office 2003 SP3, Java 1.7.0_25, Acrobat Reader 10.1.8, Flash 11.8.800.168, Internet Explorer 8.0.6001, Firefox 24, Chrome 30.0.1599.69) |
| Number of new started processes analysed | 1 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| HCA enabled | true |
| HCA success | |
Detection

| Strategy | Score | Range | Detection |
|---|---|---|---|
| Threshold | 56 | 0 - 100 | |
Signature Overview

Networking

| Signature | Source | Evidence |
|---|---|---|
| Urls found in memory or binary data | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe, virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | String found in binary or memory (2 occurrences) |
| Contains functionality to download additional files from the internet | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00409270 |
| Found API chain matching a thread downloading files from the Internet | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Internet file download |

Data Obfuscation

| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to dynamically determine API calls | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00406E00 |
| Entry point lies outside standard sections | initial sample | Static PE information |
| PE file contains an invalid checksum | initial sample | Static PE information |

Spreading

| Signature | Source | Evidence |
|---|---|---|
| Found possible USB drive infection routine | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | USB drive infection routine |

System Summary

| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to adjust token privileges (e.g. debug / backup) | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00409900 |
| Contains functionality to enum processes or threads | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00409510 |

Anti Debugging

| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to dynamically determine API calls | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00406E00 |
| Creates guard pages, often used to prevent reverse engineering and debugging | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Memory protected |
| Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query |
| Checks for debuggers (window names) | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | Binary or memory string |
| Found API chain indicative of termination of specific processes | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Termination of specific process (2 occurrences) |
Malware Analysis System Evasion

| Signature | Source | Evidence |
|---|---|---|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | Binary or memory string |
| Found API chain indicative of evasive behavior | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Evasive API call chain (3 occurrences) |
| Found decision node followed by non-executed suspicious APIs | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Decision node followed by non-executed suspicious API |
| Found large amount of non-executed APIs | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | API coverage |
| Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query |

Language, Device and Operating System Detection

| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to query local / system time | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_0040912A |
| Contains functionality to query the account / user name | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_00406E70 |
| Contains functionality to query windows version | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_004070C0 |
| Uses the system / local time for branch decision (may execute only at specific dates) | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function 0_1_0040912A |
Yara Overview

No Yara matches.

Startup

Created / dropped Files

No created / dropped files found.

Contacted Domains/Contacted IPs
Static File Info

| Property | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID | |
| File name | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun |
| File size | 204372 bytes |
| MD5 | 0af4ef5069f47a371a0caf22ae2006a6 |
| SHA1 | ad75972ed87ca3f167c442765c0969b19dae4761 |
| SHA256 | b51bed35b874ba43ba186f1b8c40e98d0eb5bb9b6ab60a1539206ef37f95baee |
| SHA512 | a371e920b2e2f3bbb56844939ff705a5cf4e8a45d411da225c6ad125ea05ecd4c30c2549bf7bfa0dd86ae3310912aa44918ba6bb3b40f7b00091c9fcafae744d |
Static PE Info

| Property | Value |
|---|---|
| Entrypoint | 0x40a42f |
| Entrypoint Section | .data |
| Digitally signed | false |
| Imagebase | 0x400000 |
| Subsystem | windows gui 40 |
| Image File Characteristics | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics | |
| Time Stamp | 0x4C444631 [Mon Jul 19 12:33:53 2010 UTC] |
| TLS Callbacks | |
| CLR (.Net) Version | |
| OS Version Major | 4 |
| OS Version Minor | 0 |
| File Version Major | 4 |
| File Version Minor | 0 |
| Subsystem Version Major | 4 |
| Subsystem Version Minor | 0 |
Entrypoint Preview

| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| push FFFFFFFFh |
| push 00402568h |
| push 0040A5B0h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 68h |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [ebp-18h], esp |
| xor ebx, ebx |
| mov dword ptr [ebp-04h], ebx |
| push 00000002h |
| call dword ptr [004010E8h] |
| pop ecx |
| or dword ptr [04E6D908h], FFFFFFFFh |
| or dword ptr [04E6D90Ch], FFFFFFFFh |
| call dword ptr [004010ECh] |
| mov ecx, dword ptr [0040A5F8h] |
| mov dword ptr [eax], ecx |
| call dword ptr [004010F0h] |
| mov ecx, dword ptr [0040A5F4h] |
| mov dword ptr [eax], ecx |
| mov eax, dword ptr [004010F4h] |
| mov eax, dword ptr [eax] |
| mov dword ptr [04E6D904h], eax |
| call 0FC80FC6h |
| cmp dword ptr [00406820h], ebx |
| jne 0FC80EBEh |
| push 0040A5ACh |
| call dword ptr [004010F8h] |
| pop ecx |
| call 0FC80F98h |
| push 0040300Ch |
| push 00403008h |
| call 0FC80F83h |
| mov eax, dword ptr [0040A5F0h] |
| mov dword ptr [ebp-6Ch], eax |
| lea eax, dword ptr [ebp-6Ch] |
| push eax |
| push dword ptr [0040A5ECh] |
| lea eax, dword ptr [ebp-64h] |
| push eax |
| lea eax, dword ptr [ebp-70h] |
| push eax |
| lea eax, dword ptr [ebp-60h] |
| push eax |
| call dword ptr [00401100h] |
| push 00403004h |
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2574 | 0xc8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a6e000 | 0x458 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1c8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .rdata | 0x1000 | 0x1e3a | 0x2000 | 6.96092703302 | False | 0.765014648438 | ump; data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3000 | 0x4a6a910 | 0x7600 | 6.32074066653 | False | 0.506190413136 | ump; data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x4a6e000 | 0x458 | 0x600 | 2.6360548432 | False | 0.3203125 | ump; data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
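The two "Static PE information" signatures in the Data Obfuscation section (entry point lies outside standard sections, PE file contains an invalid checksum) follow directly from the header fields in the Static PE Info and Sections tables, and so does a third anomaly the report shows but does not name: the .data section's virtual size (0x4a6a910) is more than a thousand times its raw size (0x7600), with the entry point 0x40a42f sitting inside that writable, non-executable section. The Python below is an added example, not Joe Sandbox code and not taken from the sample: it parses a PE32 header, finds the section that contains the entry point, recomputes the CheckSum field with the imagehlp algorithm and flags the inflated section. The image it runs on is constructed in memory from the header values this report lists; the raw file offsets (0x400, 0x2400, 0x9a00), the empty data directories and the zero-filled section bodies are assumptions.

```python
"""Static PE header triage (added example, not Joe Sandbox code).

Reproduces the 'entry point outside standard sections' and 'invalid checksum'
findings from the header fields alone, and flags a section whose virtual size
dwarfs its raw size, as this sample's .data section does."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Minimal PE32 parser: entry RVA, CheckSum field offset, stored CheckSum, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # after signature + COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                                    # IMAGE_OPTIONAL_HEADER32.CheckSum
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, checksum_off, stored, sections


def pe_checksum(data, checksum_off):
    """CheckSum as imagehlp computes it: 32-bit sum with carry folding over the whole
    file, the (4-byte aligned) CheckSum field treated as zero, folded to 16 bits,
    plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def entry_point_section(entry_rva, sections):
    """Section whose in-memory span covers the entry point, or None."""
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(data):
    """Human-readable findings for the PE image in `data`."""
    entry_rva, checksum_off, stored, sections = parse_pe(data)
    findings = []
    sec = entry_point_section(entry_rva, sections)
    if sec is None:
        findings.append("entry point RVA 0x%x is in no section" % entry_rva)
    else:
        if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry point in non-executable section %s" % sec["name"])
        if sec["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("entry point in writable section %s" % sec["name"])
    for s in sections:                                        # 16x is an assumed threshold
        if s["rawsize"] and s["vsize"] > 16 * s["rawsize"]:
            findings.append("section %s virtual size 0x%x dwarfs raw size 0x%x"
                            % (s["name"], s["vsize"], s["rawsize"]))
    computed = pe_checksum(data, checksum_off)
    if stored != computed:
        findings.append("invalid checksum: stored 0x%x, computed 0x%x" % (stored, computed))
    return findings


def fix_checksum(data):
    """Rewrite the CheckSum field so the image passes the checksum test (trivial for an attacker too)."""
    _, checksum_off, _, _ = parse_pe(data)
    good = pe_checksum(data, checksum_off)
    return data[:checksum_off] + struct.pack("<I", good) + data[checksum_off + 4:]


def build_sample_pe():
    """Constructed PE32 image (not the analysed file) reproducing this report's header
    values: entry point 0x40a42f at image base 0x400000, the three sections with their
    virtual/raw sizes and characteristics, CheckSum 0. Raw offsets and zero-filled
    section bodies are assumptions."""
    secs = [(b".rdata", 0x1E3A, 0x1000, 0x2000, 0x400, 0x40000040),
            (b".data", 0x4A6A910, 0x3000, 0x7600, 0x2400, 0xC0000040),
            (b".rsrc", 0x458, 0x4A6E000, 0x600, 0x9A00, 0x40000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x4C444631, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 6, 0, 0, 0xA000, 0, 0xA42F, 0x1000, 0x3000,   # entry RVA 0xA42F
                      0x400000, 0x1000, 0x200, 4, 0, 4, 0, 4, 0,
                      0, 0x4A6F000, 0x400, 0,                              # CheckSum = 0
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                     # 16 empty data directories
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in secs)
    image = dos + coff + opt + hdrs
    image += b"\0" * (0x400 - len(image))                                  # SizeOfHeaders = 0x400
    return image + b"\0" * sum(s[3] for s in secs)                         # zero-filled section bodies


if __name__ == "__main__":
    sample = build_sample_pe()
    for finding in triage(sample):
        print("-", finding)
    print("after fix_checksum:", triage(fix_checksum(sample)))
```

On the constructed image `triage` reports four findings: the entry point in the non-executable and writable .data section, the .data virtual/raw size gap, and the checksum mismatch. After `fix_checksum` only the checksum finding disappears, which is the practical caveat: a correct checksum is one `struct.pack` away for the author as well, so it is a weak signal on its own, whereas the entry-point and section-layout anomalies cannot be removed without changing the image the loader maps.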
Resources

| Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
|---|---|---|---|---|---|---|---|
| RT_VERSION | 0x4a6e060 | 0x3f4 | ump; data | English | United States | 0 | False |
Imports

| DLL | Import |
|---|---|
| USER32.dll | EnumWindows, GetWindowTextA, GetWindowThreadProcessId, CharUpperA, MessageBoxA, GetWindowTextLengthA |
| SHELL32.dll | ShellExecuteA |
| dbghelp.dll | MakeSureDirectoryPathExists |
| urlmon.dll | URLDownloadToFileA |
| MSVCRT.dll | _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, fwrite, srand, rand, strstr, _splitpath, atoi, tolower, fopen, fclose, strchr, sprintf, _strlwr, _strrev, _strupr |
| WININET.dll | InternetGetConnectedState |
| WSOCK32.dll | connect, gethostbyname, recv, shutdown, closesocket, WSACleanup, htons, socket, WSAStartup, __WSAFDIsSet, select, WSAGetLastError, inet_ntoa, send |
| ADVAPI32.dll | RegCreateKeyA, AdjustTokenPrivileges, RegOpenKeyExA, RegQueryValueExA, GetUserNameA, RegCloseKey, LookupPrivilegeValueA, OpenProcessToken, RegSetValueExA |
| KERNEL32.dll | WinExec, GetCurrentThread, SetThreadPriority, ExitThread, CreateThread, Sleep, GetVersionExA, GetComputerNameA, FreeLibrary, LoadLibraryA, GetProcAddress, GetModuleFileNameA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, CreateSemaphoreA, ReleaseSemaphore, CreateEventA, ExitProcess, CreateMutexA, GetLastError, lstrlenA, GetTickCount, lstrcpyA, GetCurrentProcess, GetModuleHandleA, GetCurrentProcessId, CreateToolhelp32Snapshot, Process32First, OpenProcess, TerminateProcess, Process32Next, GetSystemTime, CreateProcessA, WritePrivateProfileStringA, CreateDirectoryA, CreateFileA, CloseHandle, GlobalFree, GlobalAlloc, GetStartupInfoA, SetFileAttributesA, CopyFileA, ReleaseMutex, GetDriveTypeA |
Version Infos

| Description | Data |
|---|---|
| LegalCopyright | Copyright (C) Microsoft Corp. 1981-2000 |
| InternalName | servicess |
| FileVersion | 5.50.4134.100 |
| CompanyName | Microsoft Corporation |
| PrivateBuild | |
| LegalTrademarks | |
| Comments | |
| ProductName | Microsoft(R) Windows(R) 2000 Operating System |
| SpecialBuild | |
| ProductVersion | 5.50.4134.100 |
| FileDescription | Microsoft (R) Windows Explorer |
| OriginalFilename | servicess.exe |
| Translation | 0x0419 0x04b0 (LANGID 0x0419 = Russian (Russia), charset 0x04b0 = Unicode) |
Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
Network Behavior

No network behavior found.

Hooks - Code Manipulation Behavior

Statistics
System Behavior

General

| Property | Value |
|---|---|
| Start time | 13:40:59 |
| Start date | 30/12/2014 |
| Path | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe |
| Wow64 process (32bit) | false |
| Commandline | unknown |
| Imagebase | 0x400000 |
| File size | 204372 bytes |
| MD5 hash | 0AF4EF5069F47A371A0CAF22AE2006A6 |
Disassembly

Code Analysis

Execution Graph

| Metric | Value |
|---|---|
| Execution Coverage | 3.3% |
| Dynamic/Decrypted Code Coverage | 0% |
| Signature Coverage | 14.3% |
| Total number of Nodes | 322 |
| Total number of Limit Nodes | 2 |