Analysis Report
Overview
General Information | |
---|---|
Analysis ID: | 51561 |
Start time: | 13:40:36 |
Start date: | 20/04/2015 |
Overall analysis duration: | 0h 2m 35s |
Report type: | full |
Sample file name: | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe (renamed file extension from vir to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | XP SP3, up to date 08.10.2013 (Office 2003 SP3, Java 1.7.0_25, Acrobat Reader 10.1.8, Flash 11.8.800.168, Internet Explorer 8.0.6001, Firefox 24, Chrome 30.0.1599.69) |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: | |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 56 | 0 - 100 | Report FP / FN | |
Signature Overview |
---|
Networking: |
---|
Signature | Source | Evidence |
---|---|---|
Urls found in memory or binary data | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe, virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | String found in binary or memory (2 hits) |
Contains functionality to download additional files from the internet | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00409270 |
Found API chain matching a thread downloading files from the Internet | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Internet file download |
Data Obfuscation: |
---|
Signature | Source | Evidence |
---|---|---|
Contains functionality to dynamically determine API calls | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00406E00 |
Entry point lies outside standard sections | initial sample | Static PE information |
PE file contains an invalid checksum | initial sample | Static PE information |
Spreading: |
---|
Signature | Source | Evidence |
---|---|---|
Found possible USB drive infection routine | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | USB drive infection routine |
System Summary: |
---|
Signature | Source | Evidence |
---|---|---|
Contains functionality to adjust token privileges (e.g. debug / backup) | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00409900 |
Contains functionality to enumerate processes or threads | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00409510 |
Anti Debugging: |
---|
Signature | Source | Evidence |
---|---|---|
Contains functionality to dynamically determine API calls | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00406E00 |
Creates guard pages, often used to prevent reverse engineering and debugging | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Memory protected |
Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query |
Checks for debuggers (window names) | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | Binary or memory string |
Found API chain indicative of termination of specific processes | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Termination of specific process (2 hits) |
Malware Analysis System Evasion: |
---|
Signature | Source | Evidence |
---|---|---|
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun | Binary or memory string |
Found API chain indicative of evasive behavior | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Evasive API call chain (3 hits) |
Found decision node followed by non-executed suspicious APIs | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Decision node followed by non-executed suspicious API |
Found large amount of non-executed APIs | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | API coverage |
Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query |
Language, Device and Operating System Detection: |
---|
Signature | Source | Evidence |
---|---|---|
Contains functionality to query local / system time | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_0040912A |
Contains functionality to query the account / user name | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_00406E70 |
Contains functionality to query Windows version | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_004070C0 |
Uses the system / local time for branch decision (may execute only at specific dates) | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe | Code function: 0_1_0040912A |
Yara Overview |
---|
No Yara matches |
Startup |
---|
 |
Created / dropped Files |
---|
No created / dropped files found |
Contacted Domains/Contacted IPs |
---|
 |
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
TrID: | |
File name: | virussign.com_0af4ef5069f47a371a0caf22ae2006a6.dontrun |
File size: | 204372 bytes |
MD5: | 0af4ef5069f47a371a0caf22ae2006a6 |
SHA1: | ad75972ed87ca3f167c442765c0969b19dae4761 |
SHA256: | b51bed35b874ba43ba186f1b8c40e98d0eb5bb9b6ab60a1539206ef37f95baee |
SHA512: | a371e920b2e2f3bbb56844939ff705a5cf4e8a45d411da225c6ad125ea05ecd4c30c2549bf7bfa0dd86ae3310912aa44918ba6bb3b40f7b00091c9fcafae744d |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x40a42f |
Entrypoint Section: | .data |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui 40 |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4C444631 [Mon Jul 19 12:33:53 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Entrypoint Preview |
---|
Instruction |
---|
push ebp |
mov ebp, esp |
push FFFFFFFFh |
push 00402568h |
push 0040A5B0h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
sub esp, 68h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-18h], esp |
xor ebx, ebx |
mov dword ptr [ebp-04h], ebx |
push 00000002h |
call dword ptr [004010E8h] |
pop ecx |
or dword ptr [04E6D908h], FFFFFFFFh |
or dword ptr [04E6D90Ch], FFFFFFFFh |
call dword ptr [004010ECh] |
mov ecx, dword ptr [0040A5F8h] |
mov dword ptr [eax], ecx |
call dword ptr [004010F0h] |
mov ecx, dword ptr [0040A5F4h] |
mov dword ptr [eax], ecx |
mov eax, dword ptr [004010F4h] |
mov eax, dword ptr [eax] |
mov dword ptr [04E6D904h], eax |
call 0FC80FC6h |
cmp dword ptr [00406820h], ebx |
jne 0FC80EBEh |
push 0040A5ACh |
call dword ptr [004010F8h] |
pop ecx |
call 0FC80F98h |
push 0040300Ch |
push 00403008h |
call 0FC80F83h |
mov eax, dword ptr [0040A5F0h] |
mov dword ptr [ebp-6Ch], eax |
lea eax, dword ptr [ebp-6Ch] |
push eax |
push dword ptr [0040A5ECh] |
lea eax, dword ptr [ebp-64h] |
push eax |
lea eax, dword ptr [ebp-70h] |
push eax |
lea eax, dword ptr [ebp-60h] |
push eax |
call dword ptr [00401100h] |
push 00403004h |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2574 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a6e000 | 0x458 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1c8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
.rdata | 0x1000 | 0x1e3a | 0x2000 | 6.96092703302 | False | 0.765014648438 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x4a6a910 | 0x7600 | 6.32074066653 | False | 0.506190413136 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x4a6e000 | 0x458 | 0x600 | 2.6360548432 | False | 0.3203125 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_VERSION | 0x4a6e060 | 0x3f4 | data | English | United States | 0 | False |
Imports |
---|
DLL | Import |
---|---|
USER32.dll | EnumWindows, GetWindowTextA, GetWindowThreadProcessId, CharUpperA, MessageBoxA, GetWindowTextLengthA |
SHELL32.dll | ShellExecuteA |
dbghelp.dll | MakeSureDirectoryPathExists |
urlmon.dll | URLDownloadToFileA |
MSVCRT.dll | _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, fwrite, srand, rand, strstr, _splitpath, atoi, tolower, fopen, fclose, strchr, sprintf, _strlwr, _strrev, _strupr |
WININET.dll | InternetGetConnectedState |
WSOCK32.dll | connect, gethostbyname, recv, shutdown, closesocket, WSACleanup, htons, socket, WSAStartup, __WSAFDIsSet, select, WSAGetLastError, inet_ntoa, send |
ADVAPI32.dll | RegCreateKeyA, AdjustTokenPrivileges, RegOpenKeyExA, RegQueryValueExA, GetUserNameA, RegCloseKey, LookupPrivilegeValueA, OpenProcessToken, RegSetValueExA |
KERNEL32.dll | WinExec, GetCurrentThread, SetThreadPriority, ExitThread, CreateThread, Sleep, GetVersionExA, GetComputerNameA, FreeLibrary, LoadLibraryA, GetProcAddress, GetModuleFileNameA, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, CreateSemaphoreA, ReleaseSemaphore, CreateEventA, ExitProcess, CreateMutexA, GetLastError, lstrlenA, GetTickCount, lstrcpyA, GetCurrentProcess, GetModuleHandleA, GetCurrentProcessId, CreateToolhelp32Snapshot, Process32First, OpenProcess, TerminateProcess, Process32Next, GetSystemTime, CreateProcessA, WritePrivateProfileStringA, CreateDirectoryA, CreateFileA, CloseHandle, GlobalFree, GlobalAlloc, GetStartupInfoA, SetFileAttributesA, CopyFileA, ReleaseMutex, GetDriveTypeA |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) Microsoft Corp. 1981-2000 |
InternalName | servicess |
FileVersion | 5.50.4134.100 |
CompanyName | Microsoft Corporation |
PrivateBuild | |
LegalTrademarks | |
Comments | |
ProductName | Microsoft(R) Windows(R) 2000 Operating System |
SpecialBuild | |
ProductVersion | 5.50.4134.100 |
FileDescription | Microsoft (R) Windows Explorer |
OriginalFilename | servicess.exe |
Translation | 0x0419 0x04b0 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken |
---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
Hooks - Code Manipulation Behavior |
---|
 |
Statistics |
---|
 |
System Behavior |
---|
General | |
---|---|
Start time: | 13:40:59 |
Start date: | 30/12/2014 |
Path: | C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 204372 bytes |
MD5 hash: | 0AF4EF5069F47A371A0CAF22AE2006A6 |
Disassembly |
---|
Code Analysis |
---|
Execution Graph | |
---|---|
Execution Coverage: | 3.3% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 14.3% |
Total number of Nodes: | 322 |
Total number of Limit Nodes: | 2 |
Executed Functions |
---|
(per-function APIs, strings and memory dump source listings from the Joe Sandbox IDA Plugin are not present in this export) |
Non-executed Functions |
---|
(per-function APIs, strings and memory dump source listings from the Joe Sandbox IDA Plugin are not present in this export) |