Analysis Report
Overview
General Information

| Field | Value |
|---|---|
| Analysis ID: | 58913 |
| Start time: | 19:34:25 |
| Start date: | 20/04/2015 |
| Overall analysis duration: | 0h 4m 2s |
| Report type: | full |
| Sample file name: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
| Cookbook file name: | VM Aware.jbs |
| Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
| Number of new started processes analysed: | 8 |
| Number of new started drivers analysed: | 2 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| HCA enabled: | true |
| HCA success: | |
Detection

| Strategy | Score | Range | Reporting | Detection |
|---|---|---|---|---|
| Threshold | 60 | 0 - 100 | | |
Signature Overview

Networking

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Urls found in memory or binary data | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory | |
| Urls found in memory or binary data | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory | |
| Contains functionality to download additional files from the internet | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00161470 |

Remote Access Functionality

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Contains strings related to BOT control commands | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | String found in binary or memory | |

Data Obfuscation

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Contains functionality to dynamically determine API calls | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_0016243C |
| Generates new code (likely due to unpacking of malware or shellcode) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code execution | |
| PE file contains sections with non-standard names | initial sample | Static PE information | |
| PE file contains sections with non-standard names | initial sample | Static PE information | |

System Summary

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Contains functionality to enum processes or threads | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00163268 |
| PE file has an executable .text section and no other executable section | initial sample | Static PE information | |
| Contains functionality to call native functions | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_0040100D, 2_2_0040113F, 2_2_00401000, 2_2_00162087, 2_2_00162A28, 2_2_00163D6C, 2_2_001630B0, 2_2_001620A8, 2_2_00162958 |

HIPS / PFW / Operating System Protection Evasion

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| May try to detect the Windows Explorer process (often used for injection) | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string | |
| May try to detect the Windows Explorer process (often used for injection) | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string | |
| May try to detect the Windows Explorer process (often used for injection) | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string | |
| Contains functionality to inject code into explorer (shared memory section, SetWindowLong, SendNotifyMessage technique) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00162A26 |

Anti Debugging

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Contains functionality to register its own exception handler | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_001645FA, 2_2_00163A14 |
| Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_001633E7 |
| Contains functionality to dynamically determine API calls | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_0016243C |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00161470 |
| Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query | |

Malware Analysis System Evasion

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Binary or memory string | |
| Contains capabilities to detect virtual machines | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Registry key queried | |
| Found decision node followed by non-executed suspicious APIs | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Decision node followed by non-executed suspicious API | graph_2-2063 |
| Found evasive API chain (may stop execution after accessing registry keys) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain | graph_2-2283 |
| Found evasive API chain (may stop execution after accessing registry keys) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain | graph_2-2283 |
| Found large amount of non-executed APIs | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | API coverage | |
| May sleep (evasive loops) to hinder dynamic analysis | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe TID: 3220 | Thread sleep count | |
| May sleep (evasive loops) to hinder dynamic analysis | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe TID: 3220 | Thread sleep time | |
| Program does not show much activity (idle) | all processes | Thread injection, dropped files, key value created, disk infection and DNS query | |
| Contains functionality to generate a fingerprint of the current system | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00161B96 |
| Found evasive API chain (may stop execution after checking a module file name) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain | graph_2-1925 |
| Found evasive API chain (may stop execution after checking volume information) | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Evasive API call chain | graph_2-1928 |

Language, Device and Operating System Detection

| Signature | Source | Evidence | Reference |
|---|---|---|---|
| Contains functionality to query windows version | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Code function | 2_2_00163588 |
| Queries the volume information (name, serial number etc) of a device | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe | Queries volume information | |
Yara Overview

No Yara matches

Startup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Static File Info

General

| Field | Value |
|---|---|
| File type: | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID: | |
| File name: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
| File size: | 121856 |
| MD5: | d80e956259c858eaccb53c1affaf8141 |
| SHA1: | 7358e2d4879d4109c89400a4361ba8bb8e71b357 |
| SHA256: | 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7 |
| SHA512: | eeda45b97914e7a00e6166f2e46070faabbff45eb6957dc0052383d17d0e5137b81ba268974f34bdc4c617397ad6e5cf0e241054145cd9dff93477b30a0660c1 |
Static PE Info

General

| Field | Value |
|---|---|
| Entrypoint: | 0x40b3c9 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui 40 |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x4D6622A4 [Thu Feb 24 09:19:32 2011 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
Entrypoint Preview

| Instruction |
|---|
| cmp ecx, 0000011Ch |
| je 0E2B23E5h |
| jmp 0E2B23E3h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| std |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [esi], bl |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| int3 |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| dec esp |
| add byte ptr [esi], bl |
| add byte ptr [eax], al |
| add byte ptr [ebx+00D10000h], al |
| add byte ptr [eax], al |
| mov dword ptr [004144ACh], edx |
| cmp esi, A4600200h |
| jnbe 0E2B23F2h |
| jmp 0E2B23F0h |
| add byte ptr [eax], al |
| add byte ptr [esi+00000000h], bh |
| add al, ah |
| add byte ptr [eax+00h], dh |
| arpl word ptr [eax], ax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| inc esp |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax+eax+1F000000h], bh |
| add byte ptr [eax], al |
| arpl word ptr [eax], ax |
| jle 0E2B23C2h |
| jnc 0E2B23C2h |
| add byte ptr [eax], al |
| iretd |
| add byte ptr [eax], al |
| add byte ptr [ebx+4146C83Dh], cl |
| add byte ptr [ebx], bh |
| cmp eax, 0041433Ch |
| je 0E2B23E5h |
| jmp 0E2B23E3h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [esi], cl |
| add byte ptr [eax], al |
| add byte ptr [eax+eax], ah |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| stosb |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| pop dword ptr [eax] |
| add byte ptr [esi+5C000000h], cl |
| add byte ptr [eax], al |
| insd |
| add byte ptr [eax], al |
| mov ebx, dword ptr [00415228h] |
| cmp ebx, dword ptr [00415228h] |
| jnbe 0E2B23C2h |
| cmp edi, 00000000h |
| jnbe 0E2B23E5h |
| jmp 0E2B23E3h |
| add cl, bh |
| add byte ptr [eax], al |
| xchg dword ptr [eax], eax |
| add byte ptr [eax], al |
| add byte ptr [edi+00h], ch |
| mov dl, 00h |
| test al, 00h |
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x325ec | 0x154 | .rdataW |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x3a4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x192ac | 0x70 | .dataG |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x5ec | .rdataW |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xeb4c | 0xec00 | 6.58454534451 | False | 0.685248940678 | ump; data | IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
| .dataG | 0x10000 | 0x21810 | 0x9a00 | 6.17317294259 | False | 0.72653713474 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
| .rdataW | 0x32000 | 0x4d19 | 0x4e00 | 3.58893178542 | False | 0.214643429487 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_LNK_OVER, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ |
| .rsrc | 0x37000 | 0x3a4 | 0x400 | 3.13216794898 | False | 0.462890625 | ump; data | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
Resources

| Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
|---|---|---|---|---|---|---|---|
| RT_VERSION | 0x37058 | 0x34c | ump; data | English | Australia | 0 | False |
Imports

| DLL | Import |
|---|---|
| IMM32.dll | ImmConfigureIMEW, ImmIsUIMessageA, ImmRegisterWordA, ImmGetIMEFileNameW, ImmEscapeW, ImmUnlockIMC, ImmLockIMC, ImmGetCandidateListCountA, ImmSetConversionStatus, ImmGetRegisterWordStyleW, ImmNotifyIME, ImmGetCompositionFontW, ImmGetIMEFileNameA, ImmSetCompositionFontA, ImmGetCandidateListW, ImmGetImeMenuItemsW, ImmShowSoftKeyboard, ImmRequestMessageA, ImmGetCandidateWindow, ImmGetConversionListA, ImmSetCompositionFontW, ImmAssociateContextEx, ImmSetOpenStatus, ImmGetStatusWindowPos, ImmReleaseContext |
| ADVPACK.dll | ExecuteCab, GetVersionFromFile, RegSaveRestore, RegSaveRestoreOnINF, IsNTAdmin, FileSaveMarkNotExist, ExtractFiles, LaunchINFSectionEx, TranslateInfStringEx, FileSaveRestore, RunSetupCommand, SetPerUserSecValues, AddDelBackupEntry, NeedRebootInit, DoInfInstall |
| NTDLL.dll | NtReplyWaitReplyPort, RtlSetSecurityObject, RtlCheckRegistryKey, NtOpenSymbolicLinkObject, RtlInitializeCriticalSectionAndSpinCount, DbgUiConnectToDbg, NtSetIoCompletion, ZwDuplicateObject, ZwOpenEvent, ZwQueryKey, ZwSetSystemInformation, RtlAddAuditAccessAce, NtSetDefaultLocale, RtlLargeIntegerNegate, ZwOpenMutant, RtlSetUserFlagsHeap, RtlInitCodePageTable, RtlUpperString, RtlGetLongestNtPathLength, RtlDumpResource, ZwUnmapViewOfSection, NtCreateNamedPipeFile, NtFlushVirtualMemory, RtlPrefixUnicodeString, RtlFormatMessage, ZwSetInformationFile, ZwRegisterThreadTerminatePort, ZwCreateEvent, ZwSetIntervalProfile, NtAreMappedFilesTheSame, ZwQuerySemaphore, NtReadVirtualMemory |
| WINSTA.dll | _WinStationBreakPoint, WinStationServerPing, WinStationGetProcessSid, _WinStationWaitForConnect, WinStationTerminateProcess, WinStationDisconnect, WinStationConnectW, _WinStationReadRegistry, WinStationNameFromLogonIdW, WinStationQueryInformationW, WinStationQueryLicense, WinStationOpenServerW, WinStationEnumerateA, WinStationFreeMemory, _WinStationNotifyNewSession, _WinStationShadowTargetSetup, _WinStationNotifyLogon, WinStationReset, WinStationQueryInformationA, WinStationEnumerateLicenses, ServerGetInternetConnectorStatus, LogonIdFromWinStationNameW, WinStationOpenServerA, _WinStationCallback, WinStationRenameA |
| KERNEL32.dll | ExitProcess, _lwrite, IsDBCSLeadByteEx, ContinueDebugEvent, FindResourceExW, EnumResourceLanguagesW |
| SECUR32.dll | LsaLogonUser, EncryptMessage, AcquireCredentialsHandleW, EnumerateSecurityPackagesW, InitSecurityInterfaceW, LsaDeregisterLogonProcess, ExportSecurityContext, EnumerateSecurityPackagesA, SaslEnumerateProfilesA, SaslInitializeSecurityContextA, LsaUnregisterPolicyChangeNotification, CompleteAuthToken, InitializeSecurityContextA, FreeCredentialsHandle, LsaFreeReturnBuffer, SaslInitializeSecurityContextW, LsaCallAuthenticationPackage, SaslGetProfilePackageW, AcquireCredentialsHandleA, GetComputerObjectNameA, QuerySecurityPackageInfoW, GetComputerObjectNameW, QueryContextAttributesW, TranslateNameW |
| USER32.dll | ImpersonateDdeClientWindow |
| NETAPI32.dll | NetFileGetInfo, NetServerTransportEnum, NetMessageNameEnum, NetDfsEnum, NetWkstaUserEnum, NetQueryDisplayInformation, NetWkstaUserSetInfo, NetLocalGroupDel, NetReplSetInfo, NetConfigGetAll, NetGroupDelUser, NetUserEnum, NetUserModalsSet, NetAlertRaise, NetGroupEnum, I_BrowserQueryStatistics, NetUserSetGroups, NetLocalGroupSetInfo, NetLocalGroupDelMembers, NetLocalGroupEnum, NetDfsGetDcAddress, NetReplImportDirLock, NetWkstaTransportAdd, NetGroupDel, NetServerTransportDel, NetScheduleJobAdd, NetApiBufferAllocate, NetUserGetGroups, DsEnumerateDomainTrustsW |
| MSCMS.dll | GetColorProfileFromHandle, CheckBitmapBits, CreateProfileFromLogColorSpaceW, InternalGetPS2CSAFromLCS, InternalGetPS2PreviewCRD, SelectCMM, GetColorProfileElementTag, IsColorProfileValid, EnumColorProfilesA, GetPS2ColorSpaceArray, SetStandardColorSpaceProfileW, SetColorProfileElementSize, RegisterCMMA, GetPS2ColorRenderingDictionary, EnumColorProfilesW, GetColorDirectoryW, UninstallColorProfileW, UnregisterCMMA, SpoolerCopyFileEvent, IsColorProfileTagPresent, GetStandardColorSpaceProfileA, ConvertColorNameToIndex, OpenColorProfileA, SetColorProfileElement, GetColorDirectoryA, CreateColorTransformA, DisassociateColorProfileFromDeviceA, CreateProfileFromLogColorSpaceA |
| PDH.dll | PdhVbAddCounter, PdhGetDefaultPerfObjectA, PdhVbCreateCounterPathList, PdhBrowseCountersW, PdhGetRawCounterValue, PdhGetCounterInfoW, PdhGetFormattedCounterArrayA, PdhGetCounterInfoA, PdhVbGetCounterPathElements, PdhLookupPerfNameByIndexW, PdhOpenQueryA, PdhExpandCounterPathA, PdhParseInstanceNameW, PdhEnumObjectsA, PdhIsRealTimeQuery, PdhRemoveCounter, PdhCloseLog, PdhComputeCounterStatistics, PdhGetDataSourceTimeRangeA, PdhParseInstanceNameA, PdhUpdateLogFileCatalog, PdhEnumObjectItemsA, PdhVbIsGoodStatus, PdhSetQueryTimeRange, PdhCollectQueryData |
| WINSPOOL.drv | FindFirstPrinterChangeNotification, DeletePortA, EnumFormsA, PlayGdiScriptOnPrinterIC, QueryColorProfile, AddPrinterDriverA, EnumPrintersW, GetSpoolFileHandle, SetPortW, SetFormA, QueryRemoteFonts, DocumentPropertySheets, GetDefaultPrinterW, DeviceMode, SetPrinterDataExW, DeletePrinterDriverExA, OpenPrinterA, DeletePrinter, SetJobA, StartPagePrinter, SpoolerDevQueryPrintW, GetPrintProcessorDirectoryA, AddFormW, DeleteMonitorW, StartDocDlgA, AddPrinterDriverExW, EnumPortsW, FreePrinterNotifyInfo, DeletePrinterKeyA, DeletePrinterDataW, DevQueryPrint |
| SHLWAPI.dll | SHOpenRegStreamA, SHDeleteOrphanKeyA, PathStripPathA, PathIsSystemFolderW, SHEnumValueA, PathMakePrettyA, UrlCompareW, PathGetCharTypeW, SHRegCloseUSKey, StrFormatKBSizeA, SHEnumKeyExA, StrCatW, PathFileExistsW, StrNCatA, PathIsDirectoryW, StrFromTimeIntervalW, PathIsUNCA, PathAddExtensionA, PathSearchAndQualifyW, PathCommonPrefixW, SHQueryValueExA, PathRemoveBackslashA, StrCmpIW, ChrCmpIA, AssocQueryStringByKeyA, PathCommonPrefixA, StrSpnW, StrChrIW, StrStrIW, StrCmpW, SHDeleteOrphanKeyW |
| QUERY.dll | CICreateCommand, DoneCIPerformanceData, LocateCatalogsA, SetupCacheEx, BindIFilterFromStorage, InitializeCIPerformanceData, CIState, CITextToSelectTreeEx, CITextToFullTree, SetupCache, CITextToSelectTree, BeginCacheTransaction, SvcEntry_CiSvc, CollectCIISAPIPerformanceData, SetCatalogState, InitializeFILTERPerformanceData, CITextToFullTreeEx, BindIFilterFromStream, CIBuildQueryNode, InitializeCIISAPIPerformanceData, LoadTextFilter |
| MPR.dll | WNetGetUserW, WNetEnumResourceA, WNetGetUserA, WNetGetUniversalNameW, WNetGetConnectionA, WNetGetConnectionW, WNetEnumResourceW, WNetGetResourceParentA, WNetCancelConnectionA, WNetConnectionDialog, WNetGetResourceInformationW, WNetGetLastErrorW, WNetGetNetworkInformationA, WNetCancelConnection2W, WNetCancelConnectionW, WNetCancelConnection2A, WNetDisconnectDialog, WNetOpenEnumW, WNetAddConnection3A, WNetGetLastErrorA, WNetCloseEnum, WNetAddConnectionW, WNetOpenEnumA |
| CLUSAPI.dll | ClusterNetworkControl, GetClusterNetInterface, ClusterNetworkEnum, CreateClusterNotifyPort, CreateClusterGroup, ClusterResourceOpenEnum, ClusterRegEnumValue, ClusterRegCloseKey, RegisterClusterNotify, ClusterRegQueryInfoKey, GetClusterNetworkKey, GetClusterNodeId, ClusterOpenEnum, GetClusterGroupState, GetClusterNodeKey |
| WINMM.dll | mmioSetInfo, midiInReset, midiInGetErrorTextW, midiOutGetID, auxGetDevCapsW, mmioAscend, mciSendCommandA, midiOutGetErrorTextA, midiOutGetVolume, mmioAdvance, mixerGetControlDetailsA, mciGetDriverData, joyGetPosEx, NotifyCallbackData, midiDisconnect, DrvGetModuleHandle, SendDriverMessage, mixerMessage, mciDriverYield, waveOutGetPitch, joyConfigChanged, mmioSeek, PlaySoundA, waveOutGetErrorTextA, waveOutGetID, waveOutGetVolume, midiInGetErrorTextA, mixerClose, mciLoadCommandResource, joySetThreshold, waveInGetNumDevs, mixerGetLineControlsW |
Version Infos

| Description | Data |
|---|---|
| LegalCopyright | 1999 |
| InternalName | Obyhi |
| FileVersion | 4, 8, 2 |
| CompanyName | Max Secure Software www.maxpcsecure.com |
| LegalTrademarks | Ejecogu Vor Yjydo Efab Bam Ocadode Yzamop |
| ProductName | Avukab |
| ProductVersion | 4 |
| FileDescription | Yfak Ehocaqi Adimy |
| OriginalFilename | Gdgkcdowg.exe |
| Translation | 0x0409 0x04b0 |
Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | Australia |
Network Behavior

No network behavior found
Hooks - Code Manipulation Behavior

Statistics (charts: CPU Usage, Memory Usage, High Level Behavior Distribution)
System Behavior

General

| Field | Value |
|---|---|
| Start time: | 19:35:28 |
| Start date: | 10/03/2015 |
| Path: | C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe |
| Wow64 process (32bit): | false |
| Commandline: | unknown |
| Imagebase: | 0x755d0000 |
| File size: | 121856 bytes |
| MD5 hash: | D80E956259C858EACCB53C1AFFAF8141 |
Disassembly

Code Analysis

Execution Graph

| Field | Value |
|---|---|
| Execution Coverage: | 8.7% |
| Dynamic/Decrypted Code Coverage: | 99% |
| Signature Coverage: | 33% |
| Total number of Nodes: | 775 |
| Total number of Limit Nodes: | 2 |