
General Information

Analysis ID: 34483
Start time: 10:16:55
Start date: 22/08/2013
Overall analysis duration: 0h 3m 16s
Report type: full
Sample file name: 45c0598e3db3b7a0a194bf6de78c8454bca2b5895a1bc511665d0e22243397e4
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
HCA enabled: true
HCA success: true, ratio: 100%


Detection

Strategy    Detection    Index    Report FP/FN
Threshold   clean        0


Signature Overview

Data Obfuscation:

  • Binary may include packed or encrypted data
  • PE file contains an invalid checksum
  • PE sections with suspicious entropy found

System Summary:

  • Contains functionality to enumerate processes or threads

Anti Debugging:

  • Checks if the current process is being debugged
  • Contains functionality for execution timing, often used to detect debuggers
  • Program does not show much activity (idle)

Virtual Machine Detection:

  • Queries a list of all running processes
  • Program does not show much activity (idle)
  • Contains capabilities to detect virtual machines

Screenshot

Startup

  • system is xp
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:
File name: 45c0598e3db3b7a0a194bf6de78c8454bca2b5895a1bc511665d0e22243397e4
File size: 17920
MD5: cc9fab2465a279b9424da3a09df7c8d5
SHA1: de0fca6f868d48ccf6b5580301d73a44ebe07669
SHA256: 45c0598e3db3b7a0a194bf6de78c8454bca2b5895a1bc511665d0e22243397e4
SHA512: fdc478b37449ad98609fe311a86053ac107d1c76be6f2062386f0bed2696fff38675c80773693aac846e138d29238bd01f79d0d189aed66720fa1aba9fd07b29

Static PE Info

General
Entrypoint: 0x401b0e
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x520BC2BC [Wed Aug 14 17:47:40 2013 UTC]
TLS Callbacks:

Imports
DLL             Import
kernel32.dll    CloseHandle

Sections
Name      Virtual Address    Virtual Size    Raw Size    Entropy
.text     0x1000             0x41f2          0x4200      7.89478992105
.rdata    0x6000             0x54            0x200       0.597307255749

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

General
Start time: 09:49:58
Start date: 24/01/2012
Path: C:\45c0598e3db3b7a0a194bf6de78c8454bca2b5895a1bc511665d0e22243397e4.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 17920 bytes
MD5 hash: CC9FAB2465A279B9424DA3A09DF7C8D5

Disassembly

Code Analysis

    Executed Functions
    APIs
    • SetErrorMode.KERNEL32 ref: 00401B87
    • VirtualAlloc.KERNEL32 ref: 00401BAB
    • GetVolumeInformationA.KERNEL32 ref: 00401BDF
      • Part of subcall function 00401C0A: GetModuleHandleA.KERNEL32 ref: 00401C0F
      • Part of subcall function 00401C0A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401C3F
      • Part of subcall function 00401C0A: Process32First.KERNEL32(?,?), ref: 00401C58
      • Part of subcall function 00401C0A: Process32Next.KERNEL32(?,?), ref: 00401CFE
      • Part of subcall function 00401C0A: CloseHandle.KERNEL32(?), ref: 00401D0C
      • Part of subcall function 00401C0A: LoadLibraryA.KERNEL32 ref: 00401D4A
      • Part of subcall function 00401C0A: RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
      • Part of subcall function 00401C0A: RegCloseKey.ADVAPI32(?), ref: 00401E4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.653635290.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.653604917.00400000.00000002.sdmp
    • Associated: 00000000.00000002.653655057.00402000.00000080.sdmp
    • Associated: 00000000.00000002.653686326.00406000.00000002.sdmp
    APIs
    • GetModuleHandleA.KERNEL32 ref: 00401C0F
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401C3F
    • Process32First.KERNEL32(?,?), ref: 00401C58
    • Process32Next.KERNEL32(?,?), ref: 00401CFE
    • CloseHandle.KERNEL32(?), ref: 00401D0C
      • Part of subcall function 00401D20: LoadLibraryA.KERNEL32 ref: 00401D4A
      • Part of subcall function 00401D20: RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
      • Part of subcall function 00401D20: RegCloseKey.ADVAPI32(?), ref: 00401E4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.652144056.00401000.00000080.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.652122657.00400000.00000002.sdmp
    • Associated: 00000000.00000000.652176789.00406000.00000002.sdmp
    APIs
    • LoadLibraryA.KERNEL32 ref: 00401D4A
      • Part of subcall function 00401DD4: RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
      • Part of subcall function 00401DD4: RegCloseKey.ADVAPI32(?), ref: 00401E4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.652144056.00401000.00000080.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.652122657.00400000.00000002.sdmp
    • Associated: 00000000.00000000.652176789.00406000.00000002.sdmp
    APIs
    • RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
    • RegCloseKey.ADVAPI32(?), ref: 00401E4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.652144056.00401000.00000080.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.652122657.00400000.00000002.sdmp
    • Associated: 00000000.00000000.652176789.00406000.00000002.sdmp
    Non-executed Functions
    Strings
    Memory Dump Source
    • Source File: 00000000.00000000.652144056.00401000.00000080.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000000.652122657.00400000.00000002.sdmp
    • Associated: 00000000.00000000.652176789.00406000.00000002.sdmp