Joe Sandbox Desktop - Analysis Report 34362

Loading ...

General Information

Analysis ID:	34362
Start time:	15:53:33
Start date:	19/08/2013
Overall analysis duration:	0h 3m 49s
Report type:	full
Sample file name:	cc9fab2465a279b9424da3a09df7c8d5_undefined.exe
Cookbook file name:	Do not randomize VM detection artifacts.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 66%

Detection

Strategy	Detection	Index	Report FP/FN
Threshold	malicious	0.040

Signature Overview

Boot Survival:

Creates an autostart registry key			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched

Remote Access Functionality:

Opens a port and listens for incoming connection (possibly a backdoor)			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Socket bind: port: 8000

Persistence and Installation Behavior:

Drops PE files			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	File created: C:\Documents and Settings\All Users\svchost.exe
Drops PE files to the user directory (C:\Documents and Settings\)			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	File created: C:\Documents and Settings\All Users\svchost.exe

Data Obfuscation:

Binary may include packed or encrypted data			Show sources
Source: initial sample	Static PE information: section name: .text entropy: 7.89478992105
PE file contains an invalid checksum			Show sources
Source: initial sample	Static PE information: real checksum: 0x0 should be: 0x140ee
PE sections with suspicious entropy found			Show sources
Source: initial sample	Static PE information: section name: .text entropy: 7.89478992105 raw section size: 0x4200

Spreading:

Contains functionality to enumerate / list files inside a directory			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Code function: 0_2_00401878 FindFirstFileA,FindNextFileA,LoadLibraryA,FindClose,		0_2_00401878

System Summary:

Creates files inside the user directory			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	File created: C:\Documents and Settings\All Users\svchost.exe

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Code function: 0_2_00401DD4 rdtsc		0_2_00401DD4
Found dropped PE file which has not been started or loaded			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Dropped PE file which has not been started: C:\Documents and Settings\All Users\svchost.exe

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Code function: 0_2_00401878 FindFirstFileA,FindNextFileA,LoadLibraryA,FindClose,		0_2_00401878
Queries a list of all running processes			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Process information queried: ProcessInformation
Contains capabilities to detect virtual machines			Show sources
Source: C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0

Screenshot

Startup

system is xp

cc9fab2465a279b9424da3a09df7c8d5_undefined.exe (PID: 1840 MD5: CC9FAB2465A279B9424DA3A09DF7C8D5)

cleanup

Created / dropped Files

File Path	Hashes
C:\Documents and Settings\All Users\svchost.exe	MD5: CC9FAB2465A279B9424DA3A09DF7C8D5 SHA: DE0FCA6F868D48CCF6B5580301D73A44EBE07669 SHA-256: 45C0598E3DB3B7A0A194BF6DE78C8454BCA2B5895A1BC511665D0E22243397E4 SHA-512: FDC478B37449AD98609FE311A86053AC107D1C76BE6F2062386F0BED2696FFF38675C80773693AAC846E138D29238BD01F79D0D189AED66720FA1ABA9FD07B29

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:	Users\admin\Desktop\34362\sample/cc9fab2465a279b9424da3a09df7c8d5_undefined.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name:	cc9fab2465a279b9424da3a09df7c8d5_undefined.exe
File size:	17920
MD5:	cc9fab2465a279b9424da3a09df7c8d5
SHA1:	de0fca6f868d48ccf6b5580301d73a44ebe07669
SHA256:	45c0598e3db3b7a0a194bf6de78c8454bca2b5895a1bc511665d0e22243397e4
SHA512:	fdc478b37449ad98609fe311a86053ac107d1c76be6f2062386f0bed2696fff38675c80773693aac846e138d29238bd01f79d0d189aed66720fa1aba9fd07b29

Static PE Info

General
Entrypoint:	0x401b0e
Entrypoint Section:	.text
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x520BC2BC [Wed Aug 14 17:47:40 2013 UTC]
TLS Callbacks:

Imports

DLL	Import
kernel32.dll	CloseHandle

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
.text	0x1000	0x41f2	0x4200	7.89478992105
.rdata	0x6000	0x54	0x200	0.597307255749

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

Analysis Process: cc9fab2465a279b9424da3a09df7c8d5_undefined.exe PID: 1840 Parent PID: 964

General

Start time:	09:49:58
Start date:	24/01/2012
Path:	C:\cc9fab2465a279b9424da3a09df7c8d5_undefined.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	17920 bytes
MD5 hash:	CC9FAB2465A279B9424DA3A09DF7C8D5

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: cc9fab2465a279b9424da3a09df7c8d5_undefined.exe PID: 1840 Parent PID: 964

Executed Functions

Function 00401DD4, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 63

APIs

RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
RegCloseKey.ADVAPI32(?), ref: 00401E4B

Strings

vmwa, xrefs: 00401E4E
vbox, xrefs: 00401E5A
qemu, xrefs: 00401E66
Ph7$@, xrefs: 00401E95

Memory Dump Source

Source File: 00000000.00000002.1116336410.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1116323972.00400000.00000002.sdmp
Associated: 00000000.00000002.1116349927.00403000.00000080.sdmp
Associated: 00000000.00000002.1116365858.00406000.00000002.sdmp

Function 00401878, Relevance: 7.7, APIs: 4, Instructions: 135

APIs

FindFirstFileA.KERNEL32 ref: 00401998
FindNextFileA.KERNEL32 ref: 004019AD
LoadLibraryA.KERNEL32(?), ref: 004019EE
FindClose.KERNEL32(?), ref: 00401A07

Memory Dump Source

Source File: 00000000.00000002.1116336410.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1116323972.00400000.00000002.sdmp
Associated: 00000000.00000002.1116349927.00403000.00000080.sdmp
Associated: 00000000.00000002.1116365858.00406000.00000002.sdmp

Function 7FFA00A0, Relevance: 7.6, Strings: 6, Instructions: 126

Strings

%ALLUSERSPROFILE%\svchost.exe, xrefs: 7FFA00F4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 7FFA012F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 7FFA014E
SunJavaUpdateSched, xrefs: 7FFA0173
D, xrefs: 7FFA0205
cmd.exe, xrefs: 7FFA0236

Memory Dump Source

Source File: 00000000.00000002.1116938755.7FFA0000.00000040.sdmp, Offset: 7FFA0000, based on PE: false

Non-executed Functions

Function 00401DC9, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 67

APIs

RegQueryValueExA.ADVAPI32(?,A9290135,?,B039ADFE,?,C13A7AD3), ref: 00401E23
RegCloseKey.ADVAPI32(?), ref: 00401E4B

Strings

vmwa, xrefs: 00401E4E
vbox, xrefs: 00401E5A
qemu, xrefs: 00401E66
Ph7$@, xrefs: 00401E95

Memory Dump Source

Source File: 00000000.00000000.653846084.00401000.00000080.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000000.653825209.00400000.00000002.sdmp
Associated: 00000000.00000000.653876204.00406000.00000002.sdmp