Overall analysis duration: 0h 2m 35s
Graph type: Execution Graph
Sample file name: virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe (renamed file extension from vir to exe)
Cookbook file name: default.jbs
Analysis system description: XP SP3, up to date 08.10.2013 (Office 2003 SP3, Java 1.7.0_25, Acrobat Reader 10.1.8, Flash 11.8.800.168, Internet Explorer 8.0.6001, Firefox 24, Chrome 30.0.1599.69)
Graph legend (icons): Key Decision, Not Executed, Signature Matched, Richest Path, Thread / callback entry, Thread / callback creation
Signature matches (source for every entry: C:\virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe)

Found API chain matching a thread downloading files from the Internet
- Internet file download: CreateThread, URLDownloadToFile
- USB drive infection routine: GetDriveType, CopyFile, SetFileAttributes

Found API chain indicative of termination of specific processes
- Termination of specific process: EnumWindows, GetWindowText, GetCurrentProcessId, OpenProcess, TerminateProcess
- Termination of specific process: CreateThread, CreateToolhelp32Snapshot, OpenProcess, TerminateProcess

Malware Analysis System Evasion:
- Evasive API call chain: RegOpenKey, ..., DecisionNode, Sleep
- Evasive API call chain: GetSystemTime, DecisionNodes, ExitProcess
- Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep

Found decision node followed by non-executed suspicious APIs
- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
- API coverage: 5.7 %
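The API-chain signatures above are ordered sequences of calls, with the "..." standing for any calls in between, and a chain such as "CreateThread, URLDownloadToFile" is allowed to continue in the thread that CreateThread starts. The following matcher is an added example, not Joe Sandbox code: it reuses the API sequences listed in this report, but the trace format ("tid API [-> spawned tid]") and the trace contents are constructed for the illustration.

```python
"""Ordered API-chain matching over a constructed API call trace.

Added example, not Joe Sandbox code. The chain definitions reuse the API
sequences listed in the report above; the trace format and its contents are
constructed for this illustration.
"""
from collections import defaultdict

# Signature name -> ordered API sequence taken from the report. The report's
# "..." (any calls in between) is implied by ordered-subsequence matching.
API_CHAINS = {
    "Internet file download": ["CreateThread", "URLDownloadToFile"],
    "USB drive infection routine": ["GetDriveType", "CopyFile", "SetFileAttributes"],
    "Termination of specific process (window title)": [
        "EnumWindows", "GetWindowText", "GetCurrentProcessId", "OpenProcess", "TerminateProcess"],
    "Termination of specific process (snapshot)": [
        "CreateThread", "CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"],
}

# Constructed trace: "<thread id> <API> [-> <spawned thread id>]".
TRACE = """
100 RegOpenKey
100 GetModuleFileName
100 Sleep
100 CreateThread -> 101
100 GetDriveType
100 CopyFile
100 SetFileAttributes
101 URLDownloadToFile
101 WinExec
100 CreateThread -> 102
102 CreateToolhelp32Snapshot
102 OpenProcess
102 TerminateProcess
""".splitlines()


def parse_trace(lines):
    """Build {tid: [(api, spawned_tid_or_None), ...]} in call order."""
    flow = defaultdict(list)
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        tid, api = int(parts[0]), parts[1]
        child = int(parts[3]) if len(parts) >= 4 and parts[2] == "->" else None
        flow[tid].append((api, child))
    return flow


def match_chain(flow, tid, chain, idx=0):
    """True if `chain` occurs as an ordered subsequence of the calls of `tid`,
    where a thread-creation edge lets the match continue in the new thread
    (this is how "CreateThread, URLDownloadToFile" spans two threads)."""
    for api, child in flow.get(tid, []):
        if api == chain[idx]:
            idx += 1
            if idx == len(chain):
                return True
        if child is not None and match_chain(flow, child, chain, idx):
            return True
    return False


def scan_trace(lines, root_tid):
    """Names of all chains matched starting from the process's main thread."""
    flow = parse_trace(lines)
    return sorted(name for name, chain in API_CHAINS.items()
                  if match_chain(flow, root_tid, chain))


if __name__ == "__main__":
    for name in scan_trace(TRACE, 100):
        print("matched:", name)
```

On the constructed trace the download, USB-infection and snapshot-based termination chains match, while the window-title termination chain does not because no EnumWindows call occurs; a chain whose tail lives in a thread that never made the call (CreateThread with an empty child) is correctly rejected.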
Graph for Process: virussign.com_0af4ef5069f47a371a0caf22ae2006a6.exe (PID: 1188, Parent PID: 736)
Dynamic/Decrypted Code Coverage: 0%
Total number of Nodes: 322
Total number of Limit Nodes: 2
Execution Graphs are highly condensed control flow graphs which give the user a synthetic view of the code detected during Hybrid Code Analysis. They include additional runtime information such as the execution status, which is highlighted with different colors and shapes.

Legend:
- Program entry point, most likely the entry point of the PE file.
- Key Decision: a code location where a decision has been made to avoid execution of potentially malicious behavior.
- Dynamic / Decrypted: code which has been generated at runtime, often referred to as unpacked or self-modifying code.
- Unpacker / Decrypter: code section which is responsible for unpacking or decrypting a portion of dynamic code.
- Code which has been executed at runtime.
- Not Executed: code which has not been executed at runtime.
- Code for which it is unknown if it has been executed or not at runtime.
- Signature Matched: code which matches a behavioral signature.
- Richest Path: path through the execution graph which shows a lot of behavior (e.g. with respect to called API functions).
- Thread / callback entry: code corresponding to a thread or callback entry point.
- Thread / callback creation: edges denoting either a thread creation (e.g. using CreateThread) or a callback registration (e.g. EnumWindows).
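Three of the figures in this report derive directly from the graph described by the legend: the API coverage percentage, the "decision node followed by non-executed suspicious API" signature, and the richest path. The code below is an added example, not Joe Sandbox code, showing one way to compute each of them over a small graph. The node and edge structure is constructed for the illustration (a six-node acyclic graph in which a GetSystemTime check selects either a never-executed download/WinExec branch or the executed Sleep/ExitProcess branch); how the real tool weights its coverage figure is not stated on this page, so the coverage here is simply executed API call sites over all API call sites.

```python
"""Execution-graph checks: API coverage, decision nodes hiding non-executed
suspicious APIs, and the richest path.

Added example, not Joe Sandbox code. Node statuses follow the legend above;
the graph itself is constructed (a small acyclic CFG) for this illustration.
"""
from dataclasses import dataclass

# APIs the report flags when they sit behind a decision node and never ran.
SUSPICIOUS_NON_EXECUTED = {"send", "recv", "WinExec"}


@dataclass
class Node:
    nid: int
    apis: list              # API calls made by this block of code
    executed: bool          # Executed vs. Not Executed in the legend
    decision: bool = False  # Key Decision: a branch that can avoid behavior


# Constructed graph: entry -> GetSystemTime check -> either the never-executed
# download/WinExec branch or the executed Sleep/ExitProcess branch.
NODES = {n.nid: n for n in [
    Node(0, ["GetModuleFileName"], executed=True),
    Node(1, ["GetSystemTime"], executed=True, decision=True),
    Node(2, ["URLDownloadToFile", "CreateThread"], executed=False),
    Node(3, ["Sleep"], executed=True),
    Node(4, ["WinExec"], executed=False),
    Node(5, ["ExitProcess"], executed=True),
]}
EDGES = {0: [1], 1: [2, 3], 2: [4], 3: [5]}


def api_coverage(nodes):
    """Percentage of API call sites that were actually executed."""
    total = sum(len(n.apis) for n in nodes.values())
    done = sum(len(n.apis) for n in nodes.values() if n.executed)
    return 100.0 * done / total if total else 0.0


def hidden_suspicious_apis(nodes, edges):
    """(decision node, non-executed node, APIs) triples where an executed
    decision node leads, through non-executed code only, to send/recv/WinExec."""
    hits = []
    for dn in nodes.values():
        if not (dn.decision and dn.executed):
            continue
        stack, seen = list(edges.get(dn.nid, [])), set()
        while stack:
            nid = stack.pop()
            if nid in seen:
                continue
            seen.add(nid)
            node = nodes[nid]
            if node.executed:
                continue  # executed code is not "hidden" behind the decision
            found = sorted(SUSPICIOUS_NON_EXECUTED & set(node.apis))
            if found:
                hits.append((dn.nid, nid, found))
            stack.extend(edges.get(nid, []))
    return hits


def richest_path(nodes, edges, entry):
    """(API count, path) for the path from `entry` with the most API calls.
    Assumes an acyclic graph; a real CFG with loops needs a revisit bound."""
    memo = {}

    def best(nid):
        if nid not in memo:
            tail = max((best(s) for s in edges.get(nid, [])),
                       key=lambda t: t[0], default=(0, []))
            memo[nid] = (len(nodes[nid].apis) + tail[0], [nid] + tail[1])
        return memo[nid]

    return best(entry)


if __name__ == "__main__":
    print(f"API coverage: {api_coverage(NODES):.1f} %")
    print("hidden suspicious APIs:", hidden_suspicious_apis(NODES, EDGES))
    print("richest path:", richest_path(NODES, EDGES, 0))
```

On the constructed graph the decision at node 1 is reported because the non-executed branch below it reaches WinExec, which mirrors the report's "DecisionNode, Non Executed (send or recv or WinExec)" finding; the richest path runs through that same non-executed branch, which is why a low coverage figure such as the 5.7 % above is worth treating as a sign of unobserved behavior rather than of a benign sample.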