Analysis Report evatest2.exe

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 881802
Start date: 11.06.2019
Start time: 14:48:08
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: evatest2.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: SUS
Classification: sus25.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 25    | 0 - 100 | Report FP / FN | false       | suspicious

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false


Classification

Mitre Att&ck Matrix

Techniques listed per tactic (numbers in parentheses are the counts shown in the matrix):

  • Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
  • Execution: Execution through API (1); Service Execution; Windows Management Instrumentation
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
  • Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
  • Defense Evasion: Software Packing (1); Obfuscated Files or Information (1); Rootkit
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture
  • Discovery: System Time Discovery (1); Security Software Discovery (2); System Information Discovery (1 1)
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
  • Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 0.0.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.evatest2.exe.1090000.0.unpack | Joe Sandbox ML: detected

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091C99
Yara signature match
Source: evatest2.exe, type: SAMPLE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000001.1662073315.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.1671247806.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000000.1660532969.01090000.00000002.sdmp, type: MEMORY | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.evatest2.exe.1090000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.evatest2.exe.1090000.0.unpack, type: UNPACKEDPE | Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Classification label
Source: classification engine | Classification label: sus25.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: evatest2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\evatest2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Submission file is bigger than most known malware samples
Source: evatest2.exe | Static file information: File size 6677504 > 1048576
PE file has a big raw section
Source: evatest2.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x651200
PE file contains a mix of data directories often seen in goodware
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: evatest2.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: evatest2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\UnTroueCunTroueKhouya\Release\UnTroueCunTroueKhouya.pdb source: evatest2.exe
PE file contains a valid data directory to section mapping
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: evatest2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010922A5 push ecx; ret 0_2_010922B8

Malware Analysis System Evasion:

Country aware sample found (crashes after keyboard check)
Source: c:\users\user\desktop\evatest2.exe | Event Logs and Signature results: Application crash and keyboard check
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\evatest2.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 09h and CTI: je 01091023h country: English (en)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: jne 0109102Dh country: Russian (ru)

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\evatest2.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\evatest2.exe | Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01091000 OutputDebugStringW,GetKeyboardLayout,lstrlenA,lstrlenA,_malloc,GetModuleHandleA,GetProcAddress,_malloc,VirtualProtect,LoadLibraryA,GetProcAddress
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01093B64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_0109120D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010960B7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_01096D2C GetLocaleInfoA
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\evatest2.exe | Code function: 0_2_010938DB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

Behavior Graph

Behavior Graph ID: 881802 | Sample: evatest2.exe | Start date: 11/06/2019 | Architecture: WINDOWS | Score: 25
Graph contents: process evatest2.exe (started); attached signatures: Country aware sample found (crashes after keyboard check); Antivirus or Machine Learning detection for unpacked file.

Simulations

Behavior and APIs

Time     | Type            | Description
14:50:07 | API Interceptor | 274x Sleep call for process: evatest2.exe modified

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                             | Detection | Scanner        | Label
0.0.evatest2.exe.1090000.0.unpack  | 100%      | Joe Sandbox ML |
0.1.evatest2.exe.1090000.0.unpack  | 100%      | Joe Sandbox ML |
0.2.evatest2.exe.1090000.0.unpack  | 100%      | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source       | Rule        | Description | Author
evatest2.exe | Embedded_PE | unknown     | unknown

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source                                              | Rule        | Description | Author
00000000.00000001.1662073315.01090000.00000002.sdmp | Embedded_PE | unknown     | unknown
00000000.00000002.1671247806.01090000.00000002.sdmp | Embedded_PE | unknown     | unknown
00000000.00000000.1660532969.01090000.00000002.sdmp | Embedded_PE | unknown     | unknown

Unpacked PEs

Source                                 | Rule        | Description | Author
0.1.evatest2.exe.1090000.0.raw.unpack  | Embedded_PE | unknown     | unknown
0.2.evatest2.exe.1090000.0.raw.unpack  | Embedded_PE | unknown     | unknown
0.0.evatest2.exe.1090000.0.raw.unpack  | Embedded_PE | unknown     | unknown
0.0.evatest2.exe.1090000.0.unpack      | Embedded_PE | unknown     | unknown
0.1.evatest2.exe.1090000.0.unpack      | Embedded_PE | unknown     | unknown
0.2.evatest2.exe.1090000.0.unpack      | Embedded_PE | unknown     | unknown

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.