
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:450586
Start time:10:50:59
Joe Sandbox Product:Cloud
Start date:05.12.2017
Overall analysis duration:0h 4m 9s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:uRL6wUtNbn.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.3% (good quality ratio 56.9%)
  • Quality average: 40.6%
  • Quality standard deviation: 41.9%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, WmiApSrv.exe, WerFault.exe, WMIADAP.exe, dllhost.exe


Detection

Strategy:Threshold
Score:48
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious


Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: uRL6wUtNbn.exe | virustotal: Detection: 74%

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00406773 push 86005701h; ret 1_2_00406778
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_0040633C pushad ; ret 1_2_0040634B
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00403177 push eax; ret 1_2_00403194
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00401000 push eax; retf 1_2_00401078
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00406060 push 0000000Fh; ret 1_2_0040606B
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00401741 push edi; iretd 1_2_004017B3
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_0040491A push ecx; retn 0000h 1_2_00404941
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00405347 push 00000057h; ret 1_2_00405377
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_00401036 push eax; retf 1_2_00401078
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Code function: 1_2_004048CC push ecx; ret 1_2_004048DC

System Summary:

Classification label
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: uRL6wUtNbn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: uRL6wUtNbn.exe | Virustotal: hash found
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: uRL6wUtNbn.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: uRL6wUtNbn.exe | Binary or memory string: Progman
Source: uRL6wUtNbn.exe | Binary or memory string: Program Manager
Source: uRL6wUtNbn.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Process queried: DebugPort
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe | Thread delayed: delay time: 30000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3444 | Thread sleep time: -600s >= -60s
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3436 | Thread sleep time: -30000s >= -60s
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3444 | Thread sleep time: -100s >= -60s
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Simulations

Behavior and APIs

Time:10:53:18
Type:API Interceptor
Description:1x Sleep call for process: uRL6wUtNbn.exe modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

Source:uRL6wUtNbn.exe
Detection:75%
Cloud:virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot