Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:450586
Start time:10:50:59
Joe Sandbox Product:Cloud
Start date:05.12.2017
Overall analysis duration:0h 4m 9s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:uRL6wUtNbn.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection:MAL
Classification:mal48.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.3% (good quality ratio 56.9%)
  • Quality average: 40.6%
  • Quality standard deviation: 41.9%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, WmiApSrv.exe, WerFault.exe, WMIADAP.exe, dllhost.exe


Detection

Strategy     Score    Range      Detection
Threshold    48       0 - 100    malicious


Confidence

Strategy     Score    Range    Further Analysis Required?
Threshold    5        0 - 5    false


Classification

Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: uRL6wUtNbn.exe; virustotal: Detection: 74%

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00406773 push 86005701h; ret 1_2_00406778
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_0040633C pushad ; ret 1_2_0040634B
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00403177 push eax; ret 1_2_00403194
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00401000 push eax; retf 1_2_00401078
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00406060 push 0000000Fh; ret 1_2_0040606B
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00401741 push edi; iretd 1_2_004017B3
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_0040491A push ecx; retn 0000h 1_2_00404941
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00405347 push 00000057h; ret 1_2_00405377
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_00401036 push eax; retf 1_2_00401078
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Code function: 1_2_004048CC push ecx; ret 1_2_004048DC

System Summary:

Classification label
Source: classification engine; Classification label: mal48.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: uRL6wUtNbn.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: uRL6wUtNbn.exe; Virustotal: hash found
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: uRL6wUtNbn.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: uRL6wUtNbn.exe; Binary or memory string: Progman
Source: uRL6wUtNbn.exe; Binary or memory string: Program Manager
Source: uRL6wUtNbn.exe; Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Process queried: DebugPort
Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe; Thread delayed: delay time: 30000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3444; Thread sleep time: -600s >= -60s
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3436; Thread sleep time: -30000s >= -60s
Source: C:\Users\user\Desktop\uRL6wUtNbn.exe TID: 3444; Thread sleep time: -100s >= -60s
Program does not show much activity (idle)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Simulations

Behavior and APIs

Time        Type               Description
10:53:18    API Interceptor    1x Sleep call for process: uRL6wUtNbn.exe modified from: 30000ms to: 500ms

Antivirus Detection

Initial Sample

Source            Detection    Cloud Link
uRL6wUtNbn.exe    75%          virustotal

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Startup

  • System is w7_1
  • uRL6wUtNbn.exe (PID: 3432 cmdline: 'C:\Users\user\Desktop\uRL6wUtNbn.exe' MD5: 52540F430C060A7E5753C999891514A1)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:uRL6wUtNbn.exe
File size:80384
MD5:52540f430c060a7e5753c999891514a1
SHA1:041ffae5b7aeb43377ce81b63a9a6ef8ab832d5f
SHA256:256946520472b89a39e066ff88560a8c1967fd1d46ba888129856046c5a012be
SHA512:3a437b0ab306a31b0e12d1086a5cdf5bff3c209f376d5833b33b510c06c15ea1612628a23e9a585bd485f3c3dd82a69126235b7cccf3e681af343f36f4750739
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,v.{B%.{B%.{B%..,%.{B%..:%.{B%Rich.{B%........PE..L......Y.....................b....................@........................

Static PE Info

General

Entrypoint:0x408bd1
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:NO_SEH
Time Stamp:0x59A1C217 [Sat Aug 26 18:46:47 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:128ba6233557df307ea00583ae9ec636

Entrypoint Preview

Instruction
call 00007F526D3FA471h
push eax
call 00007F526D3FA3F4h
jmp dword ptr [0040F048h]
jmp dword ptr [0040F028h]
jmp dword ptr [0040F04Ch]
jmp dword ptr [0040F038h]
jmp dword ptr [0040F010h]
test dword ptr [esi+edi*8+7589FEFEh], edi
and al, 04h
jne 00007F526D3FA425h
add byte ptr [esi-39h], ah
add byte ptr [ebp-77h], al
mov dword ptr [eax], F7FF0B00h
or byte ptr [esi+7BC78945h], dh
shr dword ptr [eax+78h], 45h
pop ebx
add byte ptr [esi-76h], ah
pcmpgtd mm4, mm1
or byte ptr [esp+eax*4+66082FC7h], al

Data Directories

Name                                    Virtual Address    Virtual Size    Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT            0x0                0x0
IMAGE_DIRECTORY_ENTRY_IMPORT            0xf178             0xb4            .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE          0x0                0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION         0x0                0x0
IMAGE_DIRECTORY_ENTRY_SECURITY          0x0                0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC         0x0                0x0
IMAGE_DIRECTORY_ENTRY_DEBUG             0x0                0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT         0x0                0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR         0x0                0x0
IMAGE_DIRECTORY_ENTRY_TLS               0x0                0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       0x0                0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      0x0                0x0
IMAGE_DIRECTORY_ENTRY_IAT               0x0                0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      0x0                0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    0x0                0x0
IMAGE_DIRECTORY_ENTRY_RESERVED          0x0                0x0

Sections

Name      Virtual Address    Virtual Size    Raw Size    Xored PE    ZLIB Complexity    File Type    Entropy          Characteristics
.text     0x1000             0xd2e2          0xd400      False       0.826650943396     data         6.53318347591    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0xf000             0xa0d           0xc00       False       0.438802083333     data         4.64008190649    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x10000            0x54e9          0x5600      False       0.768577398256     data         5.53777830882    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL: Imports
KERNEL32.DLL: SystemTimeToFileTime, VirtualLock, InitializeCriticalSection, GetAtomNameW, Sleep, GetVersionExA, GetEnvironmentVariableW, GetCPInfo, SetCurrentDirectoryW, GlobalReAlloc, GetCommandLineW, GetOEMCP, GetUserDefaultUILanguage, GetCurrentProcessId, GetProcAddress, SetConsoleCtrlHandler, WriteFile, InterlockedExchangeAdd, CreateThread, GetModuleHandleA, GetPrivateProfileStringW
USER32.DLL: GetTopWindow, TranslateAcceleratorW, DrawEdge, WaitForInputIdle, UpdateWindow, GetKeyState, CharLowerBuffW, WindowFromDC, GetWindowRgnBox, GetDlgItemTextW, LoadCursorFromFileW, SetDlgItemInt, wsprintfW, SendMessageW, CopyIcon, MapWindowPoints, GetWindowRgn, AppendMenuW, OemToCharBuffW, DrawStateW, GetNextDlgGroupItem, TrackPopupMenu, IsWindow, ValidateRgn, IsMenu, GetQueueStatus, IsDialogMessageW, ScrollDC, LoadBitmapW, OpenClipboard, GetPropW, GetOpenClipboardWindow
SHELL32.DLL: SHGetFileInfoW, DragFinish
GDI32.DLL: EndPage, CreateDCW, AngleArc, DeleteObject, SetWindowExtEx, RealizePalette, RectInRegion, CreatePolygonRgn, OffsetWindowOrgEx, SetBitmapDimensionEx, ExtTextOutW, BeginPath, SetPixelV, SelectClipRgn, GetViewportExtEx, GetObjectType, SetColorAdjustment, SelectClipPath
ADVAPI32.DLL: CryptReleaseContext, RegDeleteKeyW, RegEnumValueW
OLE32.DLL: CLSIDFromString, StringFromGUID2, CreateBindCtx, CoCreateInstance
COMDLG32.DLL: GetSaveFileNameW, GetOpenFileNameW, ChooseFontW
SHLWAPI.DLL: PathRemoveExtensionW, PathIsUNCW, PathFindExtensionW

Network Behavior

No network behavior found


System Behavior

General

Start time:10:53:17
Start date:05/12/2017
Path:C:\Users\user\Desktop\uRL6wUtNbn.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\uRL6wUtNbn.exe'
Imagebase:0x77390000
File size:80384 bytes
MD5 hash:52540F430C060A7E5753C999891514A1
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:3.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:0%
    Total number of Nodes:8
    Total number of Limit Nodes:0

    Executed Functions

    Control-flow Graph

    control_flow_graph 0 408b6b-408bce CreateThread Sleep
    C-Code - Quality: 100%
    E00408B6B() {
        void _v8;
        void* _v12;
        unsigned int _v16;
        void* _t23;

        _v8 = 0;                                            // tick counter, advanced by the worker thread
        _t23 = CreateThread(0, 0, E00408B56,  &_v8, 0, 0); // executed; E00408B56 increments _v8 every 100 ms
        _v12 = _t23;
        _v16 = 0x4e20;                                      // 20000
        Sleep((_v16 >> 1) + _v16); // executed; 30000 ms, the long sleep flagged in the signature section
        // Timing check: after a real 30 s sleep the counter is about 300, so _v8 * 0x64 / _v16 == 1 and
        // the call target is 0x40b917 + 0x247c - 0x54d9 = 0x4088ba, i.e. E004088BA (listed below as not
        // executed). With the Sleep shortened to 500 ms by the API Interceptor the quotient is 0 and the
        // computed address differs, so the function is handed the thread handle from a different location.
        return  *((intOrPtr*)(0x40b917 + _v8 * 0x64 / _v16 * 0x247c - 0x54d9))(_v12);
    }


    APIs
    • CreateThread.KERNEL32(00000000,00000000,00408B56,00000000,00000000,00000000), ref: 00408B89
    • Sleep.KERNEL32(00004E20), ref: 00408BA1
    Memory Dump Source
    • Source File: 00000001.00000002.776607173.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000001.00000002.776598893.00400000.00000002.sdmp
    • Associated: 00000001.00000002.776616726.0040F000.00000002.sdmp
    • Associated: 00000001.00000002.776625438.00410000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_400000_uRL6wUtNbn.jbxd

    Control-flow Graph

    control_flow_graph 2 408bd1-408bdc GetCommandLineW call 408b6b
    APIs
    • GetCommandLineW.KERNEL32 ref: 00408BD1
      • Part of subcall function 00408B6B: CreateThread.KERNEL32(00000000,00000000,00408B56,00000000,00000000,00000000), ref: 00408B89
      • Part of subcall function 00408B6B: Sleep.KERNEL32(00004E20), ref: 00408BA1

    Control-flow Graph

    control_flow_graph 5 408b56-408b57 6 408b59-408b65 Sleep 5->6 6->6
    C-Code - Quality: 100%
    E00408B56(intOrPtr* _a4) {

        L1:
         *_a4 =  *_a4 + 1;   // _a4 points at the tick counter in E00408B6B's frame
        Sleep(0x64); // executed; 100 ms per tick, looping until the thread is terminated
        goto L1;
    }



    Non-executed Functions

    Control-flow Graph

    control_flow_graph 7 4088ba-4089ec GetModuleHandleA GetProcAddress * 3
    C-Code - Quality: 58%
    E004088BA(intOrPtr _a4) {                               // _a4: handle of the tick thread created in E00408B6B
        intOrPtr _v0;
        char _v8;
        intOrPtr _v12;
        intOrPtr _v16;
        intOrPtr _v20;
        intOrPtr _v24;
        intOrPtr _v28;
        intOrPtr _v32;
        intOrPtr _v36;
        intOrPtr _v40;
        void _v552;
        struct HINSTANCE__* _v556;
        _Unknown_base(*)()* _v560;
        _Unknown_base(*)()* _v564;
        void* _v568;
        _Unknown_base(*)()* _t32;
        void* _t38;
        CHAR* _t54;
        CHAR* _t55;
        CHAR* _t56;

        // 0x401000 is the start of .text; 0x40a4c9 - 0x401000 + 0x3e19 = 0xd2e2 is exactly its virtual size.
        _v12 = E00401000;
        _v16 = 0x9500;
        _v32 = E004088BA;
        _v36 = 0x340;
        _v40 = 0x40a500;
        _v24 = 0x40a4c9;
        _v28 = 0x3e19;
        _v20 = _v24 - _v12 + _v28;
        _v0 = 0x406114;
        // The dword constants below are stack strings (little-endian ASCII): 0x6e72654b 0x32336c65 0x6c6c642e
        // = "Kernel32.dll"; 0x6d726554 0x74616e69 0x72685465 0x646165 = "TerminateThread";
        // 0x74726956 0x506c6175 0x65746f72 0x7463 = "VirtualProtect"; 0x74726956 0x416c6175 0x636f6c6c = "VirtualAlloc".
        // The decompiler shows them as extra call arguments because they are pushed right before each call.
        _v556 = GetModuleHandleA(_t54);                     // "Kernel32.dll"
        _t55 =  &(_t54[0x10]);
        _t32 = GetProcAddress(_v556, _t55);                 // "TerminateThread" (ref 00408942)
         *_t32(_a4, 0, 0x6d726554, 0x74616e69, 0x72685465, 0x646165, 0x6e72654b, 0x32336c65, 0x6c6c642e, 0); // TerminateThread(tick thread, 0)
        _t56 =  &(_t55[0x10]);
        _v560 = GetProcAddress(_v556, _t56);                // "VirtualProtect" (ref 0040896C)
        _v564 = GetProcAddress(_v556,  &(_t56[0x10]));      // "VirtualAlloc" (ref 00408992)
        _v560(_v12, _v20, 0x40,  &_v8, 0x74726956, 0x416c6175, 0x636f6c6c, 0, 0x74726956, 0x506c6175, 0x65746f72, 0x7463); // VirtualProtect(.text, 0xd2e2, PAGE_EXECUTE_READWRITE, &old)
        _t38 = _v564(0, 0x62, 0x1000, 0x40);                // VirtualAlloc(NULL, 0x62, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        _v568 = _t38;
        memcpy(_t38, 0x4089f4, 0x62);                       // copy 0x62 bytes following this function into the RWX buffer
        memcpy( &_v552, 0x408a56, 0x100);                   // copy 0x100 bytes onto the stack
        goto _v568;                                         // transfer control to the buffer (next stage; not reached in this run)
    }


    APIs
    • GetModuleHandleA.KERNEL32(?,6E72654B,32336C65,6C6C642E,00000000), ref: 00408919
    • GetProcAddress.KERNEL32(?,?,6D726554,74616E69,72685465,00646165), ref: 00408942
    • GetProcAddress.KERNEL32(?,?,74726956,506C6175,65746F72,00007463), ref: 0040896C
    • GetProcAddress.KERNEL32(?,?,74726956,416C6175,636F6C6C,00000000), ref: 00408992