
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 591783
Start time: 15:11:28
Joe Sandbox Product: Cloud
Start date: 26.06.2018
Overall analysis duration: 0h 10m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: e369b301bb8ff397_jaureg.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.mine.troj.winEXE@4/7@3/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): mscorsvw.exe, WmiPrvSE.exe, conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Too many dropped files, some of them have not been restored

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   100     0 - 100   Report FP / FN   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe; Avira: Label: TR/BitCoinMiner.Gen8
Source: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe; Avira: Label: TR/BitCoinMiner.Gen8
Source: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe; Avira: Label: TR/BitCoinMiner.Gen8
Source: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe; Avira: Label: TR/BitCoinMiner.Gen8
Source: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe; Avira: Label: TR/BitCoinMiner.Gen8
Source: C:\Windows\svchost.exe; Avira: Label: HEUR/AGEN.1005018
Antivirus detection for submitted file
Source: e369b301bb8ff397_jaureg.exe; Avira: Label: TR/BitCoinMiner.Gen8
Multi AV Scanner detection for submitted file
Source: e369b301bb8ff397_jaureg.exe; virustotal: Detection: 70%
Antivirus detection for unpacked file
Source: 2.0.svchost.exe.400000.0.unpack; Avira: Label: HEUR/AGEN.1005018
Source: 2.0.svchost.exe.400000.1.unpack; Avira: Label: HEUR/AGEN.1005018
Source: 1.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack; Avira: Label: HEUR/AGEN.1025421
Source: 2.0.svchost.exe.400000.2.unpack; Avira: Label: HEUR/AGEN.1005018
Source: 2.0.svchost.exe.400000.3.unpack; Avira: Label: HEUR/AGEN.1005018
Source: 2.0.svchost.exe.400000.4.unpack; Avira: Label: HEUR/AGEN.1005018
Source: 3.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack; Avira: Label: HEUR/AGEN.1025421
Source: 2.1.svchost.exe.400000.0.unpack; Avira: Label: HEUR/AGEN.1005018
Yara signature match
Matched rule: CoinMiner_Strings (author = Florian Roth, description = Detects mining pool protocol string in Executable, date = 2018-01-04, score = https://minergate.com/faq/what-pool-address), type: MEMORY, sources:
  • 00000002.00000001.12988257074.00000000004AB000.00000002.sdmp
  • 00000002.00000000.12960029313.00000000004AB000.00000002.sdmp
  • 00000002.00000000.12958666594.00000000004AB000.00000002.sdmp
  • 00000002.00000000.12958266442.00000000004AB000.00000002.sdmp
  • 00000002.00000000.12960606754.00000000004AB000.00000002.sdmp
  • 00000002.00000000.12959251395.00000000004AB000.00000002.sdmp
Matched rule: XMRIG_Monero_Miner_Config (author = Florian Roth, reference = https://github.com/xmrig/xmrig/releases, description = Auto-generated rule - from files config.json, config.json, date = 2018-01-04, hash1 = 031333d44a3a917f9654d7e7257e00c9d961ada3bee707de94b7c7d06234909a, hash2 = 409b6ec82c3bdac724dae702e20cb7f80ca1e79efa4ff91212960525af016c41), type: DROPPED, source: C:\Windows\config.json
Matched rule: XMRIG_Monero_Miner (author = Florian Roth, reference = https://github.com/xmrig/xmrig/releases, description = Detects Monero mining software, date = 2018-01-04, hash1 = 5c13a274adb9590249546495446bb6be5f2a08f9dcd2fc8a2049d9dc471135c0, hash2 = 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7, hash3 = f3f2703a7959183b010d808521b531559650f6f347a5830e47f8e3831b10bad5, hash4 = 0972ea3a41655968f063c91a6dbd31788b20e64ff272b27961d12c681e40b2d2), sources:
  • C:\Windows\svchost.exe (type: DROPPED)
  • 2.1.svchost.exe.400000.0.unpack (type: UNPACKEDPE)
  • 2.0.svchost.exe.400000.3.unpack (type: UNPACKEDPE)
  • 2.0.svchost.exe.400000.4.unpack (type: UNPACKEDPE)
  • 2.0.svchost.exe.400000.1.unpack (type: UNPACKEDPE)
  • 2.0.svchost.exe.400000.2.unpack (type: UNPACKEDPE)
  • 2.0.svchost.exe.400000.0.unpack (type: UNPACKEDPE)
  • 1.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack (type: UNPACKEDPE)
  • 1.1.e369b301bb8ff397_jaureg.exe.400000.0.unpack (type: UNPACKEDPE)
  • 3.2.e369b301bb8ff397_jaureg.exe.400000.0.unpack (type: UNPACKEDPE)
  • 3.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack (type: UNPACKEDPE)

Bitcoin Miner:

Found strings related to Crypto-Mining
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; String found in binary or memory: stratum+tcp://
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; String found in binary or memory: <script type="text/javascript" src="https://coinhive.com/lib/coinhive.min.js"></script>
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; String found in binary or memory: stratum+tcp://
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; String found in binary or memory: "algo": "cryptonight", // cryptonight (default) or cryptonight-lite
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; String found in binary or memory: Usage: xmrig [OPTIONS]

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.1.13:49189 -> 222.187.232.9:5555
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: mine.ppxxmr.com
Urls found in memory or binary data
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: HTTP://
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: HTTP://)
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: HTTPS://
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: file://
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: file://CArchiveExceptionx:E
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: file://CFile
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12976173023.00000000052FD000.00000004.sdmp; String found in binary or memory: file://CFileException
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: file://p
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: ftp://http://
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: http://Port
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12976173023.00000000052FD000.00000004.sdmp; String found in binary or memory: http://java.com
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12956777819.000000000034F000.00000004.sdmp; String found in binary or memory: http://java.com/
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12955250182.0000000000361000.00000004.sdmp; String found in binary or memory: http://java.com/help
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12955250182.0000000000361000.00000004.sdmp; String found in binary or memory: http://java.com/helphttp://java.com/helpB
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12957234322.0000000000380000.00000004.sdmp; String found in binary or memory: http://java.com/http://java.com/B
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; String found in binary or memory: http://java.sun.com/products/autodl/j2seWindowstest
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; String found in binary or memory: http://java.sun.com/products/autodl/j2sejavawbin%s%c%s%c%s-Jcom.sun.javaws.Main-localfiletotal
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://ocsp.thawte.com0
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://sc.symcb.com/sc.crl0
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://sc.symcb.com/sc.crt0
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://sc.symcd.com0&
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://www.symauth.com/cps0(
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: http://www.symauth.com/rpa04
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12987733288.0000000005097000.00000004.sdmp; String found in binary or memory: http://www.winimage.com/zLibDll
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: https://H
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; String found in binary or memory: https://IDS_ACTION_CONNECTINGDownloadFileAndWait:
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: https://L
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: https://coinhive.com/lib/coinhive.min.js
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: https://d.symcb.com/cps0%
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; String found in binary or memory: https://d.symcb.com/rpa0
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: e369b301bb8ff397_jaureg.exe; String found in binary or memory: https://github.com/xmrig/xmrig/wiki/API

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Run
Changes image file execution options
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\Taskmgr.exe Debugger
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\ZhuDongFangYu.exe Debugger
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\QQPCTray.exe Debugger
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\360Safe.exe Debugger
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\360Tray.exe Debugger
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Image File Execution Options\regedit.exe Debugger

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Executable created and started: C:\Windows\svchost.exe
Drops PE files
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\Windows\svchost.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\Windows\svchost.exe

Data Obfuscation:

PE file contains sections with non-standard names
Source: e369b301bb8ff397_jaureg.exe; Static PE information: section name: .imports
Source: svchost.exe.1.dr; Static PE information: section name: .xdata
Source: AcrobatUpdater.exe.1.dr; Static PE information: section name: .imports
Sample is packed with UPX
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Drops files with a known system name (to hide its detection)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\Windows\svchost.exe
PE file contains more sections than normal
Source: svchost.exe.1.dr; Static PE information: Number of sections : 12 > 10
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Memory allocated: 77080000 page execute and read and write
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Memory allocated: 771A0000 page execute and read and write
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Memory allocated: 77080000 page execute and read and write
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Memory allocated: 771A0000 page execute and read and write
Creates files inside the system directory
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File created: C:\Windows\config.json
PE file contains strange resources
Source: svchost.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\svchost.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12986978414.0000000004D10000.00000004.sdmp; Binary or memory string: OriginalFilenamexmrig.exe, vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12987733288.0000000005097000.00000004.sdmp; Binary or memory string: OriginalFilenameAdobe_Updater.exe< vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp; Binary or memory string: OriginalFilenameSetup.exeF vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12976173023.00000000052FD000.00000004.sdmp; Binary or memory string: OriginalFilenamejaureg.exel& vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenameRegSvcs.exeT vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamessvagent.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenametnameserv.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamektab.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamekinit.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamermid.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamejqs.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenamejavaws.exeN vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp; Binary or memory string: OriginalFilenameA3DUtility.exe< vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12954664450.000000000032C000.00000004.sdmp; Binary or memory string: OriginalFilenametwext.dll.muij% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000001.12959600399.0000000002D00000.00000008.sdmp; Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000001.12979803074.0000000003380000.00000002.sdmp; Binary or memory string: OriginalFilenameimageres.DLLj% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000001.12979639581.0000000002E90000.00000008.sdmp; Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12956777819.000000000034F000.00000004.sdmp; Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp; Binary or memory string: OriginalFilenameAdobeARM.exeb! vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000001.12959230280.0000000002CA0000.00000008.sdmp; Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000001.12959696880.0000000002E80000.00000008.sdmp; Binary or memory string: OriginalFilenameacppage.dll.muij% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12956693186.0000000000377000.00000004.sdmp; Binary or memory string: OriginalFilenamentshrui.dll.muij% vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe, 00000003.00000002.12960504416.000000000041D000.00000080.sdmp; Binary or memory string: OriginalFilenamexmrig.exe, vs e369b301bb8ff397_jaureg.exe
Source: e369b301bb8ff397_jaureg.exe; Binary or memory string: OriginalFilenamexmrig.exe, vs e369b301bb8ff397_jaureg.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File read: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
Classification label
Source: classification engine; Classification label: mal100.evad.mine.troj.winEXE@4/7@3/1
Reads ini files
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: e369b301bb8ff397_jaureg.exe; virustotal: Detection: 70%
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe'
Source: unknown; Process created: C:\Windows\svchost.exe 'C:\Windows\svchost.exe'
Source: unknown; Process created: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe'
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Process created: C:\Windows\svchost.exe 'C:\Windows\svchost.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Submission file is bigger than most known malware samples
Source: e369b301bb8ff397_jaureg.exe; Static file information: File size 6454353 > 1048576
PE file has a big raw section
Source: e369b301bb8ff397_jaureg.exe; Static PE information: Raw size of UPX0 is bigger than: 0x100000 < 0x10b000
Source: e369b301bb8ff397_jaureg.exe; Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x109600
Binary contains paths to debug symbols
Source: Binary string: RegSvcs.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: c:\coretech\source\roxy\aum\public\aum\binaries\windows\release\Adobe_Updater.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12987733288.0000000005097000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\sun\launcher\kinit\obj\kinit.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: f:\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\sun\launcher\tnameserv\obj\tnameserv.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\sun\launcher\ktab\obj\ktab.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: f:\ARM\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12976173023.00000000052FD000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\deploy\jqs\jqs\jqs.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp
Source: Binary string: F:\CB\11X_Security\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp
Source: Binary string: RegSvcs.pdb4zNz @z_CorExeMainmscoree.dll source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp
Source: Binary string: g:\Acro_root_ns\BuildResults\bin\Release\PDFPrevHndlrShim.pdbDPA source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp
Source: Binary string: C:\HUDSON\workspace\Autoupdate2.1-update\obj\jaureg\Release\jaureg.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12976173023.00000000052FD000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\ssvagent\obj\ssvagent.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\deploy\jqs\jqs\jqs.pdb@Bl source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\sun\launcher\rmid\obj\rmid.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: g:\Acro_root_ns\BuildResults\bin\Release\PDFPrevHndlrShim.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, AdobeARMHelper.exe.1.dr
Source: Binary string: c:\coretech\source\roxy\aum\public\aum\binaries\windows\release\Adobe_Updater.pdb` source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12987733288.0000000005097000.00000004.sdmp
Source: Binary string: F:\CB\11X_Security\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdbD source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12982666363.0000000002EA1000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\deploy\jre-image\bin\javaws.pdb0 source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp
Source: Binary string: C:\jdk7_32P\jdk7\build\windows-i586\tmp\deploy\jre-image\bin\javaws.pdb source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Memory allocated: C:\Windows\svchost.exe base: 250000 protect: page read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Memory written: C:\Windows\svchost.exe base: 250000
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Memory written: C:\Windows\svchost.exe base: 250020
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Memory written: C:\Windows\svchost.exe base: 7FFF5238
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Memory written: C:\Windows\svchost.exe base: 7FFFFFD3368
May try to detect the Windows Explorer process (often used for injection)
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12971904068.00000000052FD000.00000004.sdmp, Binary or memory string: FExitMaximize&Click to activateShell_TrayWndTrayNotifyWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Windows\WinSxS\FileMaps\$$.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Process token adjusted: Debug

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\svchost.exe, Window / User API: threadDelayed 4741
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe TID: 2652, Thread sleep time: -60000s >= -60000s
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, Binary or memory string: .?AVCRegistryVirtualMachine@ATL@@
Source: e369b301bb8ff397_jaureg.exe, 00000001.00000003.12968442923.00000000048F2000.00000004.sdmp, Binary or memory string: #B.?AVCRegistryVirtualMachine@ATL@@

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\svchost.exe, Network Connect: 222.187.232.9 179
Creates PE files with a name equal or similar to existing files in Windows
Source: C:\Windows\svchost.exe, File created: Name: svchost.exe in C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 591783, Sample: e369b301bb8ff397_jaureg.exe, Startdate: 26/06/2018, Architecture: WINDOWS, Score: 100

Text rendering of the interactive graph (nodes and their edges):
  • Sample node signatures: Antivirus detection for dropped file; Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; 4 other signatures
  • Sample starts e369b301bb8ff397_jaureg.exe (two instances)
  • e369b301bb8ff397_jaureg.exe drops: C:\Windows\svchost.exe (PE32+); C:\ProgramData\Adobe\Setup\...\setup.exe (PE32); C:\ProgramData\Adobe\...\ReaderUpdater.exe (PE32); 3 other malicious files
  • e369b301bb8ff397_jaureg.exe signatures: Creates an undocumented autostart registry key; Drops files with a known system name (to hide its detection); Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  • e369b301bb8ff397_jaureg.exe starts svchost.exe
  • svchost.exe connects to mine.ppxxmr.com (222.187.232.9, ports 49190, 49191, 5555; CHINANET-BACKBONENo31Jin-rongStreetCN, China)
  • svchost.exe signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit)
  • mine.ppxxmr.com signatures: Detected TCP or UDP traffic on non-standard ports

Simulations

Behavior and APIs

Time | Type | Description
15:13:01 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
e369b301bb8ff397_jaureg.exe | 70% | virustotal |
e369b301bb8ff397_jaureg.exe | 100% | Avira | TR/BitCoinMiner.Gen8

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe | 100% | Avira | TR/BitCoinMiner.Gen8
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe | 100% | Avira | TR/BitCoinMiner.Gen8
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe | 100% | Avira | TR/BitCoinMiner.Gen8
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe | 100% | Avira | TR/BitCoinMiner.Gen8
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe | 100% | Avira | TR/BitCoinMiner.Gen8
C:\Windows\svchost.exe | 100% | Avira | HEUR/AGEN.1005018

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.svchost.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1005018
2.0.svchost.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1005018
1.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1025421
2.0.svchost.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1005018
2.0.svchost.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1005018
2.0.svchost.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1005018
3.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1025421
2.1.svchost.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1005018

Domains

Source | Detection | Scanner | Label
mine.ppxxmr.com | 4% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
C:\Windows\config.json | XMRIG_Monero_Miner_Config | Auto-generated rule - from files config.json, config.json | Florian Roth
C:\Windows\svchost.exe | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth

Memory Dumps

Source | Rule | Description | Author
00000002.00000001.12988257074.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
00000002.00000000.12960029313.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
00000002.00000000.12958666594.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
00000002.00000000.12958266442.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
00000002.00000000.12960606754.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
00000002.00000000.12959251395.00000000004AB000.00000002.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth

Unpacked PEs

Source | Rule | Description | Author
2.1.svchost.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
2.0.svchost.exe.400000.3.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
2.0.svchost.exe.400000.4.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
2.0.svchost.exe.400000.1.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
2.0.svchost.exe.400000.2.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
2.0.svchost.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
1.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
1.1.e369b301bb8ff397_jaureg.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
3.2.e369b301bb8ff397_jaureg.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth
3.0.e369b301bb8ff397_jaureg.exe.400000.0.unpack | XMRIG_Monero_Miner | Detects Monero mining software | Florian Roth

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
mine.ppxxmr.com | http://58.49.94.109:5693/Ming.exe | | malicious | 222.187.254.221

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

Dropped Files

No context

Startup

  • System is w7x64
  • e369b301bb8ff397_jaureg.exe (PID: 2816 cmdline: 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe' MD5: 52E10C90700A37A33A132D8E67120F39)
    • svchost.exe (PID: 2920 cmdline: 'C:\Windows\svchost.exe' MD5: 4A87A4D6677558706DB4AFAEEEB58D20)
  • e369b301bb8ff397_jaureg.exe (PID: 1144 cmdline: 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe' MD5: 52E10C90700A37A33A132D8E67120F39)
  • cleanup

Created / dropped Files

C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AcrobatUpdater.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Size (bytes):65825354
Entropy (8bit):6.479419346409224
Encrypted:false
MD5:C236099B1FFE0AA02A63358D6698C5D6
SHA1:647106221D11465EFC7C2B3404FD15553292523B
SHA-256:534CD1D7C61268AAE99E9E54D16B45CA37509C5A00B8D363207410718247088E
SHA-512:4817481E23C86926C30E95E4BBEFB4BEF38657FBA9D57D9F47B4E1D93F95D617FE1E712E93D168083D1266F35F6BC9C563CB9452B6E36C746538E07C3E049311
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARM.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Size (bytes):67918378
Entropy (8bit):6.460050659924769
Encrypted:false
MD5:E4C008A1C63FEE1F83B2F09D931CF640
SHA1:B6F6EEB428A5D9D481116024C5C9F7FD61BAB4F2
SHA-256:141D98FD0A1978982CFC102A1DFE01A7B4F3BEEB87F618E95DE77693DAE330FF
SHA-512:4C41586173AA4546DE1591F23C18A14A848F1A4F62B026F4AB311DF0D59FF90FAA6370F4576B62835FC9CB102680500CCF6E7DC715CA84175E13B1A180D5ECA0
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\AdobeARMHelper.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Size (bytes):39687486
Entropy (8bit):6.479279456310962
Encrypted:false
MD5:9C6CE3AF87D4E200828D7229846C69B6
SHA1:850E6113D5C50C90F67BD76DC55CD51F22DE55DF
SHA-256:D78630253D115E52D5D6AAA9A4DE69EFD12B2BF237C264D8C6A38325D215FA61
SHA-512:7B5CE05E63092AB37B3E1FE5EAC6C855494F0846207E9E143E90726A1583EFD43852D2706E9B8A1A867069257F9B2DB5090DFB8C8F8AFD61541D642903E2E758
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
C:\ProgramData\Adobe\ARM\Reader_10.1.0\7360\ReaderUpdater.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Size (bytes):39687486
Entropy (8bit):6.479279456310962
Encrypted:false
MD5:9C6CE3AF87D4E200828D7229846C69B6
SHA1:850E6113D5C50C90F67BD76DC55CD51F22DE55DF
SHA-256:D78630253D115E52D5D6AAA9A4DE69EFD12B2BF237C264D8C6A38325D215FA61
SHA-512:7B5CE05E63092AB37B3E1FE5EAC6C855494F0846207E9E143E90726A1583EFD43852D2706E9B8A1A867069257F9B2DB5090DFB8C8F8AFD61541D642903E2E758
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\setup.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Size (bytes):39819582
Entropy (8bit):6.473324092133047
Encrypted:false
MD5:AD4DA8E938149A0FE2C9AE106971B817
SHA1:A8CC57EAF4812DA8BCC4466E647336A4232C98F7
SHA-256:E72BB174DE460DE24D5E561C9BC8EFD9699367F93F157F5F19309CF4C77B633D
SHA-512:D377D00BEA1D0352EB09ACCFC1BF5021A7DC1C832FEA2DAA90B27A28BC926EF5A41EC1FC9457295C9F81B1187B176DAA2C0DC34158362501A55C6AF4E295A09C
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low
C:\Windows\config.json
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):1953
Entropy (8bit):4.454711174366839
Encrypted:false
MD5:88C5C5706D2E237422EDA18490DC6A59
SHA1:BB8D12375F6B995301E756DE2EF4FA3A3F6EFD39
SHA-256:4756A234ED3D61FE187D9B6140792E54E7B757545EDFF82DF594A507E528ED8E
SHA-512:A417270A0D46DE5BB06A621C0383C893042A506524713F89BA55567DF6E5C3AC8B198BCE5A0300EC6E716897BB53FD3E8289A51240157DC743004517673D4AB7
Malicious:false
Yara Hits:
  • Rule: XMRIG_Monero_Miner_Config, Description: Auto-generated rule - from files config.json, config.json, Source: C:\Windows\config.json, Author: Florian Roth
Reputation:low
C:\Windows\svchost.exe
Process:C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Size (bytes):852992
Entropy (8bit):6.444942215209034
Encrypted:false
MD5:4A87A4D6677558706DB4AFAEEEB58D20
SHA1:7738DC6A459F8415F0265D36C626B48202CD6764
SHA-256:08B55F9B7DAFC53DFC43F7F70CDD7048D231767745B76DC4474370FB323D7AE7
SHA-512:BEDD8ED4975DF3FCD4A0F575D6F38E3841E7A4B771BAAC4F72033102A070818B8539EB101C50563D89D4F3454899A1CEDB33047B02E421256DEDF9AAF258B594
Malicious:true
Yara Hits:
  • Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Windows\svchost.exe, Author: Florian Roth
Antivirus:
  • Antivirus: Avira, Detection: 100%
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mine.ppxxmr.com | 222.187.232.9 | true | true | 4%, virustotal | unknown

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
222.187.232.9 | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | true

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):6.479955983167727
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.41%
  • Windows ActiveX control (116523/4) 1.15%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Java Script embedded in Visual Basic Script (8000/0) 0.08%
  • Generic Win/DOS Executable (2004/3) 0.02%
File name:e369b301bb8ff397_jaureg.exe
File size:6454353
MD5:52e10c90700a37a33a132d8e67120f39
SHA1:f47c07fd0f12f32751c8485b9b0695709c935755
SHA256:e369b301bb8ff397a1773c3963491620623c9c811d174b47c7f2d7c8b616f47a
SHA512:a53830c265ab6d1dffb068b3824f4ea290d8551dd731d7c7eca2977d5f58d113117ba1ea2d6fd0e3ed74a934a434016eadc9fe9749c9e2f2017443a2739f4e31
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i...-.~.-.~.-.~.B.u.$.~.B.t.+.~.V.r...~...!.(.~...p...~...t...~...#./.~...#.2.~.-.....~...u.D.~.-.~.,.~...u.<.~...x.,.~.Rich-.~

Static PE Info

General

Entrypoint:0x409433
Entrypoint Section:UPX0
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x5A50A69C [Sat Jan 6 10:36:12 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:aa87db00eff03dc11398f903a07cd843

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041D2F0h
push 0040A84Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0041C18Ch]
xor edx, edx
mov dl, ah
mov dword ptr [0060F85Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0060F858h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0060F854h], ecx
shr eax, 10h
mov dword ptr [0060F850h], eax
push 00000001h
call 00007FE23E8F22C9h
pop ecx
test eax, eax
jne 00007FE23E8EEB5Ah
push 0000001Ch
call 00007FE23E8EEC18h
pop ecx
call 00007FE23E8F2074h
test eax, eax
jne 00007FE23E8EEB5Ah
push 00000010h
call 00007FE23E8EEC07h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FE23E8F1EA2h
call dword ptr [0041C1F0h]
mov dword ptr [00611058h], eax
call 00007FE23E8F1D60h
mov dword ptr [0060F818h], eax
call 00007FE23E8F1B09h
call 00007FE23E8F1A4Bh
call 00007FE23E8F0436h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0041C10Ch]
call 00007FE23E8F19DCh
mov dword ptr [ebp-64h], eax

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x217000 | 0xc8 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x216000 | 0x318 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x216540 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x10b000 | 0x10b000 | False | 0.467263211025 | data | 6.45254737276 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
UPX1 | 0x10c000 | 0x10a000 | 0x109600 | False | 0.357187279204 | data | 5.83154930285 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x216000 | 0x1000 | 0x600 | False | 0.457682291667 | data | 4.65821979383 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x217000 | 0x2000 | 0x1200 | False | 0.372829861111 | data | 4.60104948291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x21605c | 0x2b9 | XML document text | Chinese | China

Imports

DLL | Import
KERNEL32.DLL | GlobalDeleteAtom, InterlockedIncrement, InterlockedDecrement, LocalFree, FlushFileBuffers, lstrcpynA, GetFullPathNameA, LocalAlloc, InitializeCriticalSection, TlsAlloc, DeleteCriticalSection, lstrcmpA, TlsFree, LeaveCriticalSection, GlobalReAlloc, EnterCriticalSection, TlsSetValue, LocalReAlloc, TlsGetValue, GlobalFlags, WritePrivateProfileStringA, GetCurrentDirectoryA, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, GetProcessVersion, FileTimeToSystemTime, FileTimeToLocalFileTime, SetErrorMode, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, RaiseException, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, InterlockedExchange, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, GetVersion, GetTimeZoneInformation, lstrcatA, SetLastError, GlobalAlloc, lstrcpyA, Sleep, OpenEventA, TerminateProcess, GetDriveTypeA, SetFilePointer, GlobalLock, GlobalUnlock, GlobalFree, WideCharToMultiByte, MultiByteToWideChar, GetLastError, GetVersionExA, GetWindowsDirectoryA, GetSystemDirectoryA, GetTempPathA, lstrlenA, LCMapStringA, LoadLibraryA, FreeLibrary, GetCommandLineA, GetFileSize, ReadFile, FindClose, FindFirstFileA, FindNextFileA, SetFileAttributesA, CreateFileA, WriteFile, CloseHandle, GetTickCount, GetModuleFileNameA, IsBadReadPtr, HeapFree, HeapReAlloc, HeapAlloc, ExitProcess, GetProcessHeap, lstrcpyn, GetProcAddress, GetModuleHandleA, SetProcessWorkingSetSize, SetWaitableTimer, CreateWaitableTimerA, CreateThread, GetCurrentProcess, OpenProcess, GetCurrentProcessId, Process32Next, Process32First, CreateToolhelp32Snapshot, CreateEventA, GlobalHandle
ADVAPI32.dll | RegOpenKeyExA, RegOpenKeyA, LookupPrivilegeValueA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, AdjustTokenPrivileges, OpenProcessToken
COMCTL32.dll |
GDI32.dll | PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetClipBox, GetObjectA, GetStockObject, DeleteObject, DeleteDC, SelectObject, GetDeviceCaps, CreateBitmap, SaveDC, RestoreDC, SetBkColor, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx
ole32.dll | CoCreateInstance
SHELL32.dll | ShellExecuteA, SHGetSpecialFolderPathA, SHChangeNotify
SHLWAPI.dll | PathFileExistsA
USER32.dll | GetMenuItemID, GetSubMenu, GetMenu, RegisterClassA, GetClassInfoA, WinHelpA, GetCapture, GetTopWindow, CopyRect, GetClientRect, AdjustWindowRectEx, GetSysColor, MapWindowPoints, LoadIconA, LoadCursorA, GetSysColorBrush, LoadStringA, DestroyMenu, GetMenuItemCount, SetWindowTextA, GetDlgCtrlID, DestroyWindow, UnhookWindowsHookEx, GrayStringA, DrawTextA, TabbedTextOutA, CreateWindowExA, GetClassLongA, SetPropA, GetPropA, CallWindowProcA, RemovePropA, DefWindowProcA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, ClientToScreen, IsIconic, GetWindowPlacement, SetFocus, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetKeyState, CallNextHookEx, ValidateRect, SetWindowsHookExA, GetLastActivePopup, SetCursor, PostMessageA, PostQuitMessage, GetWindow, PtInRect, GetWindowLongA, GetCursorPos, SetWindowLongA, GetDlgItem, SystemParametersInfoA, GetDC, ReleaseDC, SendMessageA, GetWindowRect, GetSystemMetrics, GetActiveWindow, GetForegroundWindow, IsWindowEnabled, GetParent, EnableWindow, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, wsprintfA, MessageBoxA, MsgWaitForMultipleObjects, SetWindowPos, SetForegroundWindow, ShowWindow, GetClassNameA, GetWindowTextA, GetWindowThreadProcessId, IsWindowVisible, UnregisterClassA
WINSPOOL.DRV | OpenPrinterA, ClosePrinter, DocumentPropertiesA

Possible Origin

Language of compilation system | Country where language is spoken | Map
Chinese | China |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2018 15:13:03.776777029 CEST | 62130 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:13:04.146056890 CEST | 53 | 62130 | 8.8.8.8 | 192.168.1.13
Jun 26, 2018 15:13:04.155695915 CEST | 49189 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:07.178725958 CEST | 49189 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:13.263602018 CEST | 49189 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:32.169164896 CEST | 60535 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:13:32.570549011 CEST | 53 | 60535 | 8.8.8.8 | 192.168.1.13
Jun 26, 2018 15:13:32.571928978 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:35.584577084 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:41.600712061 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:42.021239996 CEST | 5555 | 49190 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:13:42.021421909 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:44.369992971 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:44.994029045 CEST | 5555 | 49190 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:13:45.209480047 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:13:45.241833925 CEST | 5555 | 49190 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:13:45.241961002 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:12.708121061 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:13.130451918 CEST | 5555 | 49190 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:13.397293091 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:22.992439032 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:23.001430035 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:23.402199984 CEST | 5555 | 49190 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:23.402338982 CEST | 49190 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:29.031507015 CEST | 51725 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:15:29.405633926 CEST | 53 | 51725 | 8.8.8.8 | 192.168.1.13
Jun 26, 2018 15:15:29.407258987 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:32.459496975 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:38.521955967 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:38.925812006 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:38.925968885 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:38.929472923 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:15:39.334165096 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:39.538305044 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:39.790199995 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:15:39.790353060 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:16:39.549947023 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:16:40.100636959 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:16:40.318952084 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:17:40.120224953 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:17:40.727221012 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:17:40.928544044 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:18:07.627612114 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:18:07.928498983 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:19:07.640683889 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:19:08.092910051 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:19:08.218378067 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:19:08.428492069 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9
Jun 26, 2018 15:19:09.361215115 CEST | 5555 | 49191 | 222.187.232.9 | 192.168.1.13
Jun 26, 2018 15:19:09.361423016 CEST | 49191 | 5555 | 192.168.1.13 | 222.187.232.9

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2018 15:13:03.776777029 CEST | 62130 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:13:04.146056890 CEST | 53 | 62130 | 8.8.8.8 | 192.168.1.13
Jun 26, 2018 15:13:32.169164896 CEST | 60535 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:13:32.570549011 CEST | 53 | 60535 | 8.8.8.8 | 192.168.1.13
Jun 26, 2018 15:15:29.031507015 CEST | 51725 | 53 | 192.168.1.13 | 8.8.8.8
Jun 26, 2018 15:15:29.405633926 CEST | 53 | 51725 | 8.8.8.8 | 192.168.1.13

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 26, 2018 15:13:03.776777029 CEST | 192.168.1.13 | 8.8.8.8 | 0x1c13 | Standard query (0) | mine.ppxxmr.com | A (IP address) | IN (0x0001)
Jun 26, 2018 15:13:32.169164896 CEST | 192.168.1.13 | 8.8.8.8 | 0x4aa3 | Standard query (0) | mine.ppxxmr.com | A (IP address) | IN (0x0001)
Jun 26, 2018 15:15:29.031507015 CEST | 192.168.1.13 | 8.8.8.8 | 0xd60b | Standard query (0) | mine.ppxxmr.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 26, 2018 15:13:04.146056890 CEST | 8.8.8.8 | 192.168.1.13 | 0x1c13 | No error (0) | mine.ppxxmr.com | | 222.187.232.9 | A (IP address) | IN (0x0001)
Jun 26, 2018 15:13:32.570549011 CEST | 8.8.8.8 | 192.168.1.13 | 0x4aa3 | No error (0) | mine.ppxxmr.com | | 222.187.232.9 | A (IP address) | IN (0x0001)
Jun 26, 2018 15:15:29.405633926 CEST | 8.8.8.8 | 192.168.1.13 | 0xd60b | No error (0) | mine.ppxxmr.com | | 222.187.232.9 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior


System Behavior

General

Start time: 15:12:59
Start date: 26/06/2018
Path: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
Wow64 process (32bit):
Commandline: 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe'
Imagebase:
File size: 6454353 bytes
MD5 hash: 52E10C90700A37A33A132D8E67120F39
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:13:01
Start date: 26/06/2018
Path: C:\Windows\svchost.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\svchost.exe'
Imagebase:
File size: 852992 bytes
MD5 hash: 4A87A4D6677558706DB4AFAEEEB58D20
Has administrator privileges:
Programmed in: C, C++ or other language
Yara matches:
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000001.12988257074.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000000.12960029313.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000000.12958666594.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000000.12958266442.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000000.12960606754.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000000.12959251395.00000000004AB000.00000002.sdmp, Author: Florian Roth
  • Rule: XMRIG_Monero_Miner, Description: Detects Monero mining software, Source: C:\Windows\svchost.exe, Author: Florian Roth
Antivirus matches:
  • Detection: 100%, Avira
Reputation: low

General

Start time: 15:13:01
Start date: 26/06/2018
Path: C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe
Wow64 process (32bit):
Commandline: 'C:\Users\user\Desktop\e369b301bb8ff397_jaureg.exe'
Imagebase:
File size: 6454353 bytes
MD5 hash: 52E10C90700A37A33A132D8E67120F39
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
