Analysis Report
Overview
General Information |
---|
Analysis ID: | 89665 |
Start time: | 10:01:34 |
Start date: | 11/11/2015 |
Overall analysis duration: | 0h 3m 38s |
Report type: | full |
Sample file name: | yauz.bat |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 1 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
EGA enabled: | true |
HDC enabled: | false |
HCA success: | true, ratio: 100% |
EGA success: | true, ratio: 100% |
HDC success: | false |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Detection |
---|---|---|---|
Threshold | 52 | 0 - 100 | |
Analysis Advice |
---|
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Signature Overview |
---|
Networking: |
---|
Urls found in memory or binary data |
Source: yauz.bat | String found in binary or memory: |
Contains functionality to download additional files from the internet |
Source: C:\yauz.bat | Code function: | 0_2_00807983 |
Found strings which match to known social media urls |
Source: yauz.bat | String found in binary or memory: |
Source: yauz.bat | String found in binary or memory: |
Source: yauz.bat | String found in binary or memory: |
Source: yauz.bat | String found in binary or memory: |
Detected TCP or UDP traffic on non-standard ports |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Source: global traffic | TCP traffic: |
Boot Survival: |
---|
Creates an autostart registry key |
Source: C:\yauz.bat | Registry value created or modified: |
Source: C:\yauz.bat | Registry value created or modified: |
Creates an autostart registry key pointing to binary in C:\Windows |
Source: C:\yauz.bat | Registry value created or modified: |
Remote Access Functionality: |
---|
Contains functionality to open a port and listen for incoming connection (possibly a backdoor) |
Source: C:\yauz.bat | Code function: | 0_2_00807D81 |
Source: C:\yauz.bat | Code function: | 0_1_00807D81 |
Stealing of Sensitive Information: |
---|
Contains functionality to search for IE or Outlook window (often done to steal information) |
Source: C:\yauz.bat | Code function: | 0_2_00802C72 |
Source: C:\yauz.bat | Code function: | 0_1_00802C72 |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\yauz.bat | File created: |
Drops PE files to the windows directory (C:\Windows) |
Source: C:\yauz.bat | File created: |
Data Obfuscation: |
---|
Sample is packed with UPX |
Source: initial sample | Static PE information: |
Source: initial sample | Static PE information: |
Source: initial sample | Static PE information: |
Source: initial sample | Static PE information: |
Contains functionality to dynamically determine API calls |
Source: C:\yauz.bat | Code function: | 0_2_00803108 |
PE file contains an invalid checksum |
Source: lsass.exe.3304.dr | Static PE information: |
Source: yauz.bat | Static PE information: |
Uses code obfuscation techniques (call, push, ret) |
Source: C:\yauz.bat | Code function: | 0_2_00807F0E |
Source: C:\yauz.bat | Code function: | 0_1_00807F0E |
Spreading: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\yauz.bat | Code function: | 0_2_00804D32 |
Source: C:\yauz.bat | Code function: | 0_1_00804D32 |
System Summary: |
---|
Creates temporary files |
Source: C:\yauz.bat | File created: |
Reads software policies |
Source: C:\yauz.bat | Key opened: |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) |
Source: yauz.bat | Static PE information: |
Source: lsass.exe.3304.dr | Static PE information: |
Creates files inside the system directory |
Source: C:\yauz.bat | File created: |
Deletes Windows files |
Source: C:\yauz.bat | File deleted: |
PE file contains strange resources |
Source: yauz.bat | Static PE information: |
Source: lsass.exe.3304.dr | Static PE information: |
Sample reads its own file content |
Source: C:\yauz.bat | File read: |
Drops files with a known system name (to hide its detection) |
Source: C:\yauz.bat | File created: |
Source: C:\yauz.bat | File created: |
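A triage check for the two persistence findings above (an autostart key pointing at a binary in C:\Windows, and a dropped file carrying a system name; the dropped file appears in this report as lsass.exe.3304.dr), added here as an example and not taken from the Joe Sandbox report. Given a list of autorun entries it flags an image whose file name is a well-known system process but whose directory is not that process's canonical home, and separately any image started straight out of the Windows root. The autorun entries and the CANONICAL_DIRS table are constructed for the demo; the report does not preserve the actual registry values. On a real host the input would be a Run-key export or autorunsc output.

```python
import ntpath

# Canonical on-disk homes of system binaries whose names malware borrows; an executable
# with one of these names anywhere else is a masquerade. Assumed short table for the demo.
CANONICAL_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed Run-key entries (key, value name, data) for the demo; the report does not
# preserve the real values. The first mirrors what the signatures describe: an autostart
# entry pointing at an lsass.exe dropped into C:\Windows instead of System32.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "lsass", r"C:\Windows\lsass.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc",
     r"C:\Users\alice\AppData\Roaming\svchost.exe -k netsvcs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "updater", r"C:\Windows\updater.exe"),
]


def image_path(command):
    """Executable path from a Run-key command line: the quoted path, or everything up to '.exe'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted form: the path ends at the first ".exe" (directory names containing
    # ".exe" would fool this; good enough for Run-key data).
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx >= 0 else cmd.split(" ", 1)[0]


def classify(command):
    """'masquerade', 'windows-root' or 'ok' for one autorun command line."""
    path = image_path(command)
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if name in CANONICAL_DIRS:
        return "ok" if directory in CANONICAL_DIRS[name] else "masquerade"
    if directory == r"c:\windows":
        # Legitimate autoruns live under System32 or Program Files, not the Windows root.
        return "windows-root"
    return "ok"


def suspicious_autoruns(entries):
    """Return (key, value name, command, verdict) for every entry that is not 'ok'."""
    out = []
    for key, value, cmd in entries:
        verdict = classify(cmd)
        if verdict != "ok":
            out.append((key, value, cmd, verdict))
    return out


if __name__ == "__main__":
    for key, value, cmd, verdict in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"{verdict:13s} {key}\\{value} -> {cmd}")
```

The name check is deliberately separate from the directory check: a dropped lsass.exe is caught by its name wherever it lands, while an unfamiliar name is only flagged for the location the report calls out (the Windows root).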
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: yauz.bat | Binary or memory string: |
Source: yauz.bat | Binary or memory string: |
Source: yauz.bat | Binary or memory string: |
Source: yauz.bat | Binary or memory string: |
Anti Debugging: |
---|
Contains functionality to dynamically determine API calls |
Source: C:\yauz.bat | Code function: | 0_2_00803108 |
Contains functionality which may be used to detect a debugger (GetProcessHeap) |
Source: C:\yauz.bat | Code function: | 0_2_008036E5 |
Malware Analysis System Evasion: |
---|
Contains functionality to enumerate / list files inside a directory |
Source: C:\yauz.bat | Code function: | 0_2_00804D32 |
Source: C:\yauz.bat | Code function: | 0_1_00804D32 |
Found decision node followed by non-executed suspicious APIs |
Source: C:\yauz.bat | Decision node followed by non-executed suspicious API: | graph_0-2598 |
Found dropped PE file which has not been started or loaded |
Source: C:\yauz.bat | Dropped PE file which has not been started: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\yauz.bat TID: 3308 | Thread sleep time: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query local / system time |
Source: C:\yauz.bat | Code function: | 0_2_00802DB3 |
Contains functionality to query time zone information |
Source: C:\yauz.bat | Code function: | 0_2_00802DB3 |
Yara Overview |
---|
No Yara matches |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
IP | Country | ASN | ASN Name |
---|---|---|---|
15.238.20.130 | United States | 10782 | Hewlett-Packard Company |
15.228.71.140 | United States | 10782 | Hewlett-Packard Company |
141.240.12.247 | United States | 18454 | Augsburg College |
15.246.57.42 | United States | 10782 | Hewlett-Packard Company |
15.228.173.71 | United States | 10782 | Hewlett-Packard Company |
16.102.50.60 | United States | 71 | unknown |
167.193.151.116 | United States | 2897 | unknown |
16.126.194.5 | United States | 71 | unknown |
129.81.102.160 | United States | 10349 | Tulane University |
16.83.200.38 | United States | 71 | unknown |
67.64.125.225 | United States | 7018 | unknown |
166.77.111.50 | United States | 7256 | unknown |
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
TrID: | |
File name: | yauz.bat |
File size: | 22024 |
MD5: | 6071a0cf7861302564bd4fc44396e7a4 |
SHA1: | d173820980584951b5739d67955ce453b4f39312 |
SHA256: | bf92618f847f4c9a8ed09a390030466ee9a48215618f9602130c52cd6529cae6 |
SHA512: | 751cf7c773dccb14a3d48e17219144b7012032e9a049c321b834b8b94f59c85d8f20e7e8bbf671d5e19bf8110e40e3e63dd2bb9218f75d9145ed7db6f66317bb |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x80b4a0 |
Entrypoint Section: | UPX1 |
Digitally signed: | false |
Imagebase: | 0x800000 |
Subsystem: | windows gui 40 |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | |
Subsystem Version Minor: | |
Import Hash: | 5d02f6de12eb07fb22fe87e05e50d6a0 |
Entrypoint Preview |
---|
Instruction |
---|
pushad |
mov esi, 00807000h |
lea edi, dword ptr [esi-00006000h] |
push edi |
or ebp, FFFFFFFFh |
jmp 00007F9D9CE8EEE2h |
nop |
nop |
nop |
nop |
nop |
nop |
mov al, byte ptr [esi] |
inc esi |
mov byte ptr [edi], al |
inc edi |
add ebx, ebx |
jne 00007F9D9CE8EED9h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jc 00007F9D9CE8EEBFh |
mov eax, 00000001h |
add ebx, ebx |
jne 00007F9D9CE8EED9h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc eax, eax |
add ebx, ebx |
jnc 00007F9D9CE8EEC1h |
jne 00007F9D9CE8EEDBh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F9D9CE8EEB6h |
xor ecx, ecx |
sub eax, 03h |
jc 00007F9D9CE8EEDFh |
shl eax, 08h |
mov al, byte ptr [esi] |
inc esi |
xor eax, FFFFFFFFh |
je 00007F9D9CE8EF46h |
mov ebp, eax |
add ebx, ebx |
jne 00007F9D9CE8EED9h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jne 00007F9D9CE8EED9h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
jne 00007F9D9CE8EEF2h |
inc ecx |
add ebx, ebx |
jne 00007F9D9CE8EED9h |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
adc ecx, ecx |
add ebx, ebx |
jnc 00007F9D9CE8EEC1h |
jne 00007F9D9CE8EEDBh |
mov ebx, dword ptr [esi] |
sub esi, FFFFFFFCh |
adc ebx, ebx |
jnc 00007F9D9CE8EEB6h |
add ecx, 02h |
cmp ebp, FFFFF300h |
adc ecx, 01h |
lea edx, dword ptr [edi+ebp] |
cmp ebp, FFFFFFFCh |
jbe 00007F9D9CE8EEE1h |
mov al, byte ptr [edx] |
inc edx |
mov byte ptr [edi], al |
inc edi |
dec ecx |
jne 00007F9D9CE8EEC9h |
jmp 00007F9D9CE8EE38h |
nop |
mov eax, dword ptr [edx] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc514 | 0x130 | .rsrc |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x514 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
UPX0 | 0x1000 | 0x6000 | 0x0 | 0.0 | False | 0 | empty | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
UPX1 | 0x7000 | 0x5000 | 0x4600 | 7.89790234125 | False | 0.992410714286 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xc000 | 0x1000 | 0x800 | 2.64956945519 | False | 0.2783203125 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_ICON | 0xc0d8 | 0x2e8 | data | English | United States | 0 | False |
RT_ICON | 0xc3c4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
RT_GROUP_ICON | 0xc4f0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States | 0 | False |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.DLL | LoadLibraryA, GetProcAddress, ExitProcess |
ADVAPI32.dll | RegCloseKey |
MSVCRT.dll | time |
USER32.dll | wsprintfA |
WS2_32.dll | gethostname |
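The static tables above describe a UPX stub rather than the program itself: the entry point 0x80b4a0 sits in UPX1, UPX0 has no bytes on disk but 0x6000 bytes of executable, writable memory, UPX1 is at entropy 7.9 with a zlib ratio of 0.99, and the entry-point preview is the copy loop that reads from 00807000h (UPX1) into [esi-00006000h], i.e. 0x801000 (UPX0). The import table (LoadLibraryA, GetProcAddress, ExitProcess, plus one name per DLL) is likewise the stub's; the payload resolves its own APIs at run time, which is what the "dynamically determine API calls" signature reflects, so imports and strings have to be taken from the unpacked image. The script below, an added example and not part of the Joe Sandbox report, walks the PE32 section table with the standard library only, computes the same per-section entropy and zlib ratio the Sections table lists, and reports the UPX indicators. The PE it analyses is constructed in build_sample_pe() to mirror this layout (random bytes stand in for the compressed payload) and is not the real sample.

```python
import math
import random
import struct
import zlib

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte, 0.0 .. 8.0 (the report's 'Entropy' column)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(buf):
    """compressed size / original size (the report's 'ZLIB Complexity'); ~1.0 means already packed."""
    if not buf:
        return 0.0
    return len(zlib.compress(buf, 9)) / len(buf)


def parse_pe32(data):
    """Walk the DOS, COFF, optional and section headers of a PE32 image (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)     # COFF: NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)        # COFF: SizeOfOptionalHeader
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)         # ImageBase
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
            "entropy": shannon_entropy(raw), "zlib": zlib_ratio(raw),
        })
    return image_base, entry_rva, sections


def upx_indicators(data):
    """Static hints that an image is a UPX-style stub wrapped around a compressed payload."""
    image_base, entry_rva, secs = parse_pe32(data)
    findings = []
    if any(s["name"].startswith("UPX") for s in secs):
        findings.append("section names UPX0/UPX1 (UPX packer signature)")
    entry_sec = next((s for s in secs if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    if entry_sec is not None and entry_sec["name"] != ".text":
        findings.append("entry point %#x lies in %s, not .text" % (image_base + entry_rva, entry_sec["name"]))
    first = secs[0] if secs else None
    if first and first["rawsize"] == 0 and first["vsize"] and \
            first["chars"] & IMAGE_SCN_MEM_EXECUTE and first["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("first section %s is empty on disk but executable+writable in memory (unpack destination)" % first["name"])
    for s in secs:
        if s["rawsize"] and s["entropy"] > 7.0 and s["zlib"] > 0.9:
            findings.append("section %s: entropy %.2f, zlib ratio %.2f (compressed payload)" % (s["name"], s["entropy"], s["zlib"]))
    return findings


def build_sample_pe(seed=1):
    """Constructed PE32 with this report's section layout (UPX0/UPX1/.rsrc); not the real sample."""
    rng = random.Random(seed)
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(0x4600))    # stands in for the compressed payload
    rsrc_raw = b"\0" * 0x700 + bytes(range(256))                    # low-entropy, icon-like, 0x800 bytes

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)  # i386, 3 sections, stripped flags
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x5000, 0x1000, 0x6000,
                      0xB4A0, 0x7000, 0xC000, 0x800000)             # entry RVA 0xB4A0, base 0x800000
    hdr = dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")
    hdr += sec(b"UPX0", 0x6000, 0x1000, 0, 0,
               IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    hdr += sec(b"UPX1", 0x5000, 0x7000, len(upx1_raw), 0x400,
               IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ)
    hdr += sec(b".rsrc", 0x1000, 0xC000, len(rsrc_raw), 0x400 + len(upx1_raw),
               IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ)
    return hdr.ljust(0x400, b"\0") + upx1_raw + rsrc_raw


if __name__ == "__main__":
    img = build_sample_pe()
    base, entry, secs = parse_pe32(img)
    print("entry point %#x (image base %#x)" % (base + entry, base))
    for s in secs:
        print("%-6s va=%#07x vsize=%#07x raw=%#07x entropy=%.2f zlib=%.3f"
              % (s["name"], s["va"], s["vsize"], s["rawsize"], s["entropy"], s["zlib"]))
    for f in upx_indicators(img):
        print("-", f)
```

To run it on a file, pass open(path, "rb").read() to parse_pe32() or upx_indicators(). For the unpacked image use upx -d, or dump memory after the stub has jumped into UPX0; that is the image whose imports and strings are worth reading.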
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 11, 2015 10:02:36.522761106 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
Nov 11, 2015 10:02:36.522792101 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
Nov 11, 2015 10:02:36.522880077 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
Nov 11, 2015 10:02:43.616199970 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
Nov 11, 2015 10:02:43.616286993 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
Nov 11, 2015 10:02:43.616370916 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
Nov 11, 2015 10:02:43.616391897 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
Nov 11, 2015 10:03:06.632709026 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
Nov 11, 2015 10:03:06.632744074 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
Nov 11, 2015 10:03:06.632796049 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
Nov 11, 2015 10:03:13.730776072 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
Nov 11, 2015 10:03:13.730999947 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
Nov 11, 2015 10:03:13.731173992 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
Nov 11, 2015 10:03:13.731205940 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
Nov 11, 2015 10:03:13.733666897 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
Nov 11, 2015 10:03:13.733711004 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
Nov 11, 2015 10:03:13.733896017 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
Nov 11, 2015 10:03:20.818639994 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
Nov 11, 2015 10:03:20.818861008 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
Nov 11, 2015 10:03:20.819017887 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
Nov 11, 2015 10:03:20.819047928 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
Nov 11, 2015 10:03:20.819505930 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
Nov 11, 2015 10:03:20.819530964 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
Nov 11, 2015 10:03:20.819674015 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
Nov 11, 2015 10:03:27.890386105 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
Nov 11, 2015 10:03:27.890486002 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
Nov 11, 2015 10:03:27.890561104 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
Nov 11, 2015 10:03:27.890579939 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
Nov 11, 2015 10:03:27.891585112 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
Nov 11, 2015 10:03:27.891601086 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
Nov 11, 2015 10:03:27.891670942 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
Nov 11, 2015 10:03:34.995457888 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
Nov 11, 2015 10:03:34.995536089 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
Nov 11, 2015 10:03:35.005238056 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
Nov 11, 2015 10:03:35.005254984 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
Nov 11, 2015 10:03:35.006877899 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
Nov 11, 2015 10:03:35.006895065 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
Nov 11, 2015 10:03:35.006946087 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
Nov 11, 2015 10:03:42.075124979 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
Nov 11, 2015 10:03:42.075191021 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
Nov 11, 2015 10:03:42.075270891 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
Nov 11, 2015 10:03:42.075287104 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
Nov 11, 2015 10:03:42.076817036 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
Nov 11, 2015 10:03:42.076850891 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
Nov 11, 2015 10:03:42.076909065 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
Nov 11, 2015 10:03:49.148072004 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
Nov 11, 2015 10:03:49.148324966 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
Nov 11, 2015 10:03:49.154516935 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
Nov 11, 2015 10:03:49.154555082 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
Nov 11, 2015 10:04:10.927279949 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
Nov 11, 2015 10:04:10.927323103 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
Nov 11, 2015 10:04:10.927367926 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
Nov 11, 2015 10:04:18.007769108 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
Nov 11, 2015 10:04:18.007874966 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
Nov 11, 2015 10:04:18.007952929 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
Nov 11, 2015 10:04:18.007967949 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
Nov 11, 2015 10:04:18.008326054 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
Nov 11, 2015 10:04:18.008346081 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
Nov 11, 2015 10:04:18.008434057 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
Nov 11, 2015 10:04:25.065514088 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
Nov 11, 2015 10:04:25.065643072 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
Nov 11, 2015 10:04:25.065741062 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
Nov 11, 2015 10:04:25.065761089 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
Nov 11, 2015 10:04:25.066190004 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
Nov 11, 2015 10:04:25.066216946 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
Nov 11, 2015 10:04:25.066308022 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
Nov 11, 2015 10:04:32.120498896 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
Nov 11, 2015 10:04:32.120680094 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
Nov 11, 2015 10:04:32.120836973 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
Nov 11, 2015 10:04:32.120867014 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
Nov 11, 2015 10:04:39.113207102 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
Nov 11, 2015 10:04:39.113261938 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
Nov 11, 2015 10:04:39.113383055 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
Nov 11, 2015 10:04:46.178421974 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
Nov 11, 2015 10:04:46.178494930 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
Nov 11, 2015 10:04:46.178570986 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
Nov 11, 2015 10:04:46.178586960 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
Nov 11, 2015 10:04:46.179630041 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
Nov 11, 2015 10:04:46.179647923 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
Nov 11, 2015 10:04:46.179697990 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
Nov 11, 2015 10:04:53.242748022 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
Nov 11, 2015 10:04:53.242872953 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
Nov 11, 2015 10:04:53.242935896 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
Nov 11, 2015 10:04:53.242949963 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
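Parsing and summarising the flow records above, as an added example that is not part of the Joe Sandbox report. It turns rows of the TCP Packets table into per-destination flows, flags destination ports outside a small allow-list (the check behind "Detected TCP or UDP traffic on non-standard ports" in the Signature Overview), and reports any port contacted on many distinct hosts, which is the pattern the twelve flows to port 1042 show. The sample rows are copied verbatim from the table (the first three packets of five of the flows); the 192.168.1. guest prefix and the WELL_KNOWN_PORTS allow-list are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rows copied from the report's "TCP Packets" table; column layout is
# Timestamp | Source Port | Dest Port | Source IP | Dest IP.
SAMPLE_ROWS = """\
Nov 11, 2015 10:02:36.522761106 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160
Nov 11, 2015 10:02:36.522792101 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12
Nov 11, 2015 10:02:36.522880077 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160
Nov 11, 2015 10:03:06.632709026 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42
Nov 11, 2015 10:03:06.632744074 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12
Nov 11, 2015 10:03:06.632796049 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42
Nov 11, 2015 10:03:13.733666897 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50
Nov 11, 2015 10:03:13.733711004 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12
Nov 11, 2015 10:03:13.733896017 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50
Nov 11, 2015 10:03:20.819505930 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116
Nov 11, 2015 10:03:20.819530964 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12
Nov 11, 2015 10:03:20.819674015 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116
Nov 11, 2015 10:03:27.891585112 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5
Nov 11, 2015 10:03:27.891601086 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12
Nov 11, 2015 10:03:27.891670942 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5
"""

LOCAL_NET = "192.168.1."   # assumption: the sandbox guest's network
# Assumption: a short allow-list of ports a desktop guest is expected to talk to.
WELL_KNOWN_PORTS = {20, 21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 995}

ROW_RE = re.compile(
    r"^(?P<ts>.+?) CET \| (?P<sport>\d+) \| (?P<dport>\d+) \| (?P<src>[\d.]+) \| (?P<dst>[\d.]+)\s*$")


def parse_rows(text):
    """One dict per table row; rows that do not match the layout are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        head, frac = m.group("ts").split(".")
        # strptime's %f accepts at most six fractional digits; the report logs nine
        ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        pkts.append({"ts": ts, "sport": int(m.group("sport")), "dport": int(m.group("dport")),
                     "src": m.group("src"), "dst": m.group("dst")})
    return pkts


def outbound_flows(pkts):
    """Group packets sent by the guest into (dst, dport) flows with packet count and time span."""
    flows = {}
    for p in pkts:
        if not p["src"].startswith(LOCAL_NET):
            continue                      # replies do not define the flow's direction
        f = flows.setdefault((p["dst"], p["dport"]), {"packets": 0, "first": p["ts"], "last": p["ts"]})
        f["packets"] += 1
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
    return flows


def non_standard_port_flows(flows):
    """Flows whose destination port is not on the allow-list (the sandbox's 'non-standard port' signal)."""
    return sorted(k for k in flows if k[1] not in WELL_KNOWN_PORTS)


def horizontal_scan(flows, min_targets=5):
    """Ports the guest contacted on at least min_targets distinct hosts: one service, many peers."""
    targets = defaultdict(set)
    for dst, dport in flows:
        targets[dport].add(dst)
    return {port: sorted(hosts) for port, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    flows = outbound_flows(parse_rows(SAMPLE_ROWS))
    for (dst, dport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{dst:16s} :{dport}  packets={f['packets']}  first={f['first'].time()}")
    print("non-standard ports:", non_standard_port_flows(flows))
    print("horizontal pattern:", horizontal_scan(flows))
```

In the full table every flow is three packets, a pause of about seven seconds, then four more, and the next destination is contacted within a millisecond of the previous flow ending: the guest steps through twelve hosts on the same port one after another, which is why the per-port host count, not the single non-standard port, is the more useful signal.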
Hooks - Code Manipulation Behavior |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 10:02:35 |
Start date: | 11/11/2015 |
Path: | C:\yauz.bat |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x800000 |
File size: | 22024 bytes |
MD5 hash: | 6071A0CF7861302564BD4FC44396E7A4 |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 19.9% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 11% |
Total number of Nodes: | 711 |
Total number of Limit Nodes: | 20 |
Executed Functions |
---|
Non-executed Functions |
---|