Analysis Report
Overview
General Information
| Field | Value |
|---|---|
| Analysis ID: | 89665 |
| Start time: | 10:01:34 |
| Start date: | 11/11/2015 |
| Overall analysis duration: | 0h 3m 38s |
| Report type: | full |
| Sample file name: | yauz.bat |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
| Number of new started processes analysed: | 4 |
| Number of new started drivers analysed: | 1 |
| Number of existing processes analysed: | 1 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| HCA enabled: | true |
| EGA enabled: | true |
| HDC enabled: | false |
| HCA success: | true, ratio: 100% |
| EGA success: | true, ratio: 100% |
| HDC success: | false |
| Cookbook Comments: | |
| Warnings: | |
Detection
| Strategy | Score | Range | Reporting | Detection |
|---|---|---|---|---|
| Threshold | 52 | 0 - 100 | | |
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Signature Overview
Networking:
| Signature | Source | Evidence |
|---|---|---|
| Urls found in memory or binary data | yauz.bat | String found in binary or memory |
| Contains functionality to download additional files from the internet | C:\yauz.bat | Code function 0_2_00807983 |
| Found strings which match to known social media urls | yauz.bat | String found in binary or memory (4 sources listed) |
| Detected TCP or UDP traffic on non-standard ports | global traffic | TCP traffic (12 sources listed) |
Boot Survival:
| Signature | Source | Evidence |
|---|---|---|
| Creates an autostart registry key | C:\yauz.bat | Registry value created or modified (2 sources listed) |
| Creates an autostart registry key pointing to binary in C:\Windows | C:\yauz.bat | Registry value created or modified |
Remote Access Functionality:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to open a port and listen for incoming connection (possibly a backdoor) | C:\yauz.bat | Code function 0_2_00807D81, 0_1_00807D81 |
Stealing of Sensitive Information:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to search for IE or Outlook window (often done to steal information) | C:\yauz.bat | Code function 0_2_00802C72, 0_1_00802C72 |
Persistence and Installation Behavior:
| Signature | Source | Evidence |
|---|---|---|
| Drops PE files | C:\yauz.bat | File created |
| Drops PE files to the windows directory (C:\Windows) | C:\yauz.bat | File created |
Data Obfuscation:
| Signature | Source | Evidence |
|---|---|---|
| Sample is packed with UPX | initial sample | Static PE information (4 sources listed) |
| Contains functionality to dynamically determine API calls | C:\yauz.bat | Code function 0_2_00803108 |
| PE file contains an invalid checksum | lsass.exe.3304.dr, yauz.bat | Static PE information |
| Uses code obfuscation techniques (call, push, ret) | C:\yauz.bat | Code function 0_2_00807F0E, 0_1_00807F0E |
Spreading:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to enumerate / list files inside a directory | C:\yauz.bat | Code function 0_2_00804D32, 0_1_00804D32 |
System Summary:
| Signature | Source | Evidence |
|---|---|---|
| Creates temporary files | C:\yauz.bat | File created |
| Reads software policies | C:\yauz.bat | Key opened |
| PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) | yauz.bat, lsass.exe.3304.dr | Static PE information |
| Creates files inside the system directory | C:\yauz.bat | File created |
| Deletes Windows files | C:\yauz.bat | File deleted |
| PE file contains strange resources | yauz.bat, lsass.exe.3304.dr | Static PE information |
| Sample reads its own file content | C:\yauz.bat | File read |
| Drops files with a known system name (to hide its detection) | C:\yauz.bat | File created (2 sources listed) |
HIPS / PFW / Operating System Protection Evasion:
| Signature | Source | Evidence |
|---|---|---|
| May try to detect the Windows Explorer process (often used for injection) | yauz.bat | Binary or memory string (4 sources listed) |
Anti Debugging:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to dynamically determine API calls | C:\yauz.bat | Code function 0_2_00803108 |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | C:\yauz.bat | Code function 0_2_008036E5 |
Malware Analysis System Evasion:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to enumerate / list files inside a directory | C:\yauz.bat | Code function 0_2_00804D32, 0_1_00804D32 |
| Found decision node followed by non-executed suspicious APIs | C:\yauz.bat | Decision node followed by non-executed suspicious API: graph_0-2598 |
| Found dropped PE file which has not been started or loaded | C:\yauz.bat | Dropped PE file which has not been started |
| May sleep (evasive loops) to hinder dynamic analysis | C:\yauz.bat TID: 3308 | Thread sleep time |
Language, Device and Operating System Detection:
| Signature | Source | Evidence |
|---|---|---|
| Contains functionality to query local / system time | C:\yauz.bat | Code function 0_2_00802DB3 |
| Contains functionality to query time zone information | C:\yauz.bat | Code function 0_2_00802DB3 |
Yara Overview
No Yara matches
Startup
Created / dropped Files
| File Path | Type and Hashes |
|---|---|
Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
| IP | Country | ASN | ASN Name |
|---|---|---|---|
| 15.238.20.130 | United States | 10782 | Hewlett-Packard Company |
| 15.228.71.140 | United States | 10782 | Hewlett-Packard Company |
| 141.240.12.247 | United States | 18454 | Augsburg College |
| 15.246.57.42 | United States | 10782 | Hewlett-Packard Company |
| 15.228.173.71 | United States | 10782 | Hewlett-Packard Company |
| 16.102.50.60 | United States | 71 | unknown |
| 167.193.151.116 | United States | 2897 | unknown |
| 16.126.194.5 | United States | 71 | unknown |
| 129.81.102.160 | United States | 10349 | Tulane University |
| 16.83.200.38 | United States | 71 | unknown |
| 67.64.125.225 | United States | 7018 | unknown |
| 166.77.111.50 | United States | 7256 | unknown |
Static File Info
General
| Field | Value |
|---|---|
| File type: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| TrID: | |
| File name: | yauz.bat |
| File size: | 22024 bytes |
| MD5: | 6071a0cf7861302564bd4fc44396e7a4 |
| SHA1: | d173820980584951b5739d67955ce453b4f39312 |
| SHA256: | bf92618f847f4c9a8ed09a390030466ee9a48215618f9602130c52cd6529cae6 |
| SHA512: | 751cf7c773dccb14a3d48e17219144b7012032e9a049c321b834b8b94f59c85d8f20e7e8bbf671d5e19bf8110e40e3e63dd2bb9218f75d9145ed7db6f66317bb |
File Icon
Static PE Info
General
| Field | Value |
|---|---|
| Entrypoint: | 0x80b4a0 |
| Entrypoint Section: | UPX1 |
| Digitally signed: | false |
| Imagebase: | 0x800000 |
| Subsystem: | windows gui 40 |
| Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | |
| Subsystem Version Minor: | |
| Import Hash: | 5d02f6de12eb07fb22fe87e05e50d6a0 |
Entrypoint Preview
| Instruction |
|---|
| pushad |
| mov esi, 00807000h |
| lea edi, dword ptr [esi-00006000h] |
| push edi |
| or ebp, FFFFFFFFh |
| jmp 00007F9D9CE8EEE2h |
| nop |
| nop |
| nop |
| nop |
| nop |
| nop |
| mov al, byte ptr [esi] |
| inc esi |
| mov byte ptr [edi], al |
| inc edi |
| add ebx, ebx |
| jne 00007F9D9CE8EED9h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jc 00007F9D9CE8EEBFh |
| mov eax, 00000001h |
| add ebx, ebx |
| jne 00007F9D9CE8EED9h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc eax, eax |
| add ebx, ebx |
| jnc 00007F9D9CE8EEC1h |
| jne 00007F9D9CE8EEDBh |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jnc 00007F9D9CE8EEB6h |
| xor ecx, ecx |
| sub eax, 03h |
| jc 00007F9D9CE8EEDFh |
| shl eax, 08h |
| mov al, byte ptr [esi] |
| inc esi |
| xor eax, FFFFFFFFh |
| je 00007F9D9CE8EF46h |
| mov ebp, eax |
| add ebx, ebx |
| jne 00007F9D9CE8EED9h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| add ebx, ebx |
| jne 00007F9D9CE8EED9h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| jne 00007F9D9CE8EEF2h |
| inc ecx |
| add ebx, ebx |
| jne 00007F9D9CE8EED9h |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| adc ecx, ecx |
| add ebx, ebx |
| jnc 00007F9D9CE8EEC1h |
| jne 00007F9D9CE8EEDBh |
| mov ebx, dword ptr [esi] |
| sub esi, FFFFFFFCh |
| adc ebx, ebx |
| jnc 00007F9D9CE8EEB6h |
| add ecx, 02h |
| cmp ebp, FFFFF300h |
| adc ecx, 01h |
| lea edx, dword ptr [edi+ebp] |
| cmp ebp, FFFFFFFCh |
| jbe 00007F9D9CE8EEE1h |
| mov al, byte ptr [edx] |
| inc edx |
| mov byte ptr [edi], al |
| inc edi |
| dec ecx |
| jne 00007F9D9CE8EEC9h |
| jmp 00007F9D9CE8EE38h |
| nop |
| mov eax, dword ptr [edx] |
Data Directories
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc514 | 0x130 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x514 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x6000 | 0x0 | 0.0 | False | 0 | empty | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| UPX1 | 0x7000 | 0x5000 | 0x4600 | 7.89790234125 | False | 0.992410714286 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc000 | 0x1000 | 0x800 | 2.64956945519 | False | 0.2783203125 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Resources
| Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
|---|---|---|---|---|---|---|---|
| RT_ICON | 0xc0d8 | 0x2e8 | data | English | United States | 0 | False |
| RT_ICON | 0xc3c4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
| RT_GROUP_ICON | 0xc4f0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States | 0 | False |
Imports
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, ExitProcess |
| ADVAPI32.dll | RegCloseKey |
| MSVCRT.dll | time |
| USER32.dll | wsprintfA |
| WS2_32.dll | gethostname |
Possible Origin
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
Network Behavior
TCP Packets
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 11, 2015 10:02:36.522761106 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
| Nov 11, 2015 10:02:36.522792101 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
| Nov 11, 2015 10:02:36.522880077 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
| Nov 11, 2015 10:02:43.616199970 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
| Nov 11, 2015 10:02:43.616286993 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
| Nov 11, 2015 10:02:43.616370916 CET | 49167 | 1042 | 192.168.1.12 | 129.81.102.160 |
| Nov 11, 2015 10:02:43.616391897 CET | 1042 | 49167 | 129.81.102.160 | 192.168.1.12 |
| Nov 11, 2015 10:03:06.632709026 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
| Nov 11, 2015 10:03:06.632744074 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
| Nov 11, 2015 10:03:06.632796049 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
| Nov 11, 2015 10:03:13.730776072 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
| Nov 11, 2015 10:03:13.730999947 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
| Nov 11, 2015 10:03:13.731173992 CET | 49171 | 1042 | 192.168.1.12 | 15.246.57.42 |
| Nov 11, 2015 10:03:13.731205940 CET | 1042 | 49171 | 15.246.57.42 | 192.168.1.12 |
| Nov 11, 2015 10:03:13.733666897 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
| Nov 11, 2015 10:03:13.733711004 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
| Nov 11, 2015 10:03:13.733896017 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
| Nov 11, 2015 10:03:20.818639994 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
| Nov 11, 2015 10:03:20.818861008 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
| Nov 11, 2015 10:03:20.819017887 CET | 49173 | 1042 | 192.168.1.12 | 166.77.111.50 |
| Nov 11, 2015 10:03:20.819047928 CET | 1042 | 49173 | 166.77.111.50 | 192.168.1.12 |
| Nov 11, 2015 10:03:20.819505930 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
| Nov 11, 2015 10:03:20.819530964 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
| Nov 11, 2015 10:03:20.819674015 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
| Nov 11, 2015 10:03:27.890386105 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
| Nov 11, 2015 10:03:27.890486002 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
| Nov 11, 2015 10:03:27.890561104 CET | 49174 | 1042 | 192.168.1.12 | 167.193.151.116 |
| Nov 11, 2015 10:03:27.890579939 CET | 1042 | 49174 | 167.193.151.116 | 192.168.1.12 |
| Nov 11, 2015 10:03:27.891585112 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
| Nov 11, 2015 10:03:27.891601086 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
| Nov 11, 2015 10:03:27.891670942 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
| Nov 11, 2015 10:03:34.995457888 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
| Nov 11, 2015 10:03:34.995536089 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
| Nov 11, 2015 10:03:35.005238056 CET | 49176 | 1042 | 192.168.1.12 | 16.126.194.5 |
| Nov 11, 2015 10:03:35.005254984 CET | 1042 | 49176 | 16.126.194.5 | 192.168.1.12 |
| Nov 11, 2015 10:03:35.006877899 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
| Nov 11, 2015 10:03:35.006895065 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
| Nov 11, 2015 10:03:35.006946087 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
| Nov 11, 2015 10:03:42.075124979 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
| Nov 11, 2015 10:03:42.075191021 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
| Nov 11, 2015 10:03:42.075270891 CET | 49179 | 1042 | 192.168.1.12 | 15.228.71.140 |
| Nov 11, 2015 10:03:42.075287104 CET | 1042 | 49179 | 15.228.71.140 | 192.168.1.12 |
| Nov 11, 2015 10:03:42.076817036 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
| Nov 11, 2015 10:03:42.076850891 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
| Nov 11, 2015 10:03:42.076909065 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
| Nov 11, 2015 10:03:49.148072004 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
| Nov 11, 2015 10:03:49.148324966 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
| Nov 11, 2015 10:03:49.154516935 CET | 49180 | 1042 | 192.168.1.12 | 67.64.125.225 |
| Nov 11, 2015 10:03:49.154555082 CET | 1042 | 49180 | 67.64.125.225 | 192.168.1.12 |
| Nov 11, 2015 10:04:10.927279949 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
| Nov 11, 2015 10:04:10.927323103 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
| Nov 11, 2015 10:04:10.927367926 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
| Nov 11, 2015 10:04:18.007769108 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
| Nov 11, 2015 10:04:18.007874966 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
| Nov 11, 2015 10:04:18.007952929 CET | 49184 | 1042 | 192.168.1.12 | 141.240.12.247 |
| Nov 11, 2015 10:04:18.007967949 CET | 1042 | 49184 | 141.240.12.247 | 192.168.1.12 |
| Nov 11, 2015 10:04:18.008326054 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
| Nov 11, 2015 10:04:18.008346081 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
| Nov 11, 2015 10:04:18.008434057 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
| Nov 11, 2015 10:04:25.065514088 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
| Nov 11, 2015 10:04:25.065643072 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
| Nov 11, 2015 10:04:25.065741062 CET | 49185 | 1042 | 192.168.1.12 | 16.102.50.60 |
| Nov 11, 2015 10:04:25.065761089 CET | 1042 | 49185 | 16.102.50.60 | 192.168.1.12 |
| Nov 11, 2015 10:04:25.066190004 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
| Nov 11, 2015 10:04:25.066216946 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
| Nov 11, 2015 10:04:25.066308022 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
| Nov 11, 2015 10:04:32.120498896 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
| Nov 11, 2015 10:04:32.120680094 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
| Nov 11, 2015 10:04:32.120836973 CET | 49186 | 1042 | 192.168.1.12 | 16.83.200.38 |
| Nov 11, 2015 10:04:32.120867014 CET | 1042 | 49186 | 16.83.200.38 | 192.168.1.12 |
| Nov 11, 2015 10:04:39.113207102 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
| Nov 11, 2015 10:04:39.113261938 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
| Nov 11, 2015 10:04:39.113383055 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
| Nov 11, 2015 10:04:46.178421974 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
| Nov 11, 2015 10:04:46.178494930 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
| Nov 11, 2015 10:04:46.178570986 CET | 49187 | 1042 | 192.168.1.12 | 15.238.20.130 |
| Nov 11, 2015 10:04:46.178586960 CET | 1042 | 49187 | 15.238.20.130 | 192.168.1.12 |
| Nov 11, 2015 10:04:46.179630041 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
| Nov 11, 2015 10:04:46.179647923 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
| Nov 11, 2015 10:04:46.179697990 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
| Nov 11, 2015 10:04:53.242748022 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
| Nov 11, 2015 10:04:53.242872953 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
| Nov 11, 2015 10:04:53.242935896 CET | 49189 | 1042 | 192.168.1.12 | 15.228.173.71 |
| Nov 11, 2015 10:04:53.242949963 CET | 1042 | 49189 | 15.228.173.71 | 192.168.1.12 |
Hooks - Code Manipulation Behavior
Statistics
CPU Usage
Memory Usage
High Level Behavior Distribution
System Behavior
General
| Field | Value |
|---|---|
| Start time: | 10:02:35 |
| Start date: | 11/11/2015 |
| Path: | C:\yauz.bat |
| Wow64 process (32bit): | false |
| Commandline: | unknown |
| Imagebase: | 0x800000 |
| File size: | 22024 bytes |
| MD5 hash: | 6071A0CF7861302564BD4FC44396E7A4 |
Disassembly
Code Analysis
Execution Graph
| Field | Value |
|---|---|
| Execution Coverage: | 19.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 11% |
| Total number of Nodes: | 711 |
| Total number of Limit Nodes: | 20 |
Executed Functions
Non-executed Functions