Analysis Report

Overview

General Information

| Field | Value |
|---|---|
| Analysis ID | 90047 |
| Start time | 10:46:38 |
| Start date | 13/11/2015 |
| Overall analysis duration | 0h 3m 37s |
| Report type | full |
| Sample file name | attachment.exe |
| Cookbook file name | default.jbs |
| Analysis system description | Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
| Number of new started processes analysed | 4 |
| Number of new started drivers analysed | 1 |
| Number of existing processes analysed | 1 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
Detection

| Strategy | Score | Range |
|---|---|---|
| Threshold | 52 | 0 - 100 |
Analysis Advice

- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
Signature Overview

Networking:

- Urls found in memory or binary data
  - Source: attachment.exe | String found in binary or memory (4 matches)
- Contains functionality to download additional files from the internet
  - Source: C:\attachment.exe | Code function: 0_2_00807983
- Found strings which match to known social media urls
  - Source: attachment.exe | String found in binary or memory (4 matches)
- Detected TCP or UDP traffic on non-standard ports
  - Source: global traffic | TCP traffic (2 flows; see the TCP Packets table under Network Behavior)

Boot Survival:

- Creates an autostart registry key
  - Source: C:\attachment.exe | Registry value created or modified (2 entries)
- Creates an autostart registry key pointing to binary in C:\Windows
  - Source: C:\attachment.exe | Registry value created or modified

Remote Access Functionality:

- Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
  - Source: C:\attachment.exe | Code function: 0_2_00807D81
  - Source: C:\attachment.exe | Code function: 0_1_00807D81

Stealing of Sensitive Information:

- Contains functionality to search for IE or Outlook window (often done to steal information)
  - Source: C:\attachment.exe | Code function: 0_2_00802C72
  - Source: C:\attachment.exe | Code function: 0_1_00802C72

Persistence and Installation Behavior:

- Drops PE files
  - Source: C:\attachment.exe | File created
- Drops PE files to the windows directory (C:\Windows)
  - Source: C:\attachment.exe | File created

Data Obfuscation:

- Sample is packed with UPX
  - Source: initial sample | Static PE information (4 indicators)
- Contains functionality to dynamically determine API calls
  - Source: C:\attachment.exe | Code function: 0_2_00803108
- PE file contains an invalid checksum
  - Source: lsass.exe.3300.dr | Static PE information
  - Source: attachment.exe | Static PE information
- Uses code obfuscation techniques (call, push, ret)
  - Source: C:\attachment.exe | Code function: 0_2_00807F0E
  - Source: C:\attachment.exe | Code function: 0_1_00807F0E

Spreading:

- Contains functionality to enumerate / list files inside a directory
  - Source: C:\attachment.exe | Code function: 0_2_00804D32
  - Source: C:\attachment.exe | Code function: 0_1_00804D32

System Summary:

- Creates temporary files
  - Source: C:\attachment.exe | File created
- Reads software policies
  - Source: C:\attachment.exe | Key opened
- PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  - Source: attachment.exe | Static PE information
  - Source: lsass.exe.3300.dr | Static PE information
- Creates files inside the system directory
  - Source: C:\attachment.exe | File created
- Deletes Windows files
  - Source: C:\attachment.exe | File deleted
- PE file contains strange resources
  - Source: attachment.exe | Static PE information
  - Source: lsass.exe.3300.dr | Static PE information
- Sample reads its own file content
  - Source: C:\attachment.exe | File read
- Drops files with a known system name (to hide its detection)
  - Source: C:\attachment.exe | File created (2 files)

HIPS / PFW / Operating System Protection Evasion:

- May try to detect the Windows Explorer process (often used for injection)
  - Source: attachment.exe | Binary or memory string (4 matches)

Anti Debugging:

- Contains functionality to dynamically determine API calls
  - Source: C:\attachment.exe | Code function: 0_2_00803108
- Contains functionality which may be used to detect a debugger (GetProcessHeap)
  - Source: C:\attachment.exe | Code function: 0_2_008036E5

Malware Analysis System Evasion:

- Contains functionality to enumerate / list files inside a directory
  - Source: C:\attachment.exe | Code function: 0_2_00804D32
  - Source: C:\attachment.exe | Code function: 0_1_00804D32
- Found decision node followed by non-executed suspicious APIs
  - Source: C:\attachment.exe | Decision node followed by non-executed suspicious API: graph_0-2598
- Found dropped PE file which has not been started or loaded
  - Source: C:\attachment.exe | Dropped PE file which has not been started
- May sleep (evasive loops) to hinder dynamic analysis
  - Source: C:\attachment.exe TID: 3304 | Thread sleep time

Language, Device and Operating System Detection:

- Contains functionality to query local / system time
  - Source: C:\attachment.exe | Code function: 0_2_00802DB3
- Contains functionality to query time zone information
  - Source: C:\attachment.exe | Code function: 0_2_00802DB3
Yara Overview

No Yara matches
Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

| IP | Country | ASN | ASN Name |
|---|---|---|---|
| 167.194.149.124 | United States | 2897 | GeorgiaTechnologyAuthority |
| 4.131.14.165 | United States | 3356 | Level3CommunicationsInc |
Static File Info

General

| Field | Value |
|---|---|
| File type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| File name | attachment.exe |
| File size | 39156 bytes |
| MD5 | a44d377b7916cd7a08240d1d0fc4ba32 |
| SHA1 | 7d11c2c6ea293e6a04fa59077a08f5a902074e5b |
| SHA256 | da61d7474d404380e9ad61ed1086b2091e028daa4ead047a1537b68d4929bd52 |
| SHA512 | 6b984ba7891238675c06c473a32f6ac4e0be8d91d5bc571de30b37e6110b31e978e0ac393e0ee91785c0912e2050a523f370d7c982d073a43555ff0aa15b8f8d |
Static PE Info

General

| Field | Value |
|---|---|
| Entrypoint | 0x80b4a0 |
| Entrypoint Section | UPX1 |
| Digitally signed | false |
| Imagebase | 0x800000 |
| Subsystem | windows gui 40 |
| Image File Characteristics | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
| DLL Characteristics | |
| Time Stamp | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
| TLS Callbacks | |
| CLR (.Net) Version | |
| OS Version Major | 4 |
| OS Version Minor | 0 |
| File Version Major | 4 |
| File Version Minor | 0 |
| Subsystem Version Major | |
| Subsystem Version Minor | |
| Import Hash | 5d02f6de12eb07fb22fe87e05e50d6a0 |
Entrypoint Preview

```asm
pushad
mov esi, 00807000h
lea edi, dword ptr [esi-00006000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F3FB8D5B7A2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F3FB8D5B799h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F3FB8D5B77Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F3FB8D5B799h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F3FB8D5B781h
jne 00007F3FB8D5B79Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F3FB8D5B776h
xor ecx, ecx
sub eax, 03h
jc 00007F3FB8D5B79Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F3FB8D5B806h
mov ebp, eax
add ebx, ebx
jne 00007F3FB8D5B799h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F3FB8D5B799h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F3FB8D5B7B2h
inc ecx
add ebx, ebx
jne 00007F3FB8D5B799h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F3FB8D5B781h
jne 00007F3FB8D5B79Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F3FB8D5B776h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F3FB8D5B7A1h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F3FB8D5B789h
jmp 00007F3FB8D5B6F8h
nop
mov eax, dword ptr [edx]
```
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc514 | 0x130 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x514 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x6000 | 0x0 | 0.0 | False | 0 | empty | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| UPX1 | 0x7000 | 0x5000 | 0x4600 | 7.89790234125 | False | 0.992410714286 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc000 | 0x1000 | 0x800 | 2.64956945519 | False | 0.2783203125 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Resources

| Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
|---|---|---|---|---|---|---|---|
| RT_ICON | 0xc0d8 | 0x2e8 | data | English | United States | 0 | False |
| RT_ICON | 0xc3c4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States | 0 | False |
| RT_GROUP_ICON | 0xc4f0 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States | 0 | False |
Imports

| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, ExitProcess |
| ADVAPI32.dll | RegCloseKey |
| MSVCRT.dll | time |
| USER32.dll | wsprintfA |
| WS2_32.dll | gethostname |
Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
Network Behavior

TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 13, 2015 10:47:37.365443945 CET | 49167 | 1042 | 192.168.1.12 | 4.131.14.165 |
| Nov 13, 2015 10:47:37.365478992 CET | 1042 | 49167 | 4.131.14.165 | 192.168.1.12 |
| Nov 13, 2015 10:47:37.365566015 CET | 49167 | 1042 | 192.168.1.12 | 4.131.14.165 |
| Nov 13, 2015 10:49:42.905968904 CET | 1042 | 49167 | 4.131.14.165 | 192.168.1.12 |
| Nov 13, 2015 10:49:42.906043053 CET | 49167 | 1042 | 192.168.1.12 | 4.131.14.165 |
| Nov 13, 2015 10:49:42.911087990 CET | 49167 | 1042 | 192.168.1.12 | 4.131.14.165 |
| Nov 13, 2015 10:49:42.911118984 CET | 1042 | 49167 | 4.131.14.165 | 192.168.1.12 |
| Nov 13, 2015 10:49:42.914858103 CET | 49169 | 1042 | 192.168.1.12 | 167.194.149.124 |
| Nov 13, 2015 10:49:42.914882898 CET | 1042 | 49169 | 167.194.149.124 | 192.168.1.12 |
| Nov 13, 2015 10:49:42.914937019 CET | 49169 | 1042 | 192.168.1.12 | 167.194.149.124 |
System Behavior

General

| Field | Value |
|---|---|
| Start time | 10:47:36 |
| Start date | 13/11/2015 |
| Path | C:\attachment.exe |
| Wow64 process (32bit) | false |
| Commandline | unknown |
| Imagebase | 0x800000 |
| File size | 39156 bytes |
| MD5 hash | A44D377B7916CD7A08240D1D0FC4BA32 |
Disassembly

Code Analysis

Execution Graph

| Metric | Value |
|---|---|
| Execution Coverage | 19.7% |
| Dynamic/Decrypted Code Coverage | 0% |
| Signature Coverage | 11% |
| Total number of Nodes | 712 |
| Total number of Limit Nodes | 19 |