
Analysis Report Wireshark-win32-2.6.3.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102801
Start date: 11.01.2019
Start time: 19:28:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Wireshark-win32-2.6.3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean13.evad.winEXE@1/8@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 28.1% (good quality ratio 27.6%)
  • Quality average: 90.2%
  • Quality standard deviation: 19.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 63
  • Number of non-executed functions: 41
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy: Threshold
Score: 13
Range: 0 - 100
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 3
Range: 0 - 5
Further Analysis Required?: true


Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

Two techniques are listed per tactic. Digits following a technique name are the report's hit-count badges for that technique, reproduced as extracted.

Initial Access: Valid Accounts | Replication Through Removable Media
Execution: Windows Remote Management | Service Execution
Persistence: Winlogon Helper DLL | Port Monitors
Privilege Escalation: Port Monitors | Accessibility Features
Defense Evasion: Obfuscated Files or Information 2 | Binary Padding
Credential Access: Credential Dumping | Network Sniffing
Discovery: Security Software Discovery 11 | System Information Discovery 1
Lateral Movement: Application Deployment Software | Remote Services
Collection: Clipboard Data 2 | Data from Removable Media
Exfiltration: Data Compressed | Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol 1 | Fallback Channels

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004061FB FindFirstFileA,FindClose,1_2_004061FB
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_00405799
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_0040270B FindFirstFileA,1_2_0040270B
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_004061FB FindFirstFileA,FindClose,1_1_004061FB
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_1_00405799
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_0040270B FindFirstFileA,1_1_0040270B

Networking:

Urls found in memory or binary data
Source: Wireshark-win32-2.6.3.exe, Wireshark-win32-2.6.3.exe, 00000001.00000003.4523098022.0000000006A70000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: http://desowin.org/usbpcap/
Source: Wireshark-win32-2.6.3.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Wireshark-win32-2.6.3.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: http://www.endace.com/.
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://ask.wireshark.org/
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://ask.wireshark.org/InstallLocationPublisherThe
Source: Wireshark-win32-2.6.3.exe | String found in binary or memory: https://github.com/desowin
Source: nsl7478.tmp.1.dr | String found in binary or memory: https://github.com/desowin/usbpcap/issues/3
Source: Wireshark-win32-2.6.3.exe, Wireshark-win32-2.6.3.exe, 00000001.00000003.4564453142.0000000006A70000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://nmap.org/npcap
Source: Wireshark-win32-2.6.3.exe, 00000001.00000003.4564453142.0000000006A70000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://wiki.wireshark.org/WinPcap
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://www.wireshark.org
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://www.wireshark.org/download.html
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | String found in binary or memory: https://www.wireshark.orgURLInfoAboutURLUpdateInfohttps://www.wireshark.org/download.htmlNoModifyNoR

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard (note: the sequence below ends in EmptyClipboard and SetClipboardData, so this function writes to the clipboard; the actual clipboard read is the GetClipboardData call in the next entry)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_0040524E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_0040524E
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_069A1D68 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA,1_1_069A1D68

System Summary:

Contains functionality to shutdown / reboot the system (OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges immediately before ExitWindowsEx is the standard sequence for enabling SeShutdownPrivilege, which ExitWindowsEx requires; in an installer this is the reboot-when-done path)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004032BF
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_1_004032BF
Detected potential crypto function
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_00406542
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_00404A8D
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_00406542
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_00404A8D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: String function: 00405EF7 appears 34 times
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: String function: 00402ACE appears 53 times
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: String function: 00411A32 appears 50 times
PE file contains strange resources
Source: Wireshark-win32-2.6.3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5356356402.00000000068F0000.00000002.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Wireshark-win32-2.6.3.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File read: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Section loaded: wow64log.dll
(wow64log.dll is probed by the WoW64 loader for every 32-bit process on 64-bit Windows and is not shipped with the OS, so this hit reflects the analysis platform rather than the sample; it is the missing library the Analysis Advice above refers to)
Classification label
Source: classification engine | Classification label: clean13.evad.winEXE@1/8@0/0
Contains functionality to adjust token privileges (e.g. debug / backup) (same entry-point function as the shutdown / reboot entry above; the privilege is enabled immediately before ExitWindowsEx)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004032BF
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_1_004032BF
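The clipboard entries, the shutdown / reboot and token-privilege entries, and the directory enumeration entries under Spreading all have the same shape: a function id followed by the imported-API call sequence Joe Sandbox recovered for that function, with the id repeated at the end. The following Python is an added triage helper, not part of the report and not Joe Sandbox, Wireshark or NSIS code. Its input strings are trimmed from this report's own entries (call order kept, unrelated GUI calls dropped), and the tag names and the idiom patterns it matches are my own. It separates a clipboard write from a clipboard read and recognises the privilege-then-ExitWindowsEx reboot idiom, which is what a reviewer has to do by hand before accepting a CLEAN verdict on an installer.

```python
"""Added triage helper for Joe Sandbox "Code function" signature lines."""
import re
from typing import Dict, List, Optional

# Input lines trimmed from this report's own signature entries (call order
# preserved, unrelated GUI calls dropped to keep the sample short).
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\Wireshark-win32-2.6.3.exe | Code function: "
    "1_2_0040524E GetDlgItem,CreatePopupMenu,AppendMenuA,TrackPopupMenu,SendMessageA,"
    "OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,"
    "SetClipboardData,CloseClipboard,1_2_0040524E",
    "Source: C:\\Users\\user\\Desktop\\Wireshark-win32-2.6.3.exe | Code function: "
    "1_1_069A1D68 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,"
    "SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA,1_1_069A1D68",
    "Source: C:\\Users\\user\\Desktop\\Wireshark-win32-2.6.3.exe | Code function: "
    "1_2_004032BF EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,GetTempPathA,"
    "DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,"
    "LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004032BF",
    "Source: C:\\Users\\user\\Desktop\\Wireshark-win32-2.6.3.exe | Code function: "
    "1_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,"
    "FindFirstFileA,FindNextFileA,FindClose,1_2_00405799",
]

# <process>_<pass>_<RVA> followed by the comma-separated call list; the report
# repeats the function id as the last list element.
LINE_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<calls>\S+)")


def parse_code_function(line: str) -> Optional[Dict[str, object]]:
    """Return {'fid': ..., 'calls': [...]} for a signature line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fid = m.group("fid")
    calls = [c for c in m.group("calls").split(",") if c and c != fid]
    return {"fid": fid, "calls": calls}


def in_order(calls: List[str], pattern: List[str]) -> bool:
    """True if every name in `pattern` occurs in `calls` in that relative order
    (other calls may sit in between)."""
    pos = 0
    for call in calls:
        if call == pattern[pos]:
            pos += 1
            if pos == len(pattern):
                return True
    return False


# Enabling a privilege and then calling ExitWindowsEx is the documented way to
# reboot: ExitWindowsEx needs SeShutdownPrivilege on the caller's token.
REBOOT_IDIOM = ["OpenProcessToken", "LookupPrivilegeValueA",
                "AdjustTokenPrivileges", "ExitWindowsEx"]


def classify(calls: List[str]) -> List[str]:
    """Tag names are this helper's own, not Joe Sandbox categories."""
    tags: List[str] = []
    # GetClipboardData reads; EmptyClipboard/SetClipboardData writes. The
    # report's "read data from the clipboard" hit fires on the write-only path.
    if "GetClipboardData" in calls:
        tags.append("clipboard-read")
    if "SetClipboardData" in calls:
        tags.append("clipboard-write")
    # A bare AdjustTokenPrivileges without the reboot tail is the hit that
    # deserves a look at which privilege is being requested.
    if in_order(calls, REBOOT_IDIOM):
        tags.append("privilege-then-reboot")
    elif "AdjustTokenPrivileges" in calls:
        tags.append("privilege-adjust")
    if "FindFirstFileA" in calls and "FindNextFileA" in calls:
        tags.append("directory-walk")
    elif "FindFirstFileA" in calls:
        tags.append("path-exists-probe")
    return tags


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map every parsable function id in `lines` to its idiom tags."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is not None:
            result[str(parsed["fid"])] = classify(list(parsed["calls"]))
    return result


if __name__ == "__main__":
    for fid, tags in triage(REPORT_LINES).items():
        print(fid, ",".join(tags) or "-")
```

Run as a script it prints one tag list per function id. The point is that 1_2_0040524E resolves to a clipboard write rather than the read the signature title claims, the token-privilege hit on 1_2_004032BF resolves to the reboot idiom rather than a bare privilege grab, and only 1_2_00405799 actually walks a directory (FindFirstFileA followed by FindNextFileA); the single-call FindFirstFileA functions are existence probes.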
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_0040451A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_0040451A
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004020CD CoCreateInstance,MultiByteToWideChar,1_2_004020CD
Creates temporary files
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File created: C:\Users\user\AppData\Local\Temp\nsa739C.tmp
PE file has an executable .text section and no other executable section
Source: Wireshark-win32-2.6.3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Writes ini files
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File written: C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\AdditionalTasksPage.ini
Found GUI installer (many successful clicks)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Automated click: Next > (the report lists 24 identical click entries)
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Found installer window with terms and condition textShow sources
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exeWindow detected: < &BackI &AgreeCancelWireshark Installer Wireshark InstallerLicense AgreementPlease review the license terms before installing Wireshark 2.6.3 32-bit.Press Page Down to see the rest of the agreement.This text consists of three parts:Part I: Some remarks regarding the license given inPart II: The actual license that covers Wireshark.Part III: Other applicable licenses.When in doubt: Part II/III is the legally binding part Part I is justthere to make it easier for people that are not familiar with the GPLv2.------------------------------------------------------------------------Part I:Wireshark is distributed under the GNU GPLv2. There are no restrictionson its use. There are restrictions on its distribution in source orbinary form.Most parts of Wireshark are covered by a "GPL version 2 or later" license.Some files are covered by different licenses that are compatible withthe GPLv2.As a notable exception some utilities distributed with the Wireshark source arecovered by other licenses that are not themselves d
Submission file is bigger than most known malware samples
Source: Wireshark-win32-2.6.3.exe | Static file information: File size 54282456 > 1048576
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Wireshark-win32-2.6.3.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_0040DDBD GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,1_1_0040DDBD
PE file contains an invalid checksum
Source: System.dll.1.dr | Static PE information: real checksum: 0x0 should be: 0x6871
Source: Wireshark-win32-2.6.3.exe | Static PE information: real checksum: 0x33c8b32 should be:
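Windows validates the PE CheckSum field only for drivers, boot-time DLLs and DLLs loaded into critical system processes, so a zero or stale checksum in a third-party installer or its plugin is common and carries little weight on its own. The following script reproduces the "real checksum / should be" comparison above. It is an added example, not code from the report or from the Wireshark or NSIS projects; it implements the ones'-complement word sum that imagehlp's CheckSumMappedFile uses and builds a constructed minimal PE32 header for testing, so it runs offline with no third-party module.

```python
"""Compute and verify the PE image checksum (IMAGE_OPTIONAL_HEADER.CheckSum).

Added example, not part of the Joe Sandbox report. The algorithm: sum every
little-endian 16-bit word of the file except the 4-byte CheckSum field,
fold carries back into 16 bits, then add the file length.
"""
import struct

# Offsets fixed by the PE format: e_lfanew lives at 0x3C in the DOS header;
# CheckSum is byte 64 of the optional header (same for PE32 and PE32+), which
# follows the 4-byte "PE\0\0" signature and the 20-byte COFF file header.
E_LFANEW_OFFSET = 0x3C
CHECKSUM_OFFSET_IN_PE = 4 + 20 + 64


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of the CheckSum dword, validating the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew (missing PE signature)")
    off = e_lfanew + CHECKSUM_OFFSET_IN_PE
    if off + 4 > len(data):
        raise ValueError("optional header truncated")
    return off


def stored_checksum(data: bytes) -> int:
    """The value the image claims ("real checksum" in the report)."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """The value the image should carry ("should be" in the report)."""
    skip = checksum_field_offset(data)
    total = 0
    for i in range(0, len(data) - 1, 2):
        if i == skip or i == skip + 2:      # the CheckSum dword is excluded
            continue
        total += data[i] | (data[i + 1] << 8)
    if len(data) % 2:                       # odd trailing byte, high byte zero
        total += data[-1]
    while total >> 16:                      # end-around carry into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes) -> bool:
    return stored_checksum(data) == compute_checksum(data)


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with CheckSum set; the field is skipped by the sum,
    so writing the computed value leaves compute_checksum() unchanged."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def minimal_pe32(size: int = 0xA0, checksum: int = 0) -> bytes:
    """Constructed test image (not a real binary): just enough header to
    locate the CheckSum field. Non-zero words: MZ, e_lfanew, PE, magic."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 20, 0x10B)            # PE32 magic
    struct.pack_into("<I", buf, 0x40 + CHECKSUM_OFFSET_IN_PE, checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else minimal_pe32()
    print(f"real checksum: {stored_checksum(img):#x} should be: "
          f"{compute_checksum(img):#x} ({'ok' if verify_checksum(img) else 'mismatch'})")
```

Run it against a dropped file (`python pe_checksum.py System.dll`) to confirm the report's figures; the script name is an assumption. For the constructed image the sum of the four non-zero words (0x5a4d + 0x0040 + 0x4550 + 0x010b = 0xa0e8) plus the 0xa0-byte length gives 0xa188.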
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_0040F080 push eax; ret 1_2_0040F0AE
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_0040F080 push eax; ret 1_1_0040F0AE
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_10002D20 push eax; ret 1_1_10002D4E
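The `push eax; ret` sequence flagged above is an indirect jump to eax written without a `jmp` opcode; the same family of idioms (`push imm32; ret` for a direct jump, `call $+5; pop reg` to read EIP) is what this signature looks for, and all of them also occur in legitimate trampolines and position-independent stubs, which is why the finding is low-weight. The scanner below is an added example, not code from the report or from the Wireshark or NSIS projects: it finds these three idioms in raw x86 code bytes and runs over a constructed byte string (not bytes taken from the installer). The base address 0x0040F080 is reused from the report only to label output.

```python
"""Byte-pattern scanner for the control-flow idioms behind the
"call, push, ret" obfuscation signature.

Added example, not part of the Joe Sandbox report. Recognised idioms:

  push r32 ; ret      -> an indirect jump to r32 in disguise
  push imm32 ; ret    -> a direct jump to imm32 without a jmp opcode
  call $+5 ; pop r32  -> loads the return address (EIP) into r32
"""
import struct

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

PUSH_REG = range(0x50, 0x58)    # opcode 50+r
POP_REG = range(0x58, 0x60)     # opcode 58+r
PUSH_IMM32 = 0x68
CALL_REL32 = 0xE8
RET = 0xC3


def find_gadgets(code: bytes, base: int = 0):
    """Return (address, kind, operand) for every idiom found in `code`.

    The scan is byte-wise and does not disassemble, so it can also fire on
    immediates or data that happen to contain these bytes; treat each hit as
    a lead to confirm in a disassembler, exactly as the sandbox signature
    should be treated."""
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if b in PUSH_REG and i + 1 < n and code[i + 1] == RET:
            hits.append((base + i, "push-reg-ret", REG32[b - 0x50]))
        elif b == PUSH_IMM32 and i + 5 < n and code[i + 5] == RET:
            (target,) = struct.unpack_from("<I", code, i + 1)
            hits.append((base + i, "push-imm-ret", f"0x{target:08x}"))
        elif (b == CALL_REL32 and i + 5 < n
              and code[i + 1:i + 5] == b"\0\0\0\0"     # call to the next byte
              and code[i + 5] in POP_REG):
            hits.append((base + i, "call-pop", REG32[code[i + 5] - 0x58]))
    return hits


# Constructed sample, not bytes from the installer: a normal prologue followed
# by one instance of each idiom and a final ret.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                        # push ebp ; mov ebp, esp
    0x50, 0xC3,                              # push eax ; ret       (= jmp eax)
    0x68, 0x00, 0x10, 0x40, 0x00, 0xC3,      # push 0x401000 ; ret  (= jmp 0x401000)
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B,      # call $+5 ; pop ebx   (ebx = EIP)
    0xC3,                                    # ret
])

if __name__ == "__main__":
    for addr, kind, operand in find_gadgets(SAMPLE_CODE, base=0x0040F080):
        print(f"{addr:#010x}  {kind:13} {operand}")
```

A disassembler-driven version would walk the instruction stream and only report sequences that sit on a decoded instruction boundary; the byte scan is what most quick triage scripts and sandbox signatures actually do, which is the source of their false positives.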

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File created: C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\System.dll
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | File created: C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\InstallOptions.dll
Both dropped files are stock NSIS plugins that every NSIS-built installer unpacks into its temporary nsXXXX.tmp plugin directory; the ini read below is consistent with InstallOptions, whose custom dialog pages are described in an .ini file.
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_069A140B wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA,1_1_069A140B

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
The strings matched below are the installer's own payload: the list of files it extracts and the App Paths and Uninstall registry values it writes. The hit is on WIRESHARK.EXE and DUMPCAP.EXE, which the signature treats as analysis-tool process names because Wireshark is a packet-capture tool; this is the only evasion-category signature in the report.
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXEQT5CORE.DLLQT5GUI.DLLQT5MULTIMEDIA.DLLQT5NETWORK.DLLQT5PRINTSUPPORT.DLLQT5SVG.DLLQT5WIDGETS.DLLQT5WINEXTRAS.DLLLIBGLESV2.DLLLIBEGL.DLLD3DCOMPILER_47.DLLOPENGL32SW.DLL
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE"OPEN
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE,0
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE" "%1""
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE",1
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE",1SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WINPCAPINSTWINPCAP_4_1_3.EXE"
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: UNINSTALL.EXELIBWIRETAP.DLLLIBWIRESHARK.DLLLIBWSCODECS.DLLLIBWSUTIL.DLLLIBGLIB-2.0-0.DLLLIBGIO-2.0-0.DLLLIBGMODULE-2.0-0.DLLLIBGOBJECT-2.0-0.DLLLIBINTL-8.DLLLIBGCC_S_SJLJ-1.DLLLIBCARES-2.DLLLIBGCRYPT-20.DLLLIBGPG-ERROR-0.DLLLIBGMP-10.DLLLIBFFI-6.DLLLIBGNUTLS-30.DLLLIBHOGWEED-4-2.DLLLIBNETTLE-6-2.DLLLIBP11-KIT-0.DLLLIBTASN1-6.DLLLIBWINPTHREAD-1.DLLCOMERR32.DLLKRB5_32.DLLK5SPRT32.DLLLIBSSH.DLLLUA52.DLLLIBLZ4.DLLLIBNGHTTP2-14.DLLLIBSBC-1.DLLLIBSMI-2.DLLLIBSNAPPY-1.DLLLIBSPANDSP-2.DLLLIBBCG729.DLLLIBXML2-2.DLLWINSPARKLE.DLLZLIB1.DLLLIBMAXMINDDB-0.DLLINIT.LUACONSOLE.LUADTD_GEN.LUACOPYING.TXTREADME.TXTREADME.WINDOWS.TXTAUTHORS-SHORTMANUFWKASERVICESPDML2HTML.XSLWS.CSSWIRESHARK.HTMLWIRESHARK-FILTER.HTMLDUMPCAP.EXEDUMPCAP.HTMLEXTCAP.HTMLVCREDIST_X86.EXE"
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE,02.6.3HELPLINKHTTPS://ASK.WIRESHARK.ORG/INSTALLLOCATIONPUBLISHERTHE WIRESHARK DEVELOPER COMMUNITY, HTTPS://WWW.WIRESHARK.ORGURLINFOABOUTURLUPDATEINFOHTTPS://WWW.WIRESHARK.ORG/DOWNLOAD.HTMLNOMODIFYNOREPAIRVERSIONMAJORVERSIONMINOR"
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE"
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXEPATH
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: DUMPCAP.EXE
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \WIRESHARK.EXE" "%1"
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004061FB FindFirstFileA,FindClose,1_2_004061FB
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_00405799
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_0040270B FindFirstFileA,1_2_0040270B
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_004061FB FindFirstFileA,FindClose,1_1_004061FB
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_1_00405799
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_0040270B FindFirstFileA,1_1_0040270B
Program exit points
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | API call chain: ExitProcess graph end node graph_1-10156

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_1_0040DDBD GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,1_1_0040DDBD

Language, Device and Operating System Detection:

Contains functionality to query windows version
Source: C:\Users\user\Desktop\Wireshark-win32-2.6.3.exe | Code function: 1_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_004032BF

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Wireshark.exe matches this signature's list of security-tool process names; the strings are the installer's own App Paths registry data, not a list of processes to terminate.
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: \Wireshark.exe
Source: Wireshark-win32-2.6.3.exe, 00000001.00000002.5355215034.000000000282C000.00000004.sdmp, nsl7478.tmp.1.dr | Binary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\Wireshark.exe

Behavior Graph

[Behavior graph ID 102801; sample Wireshark-win32-2.6.3.exe; start date 11/01/2019; architecture WINDOWS; score 13]
Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Process: Wireshark-win32-2.6.3.exe started
Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
Dropped: C:\Users\user\AppData\...\InstallOptions.dll (PE32)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
Wireshark-win32-2.6.3.exe | 1% | virustotal |
Wireshark-win32-2.6.3.exe | 3% | metadefender |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\InstallOptions.dll | 0% | virustotal |
C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\InstallOptions.dll | 0% | metadefender |
C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\System.dll | 0% | virustotal |
C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\System.dll | 2% | metadefender |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://www.wireshark.orgURLInfoAboutURLUpdateInfohttps://www.wireshark.org/download.htmlNoModifyNoR | 0% | Avira URL Cloud | safe
The "URL" is a run of adjacent Uninstall registry strings (URLInfoAbout, URLUpdateInfo, NoModify, NoRepair) lifted from memory by the string extractor, not a single address the installer contacted.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection
C:\Users\user\AppData\Local\Temp\nsv74B7.tmp\System.dll | 6wraWQWLS.exe | c9c47d0a210f600da3ab52ef474a9f56cea0a8d09cfec9544944fb4a63e7f841 | malicious
 | http://l-ardagnole.com/dshgc67384 | | malicious
 | SaharaTrial.exe | d7ff9af7d2af4950c9594cba55884d0dd7d3647c05920fb813e589d9a340de62 | malicious
 | MAOiAcNHG.exe | 210aea676fa468350db26a31292f2a2a7a3b35be1db83b240eeebb3acf4d68ec | malicious
 | Consignacion 22 febrero abonar factura.exe | a353edf3dc71dda60fab5c5e06bcf176bb0c16a0bf6932db1b964b0048e34b8a | malicious
 | 51SHIP_DOC_000121121.exe | 7b4765094c5b484e9234b234748d61d7d9783c01539b277ac39e2c56cd717040 | malicious
 | CrunchSetup.exe | 478b4031eb3032408fac26617079c970978702da390c14fe65351ea4f0c1473c | malicious
 | Doc32.exe | 2a8697e03cd8ddc976f89c4b36f7588d5eb09676f6366c1f524d140ab9155734 | malicious
 | USD TT.doc | 01bd866849a9428de287bc4a92109b59a4aca74fd7555c8fe0491b129aea227a | malicious
 | Wireshark-win64-2.4.6.exe | 025c68ae6ac5a4ae146ba8318f596089859c9d5d890b688ed8c1498745779412 | malicious
 | Tender Documents.doc | e1a031a1161bf815311e26cb73b29bdc71e63ca36078e9779d40d3f1d9ae33d1 | malicious
 | 9Invoice 27349.bat | 648905a226b5c9fbcd7d0e865b50bea8fa6866ce806e632129f391e73b2c63cd | malicious
 | 43Weinmann Rechnung 06-9983814 PDF.js | e59fb2d75f3d83908a061fe744dbf03545d636d752f033218276075fe104d730 | malicious
 | MSC000000194343.vbs | e8657a1daad23902367e224c1bb3ec09176fba2fb5b71815adb893360619e1f9 | malicious
 | eGyd9gvR10.doc | d40a85793b528e171de6753a5f87ec6a86ab924c89dce33b69d43de4c47559ab | malicious
 | Doc42.exe | 5fbbb021146505d01341a047f8ff0f3877849d6323ed1545b9447cf6f597df58 | malicious
 | 5TT_Copy_25272523.exe | f12420af26feba525b1b51d8ebbba0f7c43bd461f02b57e313ec14781cbb9794 | malicious
 | Soporte_de_consignacion_dia_19-02.exe | b88575503e9dce53873da683348f7164b6a6b6519df36ccb8b87c01bcddaf9bc | malicious
 | Scans3001.sc.exe | ff1c44fc38f23320f760fa2c30710927fb96d1c0281c4ec40b606a9f88ffa653 | malicious
 | v2.exe | 3aa7e2c2c3d923ea73d38372784aee698057e4addf65c783fd5c5a2b25946d37 | malicious
The shared file is the stock NSIS System.dll plugin, which every NSIS-built installer (including malicious ones) extracts to its temporary plugin directory; the overlap shows a common installer framework, not shared malicious code, and the "malicious" label is the verdict on each associated sample, not on the plugin.

Screenshots

Thumbnails