
Analysis Report JabberVideoSetup4.8.12.exe

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:123512
Start date:15.04.2019
Start time:22:30:58
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 44s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:JabberVideoSetup4.8.12.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean8.winEXE@1/11@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 90%
  • Number of executed functions: 160
  • Number of non-executed functions: 235
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.

Detection

Strategy:Threshold
Score:8
Range:0 - 100
Whitelisted:false
Detection:clean

Confidence

Strategy:Threshold
Score:2
Range:0 - 5
Further Analysis Required?:true


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection 1; Accessibility Features
Defense Evasion: Process Injection 1; Obfuscated Files or Information 2
Credential Access: Credential Dumping; Network Sniffing
Discovery: Security Software Discovery 21; System Information Discovery 13
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0042217D __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,0_2_0042217D
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0045A208 GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,CreateEventW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,0_2_0045A208

Networking:

Urls found in memory or binary data
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://ocsp.thawte.com0
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://www.cisco.com/en/US/products/ps11328/tsd_products_support_series_home.html
Source: JabberVideo.msi.0.dr String found in binary or memory: http://www.cisco.com/go/warranty
Source: JabberVideo.msi.0.dr String found in binary or memory: http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_comp
Source: JabberVideo.msi.0.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: JabberVideoSetup4.8.12.exe String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004464E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,0_2_004464E0
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 0040E918 appears 41 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 0047565F appears 43 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 00408D97 appears 39 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 004096BA appears 111 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 00464713 appears 61 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 00463F3B appears 54 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 00464749 appears 82 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 004646E0 appears 608 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 004018B0 appears 169 times
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: String function: 004676BC appears 69 times
PE file contains strange resources
Source: JabberVideoSetup4.8.12.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JabberVideoSetup4.8.12.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JabberVideoSetup4.8.12.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: JabberVideoSetup4.8.12.exe Binary or memory string: OriginalFilename vs JabberVideoSetup4.8.12.exe
Source: JabberVideoSetup4.8.12.exe, 00000000.00000002.5082297731.000000000055E000.00000002.sdmp Binary or memory string: OriginalFilenameInstallShield Setup.exeh$ vs JabberVideoSetup4.8.12.exe
Source: JabberVideoSetup4.8.12.exe Binary or memory string: OriginalFilenameInstallShield Setup.exeh$ vs JabberVideoSetup4.8.12.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe File read: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Section loaded: wow64log.dll
Classification label
Source: classification engine Classification label: clean8.winEXE@1/11@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004464E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,0_2_004464E0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00441F61 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,0_2_00441F61
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0044D92E __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,0_2_0044D92E
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004177BA FindResourceW,SizeofResource,LoadResource,LockResource,0_2_004177BA
Creates temporary files
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe File created: C:\Users\user\AppData\Local\Temp\{43AC12B7-791B-460E-960D-D8E16BF6A2FA}\
Might use command line arguments
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: debuglog 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: runfromtemp 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: reboot 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: %s%s 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: tempdisk1folder 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: ISSetup.dll 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: ISSetup.dll 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: Skin 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: Startup 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: setup.isn 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: count 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: Languages 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: key%d 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: Languages 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: %s\0x%04x.ini 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: %s\0x%04x.ini 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: %s\%04x.mst 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: %s\%04x.mst 0_2_0043E15A
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Command line argument: `UG 0_2_004754B0
PE file has an executable .text section and no other executable section
Source: JabberVideoSetup4.8.12.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe File read: C:\Users\user\AppData\Local\Temp\{43AC12B7-791B-460E-960D-D8E16BF6A2FA}\Setup.INI
Reads software policies
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Writes ini files
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe File written: C:\Users\user\AppData\Local\Temp\{43AC12B7-791B-460E-960D-D8E16BF6A2FA}\Setup.INI
Submission file is bigger than most known malware samples
Source: JabberVideoSetup4.8.12.exe Static file information: File size 15498280 > 1048576
PE file contains a debug data directory
Source: JabberVideoSetup4.8.12.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: B:\TBCWinReleaseWT\MAIN\src\tetris\build\windows\Release\bin\InstallUtils.pdb source: JabberVideo.msi.0.dr
Source: Binary string: E:\CodeBases_Majesty_Hotfixes\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb source: JabberVideoSetup4.8.12.exe
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: JabberVideo.msi.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00441F61 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,0_2_00441F61
PE file contains an invalid checksum
Source: JabberVideoSetup4.8.12.exe Static PE information: real checksum: 0xed0390 should be:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004647B8 push ecx; ret 0_2_004647CB

Persistence and Installation Behavior:

Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00428196 __EH_prolog3,GetTempPathW,CoCreateGuid,CreateDirectoryW,GetPrivateProfileStringW,CreateDirectoryW,0_2_00428196

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0045A382 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0045A382
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-69016
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0042217D __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,0_2_0042217D
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0045A208 GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,CreateEventW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,0_2_0045A208
Contains functionality to query system information
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00440295 __EH_prolog3,VirtualQuery,GetSystemInfo,MapViewOfFile,0_2_00440295
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: JabberVideo.msi.0.dr Binary or memory string: VmCIP
Program exit points
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe API call chain: ExitProcess graph end node graph_0-67665

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004646D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004646D1
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00441F61 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary,0_2_00441F61
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004097D1 GetFileSize,GetProcessHeap,GetProcessHeap,HeapAlloc,ReadFile,lstrlenA,__alloca_probe_16,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,0_2_004097D1
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0047A13D SetUnhandledExceptionFilter,0_2_0047A13D
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004646D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004646D1
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0046CC4D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0046CC4D
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_004657C4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004657C4

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0043C6DF __EH_prolog3,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,0_2_0043C6DF
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00458DDF GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_00458DDF
May try to detect the Windows Explorer process (often used for injection)
Source: JabberVideoSetup4.8.12.exe Binary or memory string: AShell_TrayWndTahoma
Source: JabberVideoSetup4.8.12.exe Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_0047CC3C
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_0047CD53
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_0047CDEB
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_0047CE5F
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_0047D031
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: EnumSystemLocalesA,0_2_0047D0F4
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0047D11E
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_0047D1C1
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_0047D185
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_0046D5FD
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,0_2_004419CA
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoW,0_2_00441A4E
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoA,0_2_0048A79F
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_0047AA43
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: GetLocaleInfoA,0_2_0048AA33
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_0047B0E4
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_0047B36F
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_0042C448 _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime,0_2_0042C448
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00489D12 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_00489D12
Contains functionality to query windows version
Source: C:\Users\user\Desktop\JabberVideoSetup4.8.12.exe Code function: 0_2_00432A7F GetVersionExW,GetSystemInfo,0_2_00432A7F

Behavior Graph

[Behavior graph image] Behavior Graph ID: 123512; Sample: JabberVideoSetup4.8.12.exe; Startdate: 15/04/2019; Architecture: WINDOWS; Score: 8; process JabberVideoSetup4.8.12.exe started

Simulations

Behavior and APIs

Time: 22:31:50
Type: API Interceptor
Description: 1x Sleep call for process: JabberVideoSetup4.8.12.exe modified

Antivirus Detection

Initial Sample

Source: JabberVideoSetup4.8.12.exe, Detection: 0%, Scanner: virustotal
Source: JabberVideoSetup4.8.12.exe, Detection: 0%, Scanner: metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.