Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

2.jpg.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.441091788572866
Filename:	2.jpg.exe
Filesize:	34304
MD5:	93fb70bf6b2fc6da414d9e6a80ecda4f
SHA1:	f04e6e242635c94df8e052a589a886a506095db1
SHA256:	2b5a8036263fe6e79d34e9b1a51a73e86cdc53a6d1037e07d9ecbe5a3de29126
SHA512:	34eb3bfbb96848a72823f52fca242de56081b346eff476dc2ecae50258cbbb63c45e252163b211e713262d14f736ecfb9e4355a2901cee58147d6d4b69a624f7
SSDEEP:	768:cqjERBv1Q29sOcqtH5uqanxJF2bCfSuCjQOaDCZL:ljwNW29suranxH2ufS/UI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...VF................0..\|............... ........@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing Security Software Discovery
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Machine Learning detection for sample	AV Detection
Abnormal high CPU Usage	System Summary	System Time Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion	Security Software Discovery
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion	Security Software Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May check if the current machine is a sandbox (GetTickCount - Sleep)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Security Software Discovery
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes		Security Software Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\Desktop\localfile_638491169974164363.txt

ASCII text, with very long lines (10240), with no line terminators

dropped

Details

File:	C:\Users\user\Desktop\localfile_638491169974164363.txt
Category:	dropped
Dump:	localfile_638491169974164363.txt.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\2.jpg.exe
Type:	ASCII text, with very long lines (10240), with no line terminators
Entropy:	4.330796419787758
Encrypted:	false
Ssdeep:	192:IGBG1sUyhybD+x2w37Q60vpogL0FkipchBon4bW1x:63bpCdGNn9i4bWP
Size:	10240
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\Desktop\localfile_638491175959284389.txt

ASCII text, with very long lines (1474), with no line terminators

modified

Details

File:	C:\Users\user\Desktop\localfile_638491175959284389.txt
Category:	modified
Dump:	localfile_638491175959284389.txt.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\2.jpg.exe
Type:	ASCII text, with very long lines (1474), with no line terminators
Entropy:	6.048107885381353
Encrypted:	false
Ssdeep:	24:Xlgfx8/wEFHRnQwodcCwy+soGAZOPBnRgdIAv2CZ5pGL3yzJWvMOt:XefxNaJ/CwDsoGi2HgWAeI5pGLkJEMI
Size:	1474
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\2.jpg.exe

"C:\Users\user\Desktop\2.jpg.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7272
Target ID:	0
Parent PID:	2580
Name:	2.jpg.exe
Path:	C:\Users\user\Desktop\2.jpg.exe
Commandline:	"C:\Users\user\Desktop\2.jpg.exe"
Size:	34304
MD5:	93FB70BF6B2FC6DA414D9E6A80ECDA4F
Time:	09:49:57
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x290000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected CobaltStrike	Remote Access Functionality
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected ReflectiveLoader	Data Obfuscation
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Yara detected Costura Assembly Loader	Data Obfuscation
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://8.218.236.5:8089/1.txt

8.218.236.5

http://8.218.236.5/

unknown

http://8.218.236.5:8062/g.pixel

8.218.236.5

http://8.218.236.5:8062/j9sF

8.218.236.5

http://8.218.236.5:8089/0.txt

8.218.236.5

http://8.218.236.5/j9sF

http://8.218.236.5:None/j9sF

http://8.218.236.5:8062/g.pixelHeartbeatTimesg

unknown

http://8.218.236.5:8062/j9sF6

unknown

http://8.218.236.5:8062/g.pixelnkMonitoringM

unknown

http://8.218.236.5:8089

unknown

http://8.218.236.5:8089/0.txtlB

unknown

http://8.218.236.5:8089/1.txtd

unknown

http://8.218.236.5:8062/g.pixelitoringKillbit

unknown

http://8.218.236.5:8062/g.pixelitoringKillbitS

unknown

http://8.218.236.5:8089/0.txtP

unknown

http://8.218.236.5:8089/1.txtP

unknown

http://8.218.236.5:8089/1.txter

unknown

http://127.0.0.1:%u/

unknown

http://8.218.236.5:8062/g.pixelnkMonitoringx

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://8.218.236.5:8089/0.txtC

unknown

http://8.218.236.5:8089t-

unknown

There are 13 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

8.218.236.5

unknown

Singapore

Details

IP:	8.218.236.5
TargetID:	0
Current Path:	C:\Users\user\Desktop\2.jpg.exe
Country:	Singapore
Countrycode:	SGP
ASN number:	45102
ASN name:	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

26D8000

trusted library allocation

page read and write

292000

unkown

page readonly

5F30000

direct allocation

page execute and read and write

6360000

direct allocation

page execute and read and write

2621000

trusted library allocation

page read and write

6760000

direct allocation

page execute and read and write

917000

heap

page read and write

607D000

stack

page read and write

9B7000

heap

page read and write

5E1E000

stack

page read and write

88B000

trusted library allocation

page execute and read and write

5CE0000

heap

page read and write

4CEF000

stack

page read and write

26A2000

trusted library allocation

page read and write

2580000

trusted library allocation

page read and write

267F000

trusted library allocation

page read and write

6F8000

stack

page read and write

9D5000

heap

page read and write

26B2000

trusted library allocation

page read and write

87A000

trusted library allocation

page execute and read and write

960000

heap

page read and write

268D000

trusted library allocation

page read and write

5D04000

heap

page read and write

4F7D000

stack

page read and write

E60000

heap

page read and write

26A8000

trusted library allocation

page read and write

3EE000

stack

page read and write

6794000

direct allocation

page execute and read and write

25A0000

heap

page execute and read and write

2600000

trusted library allocation

page read and write

5D1E000

heap

page read and write

9C4000

heap

page read and write

5D46000

heap

page read and write

5CD0000

heap

page read and write

4CAD000

stack

page read and write

4CF0000

heap

page execute and read and write

E67000

heap

page read and write

A0D000

heap

page read and write

ACE000

stack

page read and write

854000

trusted library allocation

page read and write

579D000

stack

page read and write

99E000

heap

page read and write

47BE000

stack

page read and write

26A4000

trusted library allocation

page read and write

50BE000

stack

page read and write

290000

unkown

page readonly

900000

trusted library allocation

page read and write

390000

heap

page read and write

5F1F000

stack

page read and write

8F0000

trusted library allocation

page execute and read and write

6394000

direct allocation

page execute and read and write

67B0000

heap

page read and write

99A000

heap

page read and write

5F7C000

stack

page read and write

68E4000

heap

page read and write

872000

trusted library allocation

page read and write

51BD000

stack

page read and write

A0A000

heap

page read and write

5CF5000

heap

page read and write

8A0000

trusted library allocation

page read and write

267C000

trusted library allocation

page read and write

6796000

direct allocation

page execute and read and write

68E2000

heap

page read and write

2679000

trusted library allocation

page read and write

52FD000

stack

page read and write

631D000

stack

page read and write

A73000

heap

page read and write

910000

heap

page read and write

A17000

heap

page read and write

60BE000

stack

page read and write

95E000

stack

page read and write

61BE000

stack

page read and write

5D0A000

heap

page read and write

679F000

direct allocation

page execute and read and write

860000

trusted library allocation

page read and write

507F000

stack

page read and write

C0E000

stack

page read and write

85D000

trusted library allocation

page execute and read and write

3A0000

heap

page read and write

26C1000

trusted library allocation

page read and write

830000

trusted library allocation

page read and write

54DE000

stack

page read and write

2686000

trusted library allocation

page read and write

569E000

stack

page read and write

68E8000

heap

page read and write

5CC0000

heap

page read and write

51FD000

stack

page read and write

68D0000

heap

page read and write

2610000

heap

page read and write

9D1000

heap

page read and write

A5B000

heap

page read and write

877000

trusted library allocation

page execute and read and write

887000

trusted library allocation

page execute and read and write

845000

heap

page read and write

257E000

stack

page read and write

80E000

stack

page read and write

A6A000

heap

page read and write

5CBD000

stack

page read and write

621D000

stack

page read and write

3621000

trusted library allocation

page read and write

5F20000

trusted library section

page read and write

990000

heap

page read and write

68E0000

heap

page read and write

2681000

trusted library allocation

page read and write

5D16000

heap

page read and write

268F000

trusted library allocation

page read and write

853000

trusted library allocation

page execute and read and write

5BBE000

stack

page read and write

32C000

stack

page read and write

8EE000

stack

page read and write

840000

heap

page read and write

850000

trusted library allocation

page read and write

882000

trusted library allocation

page read and write

679D000

direct allocation

page execute and read and write

26AE000

trusted library allocation

page read and write

55DD000

stack

page read and write

There are 106 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
2.jpg.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report2.jpg.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
2.jpg.exe