Windows Analysis Report
jp.exe

Overview

General Information

Sample name: jp.exe
Analysis ID: 1429061
MD5: 1938a3545517650824657fd09ce4ee16
SHA1: 25a3bb6c1d11fac492825178e5a4ca7c5a8c4910
SHA256: 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7
Tags: APT44, exe, JUICYPOTATONG

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: jp.exe ReversingLabs: Detection: 65%
Source: jp.exe Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601382670 CoTaskMemAlloc,CoTaskMemAlloc,LoadLibraryW,GetProcAddress,GetCurrentProcess,CoInitialize,CoInitializeSecurity,CreateObjrefMoniker,CreateBindCtx,CryptStringToBinaryW,RpcServerUseProtseqEpW,RpcServerRegisterAuthInfoW,CreateILockBytesOnHGlobal,StgCreateDocfileOnILockBytes,CLSIDFromString,CoGetInstanceFromIStorage,WaitForSingleObject,CoTaskMemFree,CoTaskMemFree,CoUninitialize,GetLastError,AcceptSecurityContext,SetEvent,QuerySecurityContextToken,GetTokenInformation,GetTokenInformation,GetLengthSid,CopySid,LookupAccountSidW,GetTokenInformation,DuplicateTokenEx,SetEvent, 0_2_00007FF601382670
Source: jp.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138FAC0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_00007FF60138FAC0
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF6013821C0 GetCurrentProcess,OpenProcessToken,ImpersonateLoggedOnUser,CloseHandle,GetProcessHeap,HeapAlloc,GetCurrentProcessId,ProcessIdToSessionId,SetTokenInformation,CreateProcessAsUserW,GetLastError,CreateProcessWithTokenW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,RevertToSelf,GetProcessHeap,HeapFree, 0_2_00007FF6013821C0
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601382670 0_2_00007FF601382670
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138FAC0 0_2_00007FF60138FAC0
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601392D8C 0_2_00007FF601392D8C
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601392960 0_2_00007FF601392960
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138CE14 0_2_00007FF60138CE14
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138F220 0_2_00007FF60138F220
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138ADC4 0_2_00007FF60138ADC4
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF6013965B8 0_2_00007FF6013965B8
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF6013885DC 0_2_00007FF6013885DC
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601381130 0_2_00007FF601381130
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601388358 0_2_00007FF601388358
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138E814 0_2_00007FF60138E814
Source: C:\Users\user\Desktop\jp.exe Code function: String function: 00007FF601381010 appears 54 times
Source: classification engine Classification label: mal48.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601382090 LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,PrivilegeCheck,GetLastError, 0_2_00007FF601382090
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601381B20 CoInitialize,CoCreateInstance,CoUninitialize,CreateEventW,CreateEventW,InitSecurityInterfaceW,LogonUserW,ImpersonateLoggedOnUser,RevertToSelf,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetLastError, 0_2_00007FF601381B20
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
Source: jp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jp.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\jp.exe "C:\Users\user\Desktop\jp.exe"
Source: C:\Users\user\Desktop\jp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jp.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\jp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jp.exe Section loaded: kernel.appcore.dll
Source: jp.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: jp.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\jp.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\jp.exe API coverage: 4.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF60138BE8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF60138BE8C
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601383720 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF601383720
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601382DB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF601382DB4
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF6013838C8 SetUnhandledExceptionFilter, 0_2_00007FF6013838C8
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601396400 cpuid 0_2_00007FF601396400
Source: C:\Users\user\Desktop\jp.exe Code function: 0_2_00007FF601383604 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF601383604
No contacted IP infos