Analysis Report .exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167273
Start date: 25.08.2019
Start time: 19:35:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: .exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.evad.winEXE@2/6@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe

Detection

Strategy | Score | Range | Whitelisted | Detection
Threshold | 68 | 0 - 100 | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are grouped by tactic. The number in parentheses is the count of matched signatures; entries without a count are the matrix's unmatched placeholder cells.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading (2); Software Packing (1); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: System Time Discovery (12); Process Discovery (1); Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (1); Commonly Used Port (1); Remote File Copy (1); Multiband Communication; Standard Cryptographic Protocol

Signature Overview


AV Detection:

Antivirus or Machine Learning detection for dropped file
  • Source: C:\Windows\Jammer2nd.exe | Avira: Label: WORM/Netsky.AY
  • Source: C:\Windows\Jammer2nd.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: .exe | Avira: Label: WORM/Netsky.AY
  • Source: .exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  • Source: 0.2. .exe.400000.0.unpack | Avira: Label: TR/Crypt.PEPM.Gen
  • Source: 2.2.Jammer2nd.exe.400000.0.unpack | Avira: Label: TR/Crypt.PEPM.Gen
  • Source: 0.0. .exe.400000.0.unpack | Avira: Label: WORM/Netsky.AY
  • Source: 2.0.Jammer2nd.exe.400000.0.unpack | Avira: Label: WORM/Netsky.AY

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402100 FindFirstFileA, CharLowerBuffA, FindNextFileA, FindClose
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402100 FindFirstFileA, CharLowerBuffA, FindNextFileA, FindClose

Networking:

Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402CD3 socket, htons, bind, closesocket, listen, closesocket, recv, _hwrite, accept, wsprintfA, _lopen, recv, _hwrite, WinExec, _lclose, closesocket, Sleep
Note: the chain binds, listens and accepts rather than connecting out, so "download" here means receiving a file on an inbound connection, writing it with _hwrite and running it with WinExec. The Remote Access Functionality section below lists the same function as a listening backdoor.

System Summary:

PE file has a writeable .text section
  • Source: .exe | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
  • Source: Jammer2nd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Creates files inside the system directory
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\Jammer2nd.exe
Creates mutexes
  • Source: C:\Users\user\Desktop\ .exe | Mutant created: \Sessions\1\BaseNamedObjects\(S)(k)(y)(N)(e)(t)
Detected potential crypto function
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005DCE3D
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00401691
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_005DCE3D
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00401691
PE file contains strange resources
  • Source: .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: Jammer2nd.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
  • Source: C:\Users\user\Desktop\ .exe | File read: C:\Users\user\Desktop\ .exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\ .exe | Section loaded: wow64log.dll
  • Source: C:\Windows\Jammer2nd.exe | Section loaded: wow64log.dll
Note: wow64.dll probes for wow64log.dll at start-up of every 32-bit process on 64-bit Windows and the file is absent on a default install, so this entry reflects the analysis VM rather than behaviour of the sample.
PE file contains an invalid data directory
  • Source: .exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
  • Source: Jammer2nd.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Classification label
  • Source: classification engine | Classification label: mal68.evad.winEXE@2/6@0/0
Reads software policies
  • Source: C:\Users\user\Desktop\ .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
  • Source: unknown | Process created: C:\Windows\Jammer2nd.exe 'C:\Windows\Jammer2nd.exe'
PE file has a big code size
  • Source: .exe | Static PE information: Virtual size of .text is bigger than: 0x100000

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00405ADF LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Entry point lies outside standard sections
  • Source: initial sample | Static PE information: section where entry point is pointing to: .aspack
PE file contains an invalid checksum
  • Source: Jammer2nd.exe.0.dr | Static PE information: stored checksum: 0x10104, computed over the file: 0x10b13
  • Source: .exe | Static PE information: stored checksum: 0x10104, computed over the file: 0x10b13
PE file contains sections with non-standard names
  • Source: .exe | Static PE information: section name: .aspack
  • Source: .exe | Static PE information: section name: .gda
  • Source: Jammer2nd.exe.0.dr | Static PE information: section name: .aspack
  • Source: Jammer2nd.exe.0.dr | Static PE information: section name: .gda
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005DC660 push cs; ret 0_2_005DC663
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_005DC001 push 00403E5Fh; ret 0_2_005DC3C5
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00403BF0 push eax; ret 0_2_00403C1E
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_005DC660 push cs; ret 2_2_005DC663
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_005DC001 push 00403E5Fh; ret 2_2_005DC3C5
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00403BF0 push eax; ret 2_2_00403C1E
Note: the push 00403E5Fh; ret at 0_2_005DC3C5 transfers control from the .aspack stub to 0_2_00403E5F, which the Language, Device and Operating System Detection section below shows calling GetVersion, GetCommandLineA, GetStartupInfoA and GetModuleHandleA, the usual C run-time start-up sequence. That makes 0x00403E5F the original entry point of the unpacked program, and the 0.2 / 2.2 .400000.0.unpack dumps listed under AV Detection are the images after this jump.
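The static findings in the System Summary and Data Obfuscation sections (a writeable .text section, the entry point in .aspack, non-standard section names, a non-empty IMAGE_DIRECTORY_ENTRY_RESERVED slot, and a stored checksum of 0x10104 against a computed 0x10b13) are all recoverable from the PE headers alone. The script below is an added example, not part of the Joe Sandbox report and not its signature engine; it implements those checks with the Python standard library only. Because the sample is not on the page, build_sample_pe() fabricates a minimal PE32 header that carries the same anomalies so the checks run offline; it is a constructed stand-in, and the checksum it computes is for that stand-in, not the value reported for the sample. Point triage() at the bytes of a real file to reproduce the report's findings.

```python
"""Static PE triage for the header anomalies listed in the report (added example)."""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_RESERVED = 15            # 16th and last data-directory slot
CODE_SECTIONS = {".text", ".code", "CODE", "INIT"}
STANDARD_SECTIONS = CODE_SECTIONS | {".data", ".rdata", ".idata", ".edata", ".rsrc",
                                     ".reloc", ".bss", ".tls", ".pdata", ".crt", "DATA", "BSS"}


def pe_checksum(data, checksum_offset):
    """PE checksum: carry-folded 32-bit sum of every dword except the CheckSum
    field itself, folded to 16 bits, plus the file length."""
    total, whole = 0, len(data) - len(data) % 4
    for off in range(0, whole, 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", data, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    if whole != len(data):                       # trailing 1-3 bytes
        total += int.from_bytes(data[whole:], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def _headers(data):
    """Return (optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24, e_lfanew + 24 + opt_size, nsec


def triage(data):
    """List the anomalies found in a PE image, as human-readable strings."""
    opt, sec_tab, nsec = _headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    stored = struct.unpack_from("<I", data, opt + 64)[0]      # CheckSum
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ directories
    res_rva, res_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_RESERVED)
    findings, entry_section = [], None
    for i in range(nsec):
        hdr = sec_tab + 40 * i
        raw_name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, hdr)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]   # Characteristics
        name = raw_name.rstrip(b"\0").decode("latin-1")
        if name == ".text" and flags & IMAGE_SCN_MEM_WRITE:
            findings.append("writeable .text section")
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if va <= entry < va + max(vsize, rawsize):
            entry_section = name
    if entry_section not in CODE_SECTIONS:
        findings.append(f"entry point outside standard code sections: {entry_section or 'no section'}")
    if res_rva or res_size:
        findings.append(f"reserved data directory in use: address {res_rva:#x} size {res_size:#x}")
    computed = pe_checksum(data, opt + 64)
    if stored != computed:
        findings.append(f"checksum mismatch: stored {stored:#x} computed {computed:#x}")
    return findings


def fix_checksum(data):
    """Copy of the image with CheckSum rewritten to the computed value."""
    opt = _headers(data)[0]
    patched = bytearray(data)
    struct.pack_into("<I", patched, opt + 64, pe_checksum(data, opt + 64))
    return bytes(patched)


def build_sample_pe():
    """Constructed stand-in (not the analysed sample): a minimal PE32 header with
    a writeable .text, the entry point in .aspack, a non-empty reserved data
    directory and the stored checksum value 0x10104 seen in the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)       # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)                             # entry point -> .aspack
    struct.pack_into("<I", opt, 28, 0x400000)                           # ImageBase
    struct.pack_into("<I", opt, 64, 0x10104)                            # CheckSum (wrong)
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESERVED, 0, 0x100000)

    def section(name, va, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0x400, 0, 0, 0, 0, flags)

    secs = section(b".text", 0x1000, 0x2000, 0x40000040 | IMAGE_SCN_MEM_WRITE)  # INITIALIZED_DATA|READ|WRITE
    secs += section(b".aspack", 0x3000, 0x1000, 0x60000020)                      # CODE|EXECUTE|READ
    return bytes(dos) + b"PE\0\0" + coff + opt + secs + bytes(32)


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

fix_checksum() is there to show that the mismatch is a property of the stored field, not of the file body: a packer that rewrites sections without recomputing CheckSum leaves exactly the kind of discrepancy the report shows, and a single pack_into makes it disappear, so the check is a hint about tooling rather than a signature of malice on its own.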

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  • Source: unknown | Executable created and started: C:\Windows\Jammer2nd.exe
Drops PE files
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\Jammer2nd.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\ .exe | File created: C:\Windows\Jammer2nd.exe
Note: the matching autostart entry is recorded under Simulations below: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value Jammer2nd, pointing at C:\Windows\Jammer2nd.exe. Writing to C:\Windows and HKLM succeeded only because the analysis ran with sufficient rights; on a standard user account both operations would fail.

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
  • Source: C:\Windows\Jammer2nd.exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_2-2510)
  • Source: C:\Users\user\Desktop\ .exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_0-2505)
Note: read together with the CreateMutexA, GetLastError sequence in 0_2_00402DE3 (Language, Device and Operating System Detection below) and the (S)(k)(y)(N)(e)(t) mutant under System Summary, this chain is a single-instance guard: a second copy finds the mutex already present and exits. It is not evidence of sandbox detection.
Found decision node followed by non-executed suspicious APIs
  • Source: C:\Windows\Jammer2nd.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_2-2958)
  • Source: C:\Users\user\Desktop\ .exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-2927)
Found evasive API chain (date check)
  • Source: C:\Users\user\Desktop\ .exe | Evasive API call chain: GetLocalTime, DecisionNodes (graph_0-2527)
  • Source: C:\Windows\Jammer2nd.exe | Evasive API call chain: GetLocalTime, DecisionNodes (graph_2-2532)
Uses the system / local time for branch decision (may execute only at specific dates)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-0eh], 0001h and CTI: jbe 00402F80h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-0eh], 0006h and CTI: jnc 00402F80h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-12h], 0005h and CTI: jne 00402F80h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-14h], 07d4h and CTI: jne 00402F80h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dah and CTI: jbe 00401A0Eh
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0001h and CTI: jc 00401A1Ch
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 000ch and CTI: jbe 00401A22h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0ah], 0001h and CTI: jc 00401A30h
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0ah], 001fh and CTI: jbe 00401A36h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-0eh], 0001h and CTI: jbe 00402F80h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-0eh], 0006h and CTI: jnc 00402F80h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-12h], 0005h and CTI: jne 00402F80h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402DE3 GetLocalTime followed by cmp: cmp word ptr [ebp-14h], 07d4h and CTI: jne 00402F80h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dah and CTI: jbe 00401A0Eh
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0001h and CTI: jc 00401A1Ch
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 000ch and CTI: jbe 00401A22h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0ah], 0001h and CTI: jc 00401A30h
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_004019E8 GetSystemTime followed by cmp: cmp word ptr [ebp-0ah], 001fh and CTI: jbe 00401A36h
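The nine compare-and-branch pairs above only become readable once the operands are taken as fields of the SYSTEMTIME structure that the preceding GetLocalTime (0_2_00402DE3) or GetSystemTime (0_2_004019E8) call filled in. SYSTEMTIME is eight WORDs (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds), so if the structure sits at [ebp-14h] the compares against [ebp-14h], [ebp-12h] and [ebp-0eh] test wYear, wMonth and wDay, and the 07d4h / 0005h / 0001h / 0006h immediates spell out one window: year 2004, month 5, day greater than 1 and less than 6. The script below is an added example, not part of the Joe Sandbox report; it replays the reported compares as data and assumes that the 00402F80h target is the branch that skips the gated code, so the placement of the structure and that reading of the branch are my assumptions from the reported offsets, not something the report states. They do fit the sandbox's own observation that send, recv and WinExec were never reached during a run on 25.08.2019. For the 0_2_004019E8 chain the jump targets differ, so only the field decoding is shown; it reads as a year/month/day range check.

```python
"""Decode the GetLocalTime / GetSystemTime date gates reported above (added example)."""
from datetime import date, timedelta

# SYSTEMTIME is eight WORDs; offsets are from the start of the structure.
SYSTEMTIME_FIELDS = {0: "wYear", 2: "wMonth", 4: "wDayOfWeek", 6: "wDay",
                     8: "wHour", 10: "wMinute", 12: "wSecond", 14: "wMilliseconds"}

# (ebp-relative operand offset, immediate, jcc) exactly as the report lists them.
# 0_2_00402DE3: every jump goes to 00402F80h, assumed to skip the gated code.
GATE_00402DE3 = [(-0x0E, 0x0001, "jbe"), (-0x0E, 0x0006, "jnc"),
                 (-0x12, 0x0005, "jne"), (-0x14, 0x07D4, "jne")]
GATE_00402DE3_BASE = -0x14          # assumption: SYSTEMTIME lives at [ebp-14h]
# 0_2_004019E8: the five jumps have different targets, so only the field
# decoding is meaningful; it reads as a year/month/day range check.
GATE_004019E8 = [(-0x10, 0x07DA, "jbe"), (-0x0E, 0x0001, "jc"), (-0x0E, 0x000C, "jbe"),
                 (-0x0A, 0x0001, "jc"), (-0x0A, 0x001F, "jbe")]
GATE_004019E8_BASE = -0x10          # assumption: SYSTEMTIME lives at [ebp-10h]


def jump_taken(jcc, lhs, rhs):
    """Unsigned flag semantics of 'cmp lhs, rhs; jcc' for the mnemonics used."""
    return {"jbe": lhs <= rhs, "jnc": lhs >= rhs, "jc": lhs < rhs,
            "jne": lhs != rhs, "je": lhs == rhs}[jcc]


def decode(gate, base):
    """Replace each ebp offset with its SYSTEMTIME field name."""
    return [(SYSTEMTIME_FIELDS[off - base], imm, jcc) for off, imm, jcc in gate]


def systemtime(y, m, d):
    """Fields a SYSTEMTIME holds for a calendar date (wDayOfWeek: 0 = Sunday)."""
    day = date(y, m, d)
    return {"wYear": y, "wMonth": m, "wDayOfWeek": (day.weekday() + 1) % 7, "wDay": d}


def reaches_gated_code(y, m, d, gate=GATE_00402DE3, base=GATE_00402DE3_BASE):
    """True when no compare in the chain branches away on this date."""
    fields = systemtime(y, m, d)
    return not any(jump_taken(jcc, fields[name], imm) for name, imm, jcc in decode(gate, base))


def trigger_dates(year, gate=GATE_00402DE3, base=GATE_00402DE3_BASE):
    """ISO dates within a year on which the gated code is reached."""
    day, hits = date(year, 1, 1), []
    while day.year == year:
        if reaches_gated_code(day.year, day.month, day.day, gate, base):
            hits.append(day.isoformat())
        day += timedelta(days=1)
    return hits


if __name__ == "__main__":
    for name, imm, jcc in decode(GATE_00402DE3, GATE_00402DE3_BASE):
        print(f"0_2_00402DE3: cmp {name}, {imm:#06x}; {jcc} -> skip")
    print("gate opens on:", trigger_dates(2004))
    print("open on the sandbox run date 2019-08-25:", reaches_gated_code(2019, 8, 25))
```

Because wDay sits six bytes past wYear, the same compare list decodes consistently for both chains with different bases, which is the check that gives the interpretation its weight: a wrong base would land one of the operands on wDayOfWeek or on padding. To see the gated behaviour in a sandbox, the clock of the analysis VM would have to be set into the 2 to 5 May 2004 window before the run.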
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402100 FindFirstFileA, CharLowerBuffA, FindNextFileA, FindClose
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402100 FindFirstFileA, CharLowerBuffA, FindNextFileA, FindClose
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: pk_zip1.log.0.dr | Binary or memory string: Zu4UyxBbNp3HfknjlqNQBccqQ0tgVK9B0y628opOvly1S08ljVgzqwDTG1HgFsQ/80uvqu2G
Note: the only hit is a substring inside base64-looking data in the dropped pk_zip1.log; no VM-related API or registry access is reported, so this signature carries little weight on its own.
Program exit points
  • Source: C:\Users\user\Desktop\ .exe | API call chain: ExitProcess graph end node (graph_0-2990)

Anti Debugging:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00405ADF LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: .exe, 00000000.00000002.959561743.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: .exe, 00000000.00000002.959561743.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progman
  • Source: .exe, 00000000.00000002.959561743.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
  • Source: .exe, 00000000.00000002.959561743.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Contains functionality to query local / system time
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402DE3 GetTickCount, CreateMutexA, GetLastError, CreateThread, CreateThread, CreateThread, GetLocalTime, CreateThread, Sleep, CreateThread, Sleep, Sleep
Contains functionality to query time zone information
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402797 GetLocalTime, GetTimeZoneInformation, wsprintfA
Contains functionality to query windows version
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00403E5F GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
  • Source: C:\Users\user\Desktop\ .exe | Code function: 0_2_00402CD3 socket, htons, bind, closesocket, listen, closesocket, recv, _hwrite, accept, wsprintfA, _lopen, recv, _hwrite, WinExec, _lclose, closesocket, Sleep
  • Source: C:\Windows\Jammer2nd.exe | Code function: 2_2_00402CD3 socket, htons, bind, closesocket, listen, closesocket, recv, _hwrite, accept, wsprintfA, _lopen, recv, _hwrite, WinExec, _lclose, closesocket, Sleep

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Behavior Graph ID: 167273 | Sample: .exe | Startdate: 25/08/2019 | Architecture: WINDOWS | Score: 68

Sample-level signatures:
  • Antivirus or Machine Learning detection for sample
  • Found evasive API chain (may stop execution after checking mutex)
  • PE file has a writeable .text section
  • Drops executables to the windows directory (C:\Windows) and starts them
Processes:
  • .exe (started; graph counters: 1 registry value, 6 files created)
    dropped: C:\Windows\Jammer2nd.exe (PE32); C:\Windows\Jammer2nd.exe:Zone.Identifier (ASCII)
  • Jammer2nd.exe (started)
    signatures: Antivirus or Machine Learning detection for dropped file; Found evasive API chain (may stop execution after checking mutex)

Simulations

Behavior and APIs

Time | Type | Description
19:37:02 | API Interceptor | 3x Sleep call for process: .exe modified
19:37:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Jammer2nd C:\Windows\Jammer2nd.exe

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
.exe | 100% | Avira | WORM/Netsky.AY
.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\Jammer2nd.exe | 100% | Avira | WORM/Netsky.AY
C:\Windows\Jammer2nd.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
0.2. .exe.400000.0.unpack | 100% | Avira | TR/Crypt.PEPM.Gen
2.2.Jammer2nd.exe.400000.0.unpack | 100% | Avira | TR/Crypt.PEPM.Gen
0.0. .exe.400000.0.unpack | 100% | Avira | WORM/Netsky.AY
2.0.Jammer2nd.exe.400000.0.unpack | 100% | Avira | WORM/Netsky.AY

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.