
Analysis Report Packet.dll

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193290
Start date: 03.12.2019
Start time: 06:30:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Packet.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winDLL@43/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe

Detection

| Strategy | Score | Range | Reporting | Whitelisted | Detection |
|---|---|---|---|---|---|
| Threshold | 1 | 0 - 100 | | false | clean |

Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
|---|---|---|---|---|
| Threshold | 4 | 0 - 5 | false | |


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior. The load the advice is based on is the sfc.dll entry under "Tries to load missing DLLs" in the System Summary below. The string table in the same section also shows Packet.dll resolving airpcap.dll and a set of Airpcap* function names at run time, so an analysis system with AirPcap installed would exercise additional code paths as well.



Mitre Att&ck Matrix

A number in parentheses is the count of signatures that matched the technique in this analysis; cells without a count are the unmatched fill of the matrix.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Rundll32 (1) | Winlogon Helper DLL | Process Injection (1) | Virtualization/Sandbox Evasion (1) | Credential Dumping | System Information Discovery (1) | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation | Data Destruction |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection (1) | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Data Encrypted for Impact |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rundll32 (1) | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Disk Structure Wipe |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | DLL Side-Loading (1) | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | Disk Content Wipe |

Signature Overview



Networking:

Urls found in memory or binary data
Source: Packet.dll | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Packet.dll | String found in binary or memory: http://ocsp.thawte.com0
Source: Packet.dll | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Packet.dll | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Packet.dll | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
All five are Thawte/Symantec CRL, OCSP and AIA endpoints of the kind carried inside the certificate chain of an Authenticode signature and its timestamp, which is consistent with the "certificate valid" finding below. The trailing characters (0, 0(, 07) are the adjacent bytes of the DER encoding picked up by the string scanner, not part of the URLs. No network traffic is recorded anywhere in this analysis (PCAP, Domains and IPs are all empty), so these are not addresses the sample contacted.

System Summary:

Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
This entry is reported 21 times, once per rundll32.exe process; the report attributes the load to the process, not to the module that requested it.
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: Packet.dll | Binary string: \Device\NPF_
\Device\NPF_ is the device-name prefix of the NPF packet-capture driver (drivers\NPF.sys appears in the same string table, and the PDB path below places the build in the winpcap_4_1_3 tree). Packet.dll is the WinPcap user-mode library that opens that device, so the device path is expected for this sample rather than an indicator on its own.
Source: Packet.dllBinary string: HH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAUSER32.DLLCONOUT$SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecNPF_%SSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\InterfacesSYSTEM\CurrentControlSet\ServicesParametersTcpIpUseZeroBroadcastEnableDHCPDhcpIPAddressDhcpSubnetMaskIPAddressSubnetMask\Device\NPF_1394%s%sSYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}ComponentIdLinkageExportSYSTEM\CurrentControlSet\Services\Tcpip\Linkagebinddrivers\NPF.sysIphlpapiGetAdaptersAddressesairpcap.dllAirpcapGetLastErrorAirpcapGetDeviceListAirpcapFreeDeviceListAirpcapOpenAirpcapCloseAirpcapGetLinkTypeAirpcapSetKernelBufferAirpcapSetFilterAirpcapGetMacAddressAirpcapSetMinToCopyAirpcapGetReadEventAirpcapReadAirpcapGetStatsAirpca
Classification label
Source: classification engine | Classification label: clean1.winDLL@43/0@0/0
PE file has an executable .text section and no other executable section
Source: Packet.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Safer\CodeIdentifiers is the Software Restriction Policies key; it is consulted as part of ordinary process start-up, and the read here is attributed to the sandbox's own loaddll32.exe loader.
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Packet.dll',DllRegisterServer
Spawns processes
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Packet.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Packet.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketAllocatePacket
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketCloseAdapter
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketFreePacket
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetAdapterNames
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetAirPcapHandle
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetDriverVersion
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetNetInfoEx
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetNetType
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetReadEvent
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetStats
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetStatsEx
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketGetVersion
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketInitPacket
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketIsDumpEnded
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketLibraryVersion
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketOpenAdapter
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketReceivePacket
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketRequest
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketSendPacket
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketSendPackets
Source: C:\Windows\System32\loaddll32.exe | Process created: the same 21 rundll32.exe command lines listed above (DllRegisterServer plus the 20 Packet* exports), with loaddll32.exe as the parent of each.
This process tree is the sandbox's DLL cookbook at work: loaddll32.exe maps the sample, enumerates its exports and invokes each one in a separate rundll32.exe process, which is what lights the Rundll32 cells in the MITRE matrix. None of the process creations is attributed to code in Packet.dll itself.
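The command lines above follow the rundll32 grammar `<rundll32 image> <dll>,<entry point> [arguments]`, and a detection engineer reading this report will want to pull the DLL path and export out of such lines and flag the ones that load from a user-writable directory. The following is an added example, not part of the Joe Sandbox report and not WinPcap code; the event list is constructed from two command lines in the report plus two hypothetical lines (a Temp\x.dll ordinal call and a shell32.dll Control_RunDLL call) added for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of (parent image, command line) pairs, shaped like a
# process-creation log. The first two are taken from the report; the
# Temp\x.dll and shell32.dll lines are hypothetical additions for contrast.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\loaddll32.exe",
     r"C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Packet.dll',DllRegisterServer"),
    (r"C:\Windows\System32\loaddll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\Packet.dll,PacketOpenAdapter"),
    (r"C:\Windows\explorer.exe",
     r"rundll32.exe C:\Users\user\AppData\Local\Temp\x.dll,#1"),
    (r"C:\Windows\System32\svchost.exe",
     r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
]

# rundll32 grammar: <rundll32 image> <dll>,<entry point> [arguments]
# The DLL may be quoted (single quotes are how this report renders them);
# the entry point is an export name or #ordinal.
RUNDLL32_RE = re.compile(
    r"""^\s*
        (?:"[^"]*rundll32\.exe"|'[^']*rundll32\.exe'|\S*rundll32\.exe)   # image
        \s+
        (?P<dll>"[^"]+"|'[^']+'|[^\s,]+)                                  # DLL path
        \s*,\s*
        (?P<entry>\#?\w+)                                                  # export or #ordinal
        (?:\s+(?P<args>.*))?
        \s*$""",
    re.IGNORECASE | re.VERBOSE,
)

# Path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Rundll32Call:
    dll: str              # DLL path as written on the command line, quotes removed
    entry: str            # export name, or "#<n>" for an ordinal
    args: Optional[str]   # anything after the entry point, if present


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Return the DLL/entry pair of a rundll32 command line, or None when the
    command line is not a rundll32 invocation."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return Rundll32Call(dll=m.group("dll").strip("\"'"),
                        entry=m.group("entry"),
                        args=m.group("args"))


def triage(events):
    """Return (parent, dll, entry, reasons) for each rundll32 call that loads
    from a user-writable directory or calls an export by ordinal."""
    findings = []
    for parent, cmd in events:
        call = parse_rundll32(cmd)
        if call is None:
            continue
        reasons = []
        if any(marker in call.dll.lower() for marker in USER_WRITABLE):
            reasons.append("dll in user-writable path")
        if call.entry.startswith("#"):
            reasons.append("export called by ordinal")
        if reasons:
            findings.append((parent, call.dll, call.entry, reasons))
    return findings


if __name__ == "__main__":
    for parent, dll, entry, reasons in triage(SAMPLE_EVENTS):
        print(f"{parent} -> rundll32 {dll},{entry}: {'; '.join(reasons)}")
```

Both report lines are flagged because the sandbox places the sample on the Desktop; in production the parent process is the discriminator, since loaddll32.exe is a sandbox harness and a rundll32.exe whose parent is explorer.exe or an Office process loading from AppData deserves the alert.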
PE / OLE file has a valid certificate
Source: Packet.dll | Static PE information: certificate valid
A valid Authenticode signature means the file has not been modified since it was signed and ties it to the signer's certificate chain; the signer is not named in this section, and a valid signature on its own says nothing about what the code does.
PE file contains a mix of data directories often seen in goodware
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: Packet.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: c:\releases\winpcap_4_1_3\winpcap\packetNtx\Dll\Project\Release No NetMon\x86\Packet.pdb (source: Packet.dll)
The PDB path identifies the build as the 32-bit "Release No NetMon" configuration of WinPcap 4.1.3's packetNtx project, which matches the Packet* export names and the NPF device strings seen elsewhere in this report.
PE file contains a valid data directory to section mapping
Source: Packet.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Packet.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Packet.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Packet.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Packet.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
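The static checks in this section (a single executable .text section, a DEBUG directory present, and each data directory landing in the section one would expect) can be reproduced with a small PE32 header parser. What follows is an added example, not Joe Sandbox or WinPcap code. Because the page does not carry the binary, `build_sample_pe()` constructs a synthetic PE32 header with the layout the report describes, and the parser reads headers only, never section contents; section names, addresses and sizes in the sample are assumptions chosen to mirror the report.

```python
import struct

# Section characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

# IMAGE_DIRECTORY_ENTRY_* names in index order
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_pe(data: bytes):
    """Return ({directory name: (rva, size)}, [section dicts]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]   # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + i * 8)
        if rva or size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    table = opt + opt_size                                # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "chars": chars})
    return dirs, sections


def executable_sections(sections):
    return [s["name"] for s in sections if s["chars"] & IMAGE_SCN_MEM_EXECUTE]


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None   # RVA outside every section: malformed or deliberately odd


def directory_sections(dirs, sections):
    """Map each data directory to the section its RVA falls in. SECURITY is
    skipped: its entry is a raw file offset to the Authenticode blob, not an RVA."""
    return {name: section_for_rva(sections, rva)
            for name, (rva, _) in dirs.items() if name != "SECURITY"}


def static_summary(data: bytes):
    dirs, sections = parse_pe(data)
    return {
        "executable_sections": executable_sections(sections),
        "has_debug_directory": "DEBUG" in dirs,
        "directory_sections": directory_sections(dirs, sections),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 header (no section bodies) laid out as the report
    describes Packet.dll: .text is the only executable section; IMPORT, IAT,
    LOAD_CONFIG and DEBUG sit in .rdata, RESOURCE in .rsrc, BASERELOC in .reloc."""
    secs = [  # name, virtual address, virtual size, characteristics (assumed values)
        (b".text",  0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x2000, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".rsrc",  0x3000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x4000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    placed = {"IMPORT": 0x2000, "DEBUG": 0x2100, "LOAD_CONFIG": 0x2200,
              "IAT": 0x2300, "RESOURCE": 0x3000, "BASERELOC": 0x4000}
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x2102)  # i386, 32-bit, DLL
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # magic: PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    for i, name in enumerate(DIRECTORY_NAMES):
        if name in placed:
            struct.pack_into("<II", opt, 96 + i * 8, placed[name], 0x40)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(static_summary(build_sample_pe()))
```

On a real file, `static_summary(open(path, "rb").read())` yields the same dictionary. A second executable section, a directory whose RVA maps to no section, or a DLL without a BASERELOC directory are the deviations from this baseline worth a closer look.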

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported for three rundll32.exe processes)
Setting SEM_NOOPENFILEERRORBOX suppresses only the "file not found" dialog when a load fails; it is typical of rundll32.exe itself, and the report attributes it to the process rather than to a module, so it is not evidence of evasion by the sample on its own.

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 2968 | Thread sleep time: -60000s >= -30000s
The source process is loaddll32.exe, the sandbox's own DLL loader (it also maps the sample, so the thread is not attributable to one module from this line alone); a single 60 s wait against the signature's 30 s threshold is weak evidence by itself and is the only Virtualization/Sandbox Evasion match in the matrix.

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 193290 | Sample: Packet.dll | Start date: 03/12/2019 | Architecture: WINDOWS | Score: 1
Process tree (graph rendering not preserved): loaddll32.exe started rundll32.exe, rundll32.exe, rundll32.exe and 18 other processes.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| Packet.dll | 0% | Virustotal | |
| Packet.dll | 0% | Metadefender | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
