Analysis Report wget.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193295
Start date: 03.12.2019
Start time: 07:19:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: wget.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean6.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 0.4% (good quality ratio 0.4%)
  • Quality average: 63.7%
  • Quality standard deviation: 31.8%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 6
Range: 0 - 100
Whitelisted: true
Detection: clean

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix

Techniques are listed per tactic column; a trailing number is the signature-count badge shown in the original matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command-Line Interface 2; Execution through API 2; Windows Management Instrumentation; Scheduled Task
Persistence: Application Shimming 1; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Application Shimming 1; Path Interception; DLL Search Order Hijacking
Defense Evasion: Software Packing 1; Process Injection 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 21
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: System Time Discovery 2; Security Software Discovery 1; File and Directory Discovery 1; System Information Discovery 24
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 1; Commonly Used Port 1; Custom Cryptographic Protocol; Multiband Communication
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe; Disk Content Wipe

Signature Overview

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_0047DA7E

Networking:

Urls found in memory or binary data
Source: wget.exe | String found in binary or memory: http://upx.tsx.org
Source: wget.exe, wget.exe, 00000000.00000002.1748614822.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: wget.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: wget.exe, 00000000.00000002.1748614822.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html....................

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00444060
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0048D000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00497000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00496000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0049C000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00499000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00493000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00495000
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00447010
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00492011
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0042F020
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00446080
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004471C0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00423250
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00442260
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004402C0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00450350
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0044F310
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004A0317
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004473C0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0043E3E0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00453380
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00446470
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00476400
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0049641B
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0040E430
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004304E0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004954A2
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00445540
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00457540
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0043D500
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00406522
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047A52C
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00433530
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0049C58C
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00444650
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00453650
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0048A660
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00446610
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00450630
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004946C9
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00457780
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00446820
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00443830
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_004468A9
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00444910
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00445A50
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00423A60
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00447A10
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00493ACF
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00494AFB
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00443B00
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00441BC0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00424B90
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00444C60
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00445C00
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041DC80
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0040CDC0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00494DFB
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00424DA7
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0048EDA4
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00445E00
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047FE3E
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0048EEC8
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00442E89
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00422F60
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00424F60
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0043FF60
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0048DF21
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00441F90
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 004759CC appears 61 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00424460 appears 149 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00426FD0 appears 35 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041EE10 appears 51 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 004048C0 appears 37 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00473A00 appears 405 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041F000 appears 169 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00422450 appears 177 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00473A3D appears 66 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00477606 appears 37 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00421100 appears 33 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0047A4E0 appears 67 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 00434C80 appears 39 times
Source: C:\Users\user\Desktop\wget.exe | Code function: String function: 0041F090 appears 164 times
Classification label
Source: classification engine | Classification label: clean6.winEXE@2/1@0/0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01
Reads software policies
Source: C:\Users\user\Desktop\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: -h, --help print this help.
Source: wget.exe | String found in binary or memory: bind-address
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: set-addPolicy
Source: wget.exe | String found in binary or memory: --bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host.
Source: wget.exe | String found in binary or memory: id-cmc-addExtensions
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Source: wget.exe | String found in binary or memory: Try `%s --help' for more options.
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\wget.exe 'C:\Users\user\Desktop\wget.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00479999 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00479999
PE file contains sections with non-standard names
Source: wget.exe | Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047A51B push ecx; ret 0_2_0047A52B
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00473A00 push eax; ret 0_2_00473A14
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00473A00 push eax; ret 0_2_00473A3C
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041FDB0 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_0041FDB0

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490083 rdtsc 0_2_00490083
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\wget.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-69839
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\wget.exe | API coverage: 6.4 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00475634 FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_00475634
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047DA7E FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,0_2_0047DA7E
Contains functionality to query system information
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0047F42E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_0047F42E

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490083 rdtsc 0_2_00490083
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00479999 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00479999

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,0_2_0047D1C1
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,0_2_0047D1F8
Source: C:\Users\user\Desktop\wget.exe | Code function: _strlen,EnumSystemLocalesA,0_2_0047D27E
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,0_2_0047D2D3
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,0_2_0048263D
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,0_2_00483C9C
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,_strncpy,0_2_0047CCA2
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,0_2_00483D58
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_2_00483DCC
Source: C:\Users\user\Desktop\wget.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,0_2_00483E7F
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00490000 cpuid 0_2_00490000
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00481431 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter,0_2_00481431
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00478BA8 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_00478BA8
Contains functionality to query windows version
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_00477F6E GetVersionExA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,0_2_00477F6E

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041D6B0 bind,WSAGetLastError,0_2_0041D6B0
Source: C:\Users\user\Desktop\wget.exe | Code function: 0_2_0041D710 listen,WSAGetLastError,0_2_0041D710

Behavior Graph

Behavior Graph ID: 193295
Sample: wget.exe
Startdate: 03/12/2019
Architecture: WINDOWS
Score: 6
Process tree: wget.exe (started) -> conhost.exe (started)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: wget.exe | Detection: 1% | Scanner: Virustotal
Source: wget.exe | Detection: 0% | Scanner: Metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

Source: 0.0.wget.exe.400000.0.unpack | Detection: 100% | Scanner: Avira | Label: TR/Crypt.XPACK.Gen
Source: 0.2.wget.exe.400000.0.unpack | Detection: 100% | Scanner: Avira | Label: TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source: http://upx.tsx.org | Detection: 0% | Scanner: Virustotal
Source: http://upx.tsx.org | Detection: 0% | Scanner: Avira URL Cloud | Label: safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
