Analysis Report sample-20200214-unpacked.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208479
Start date: 14.02.2020
Start time: 16:18:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sample-20200214-unpacked.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.adwa.evad.winEXE@8/17@2/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 91%)
  • Quality average: 77.9%
  • Quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.109.124.22, 205.185.216.42, 205.185.216.10, 2.20.142.209, 2.20.142.210, 8.248.115.254, 8.248.117.254, 67.27.158.126, 8.253.204.120, 67.26.83.254, 67.26.73.254, 67.27.158.254, 67.26.75.254, 8.253.95.249, 67.26.81.254
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 100   | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through Module Load1 | Startup Items1 | Startup Items1 | Masquerading111 | Input Capture1 | System Time Discovery1 | Remote File Copy1 | Input Capture1 | Data Compressed | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Defacement1
Replication Through Removable Media | Service Execution | Registry Run Keys / Startup Folder12 | Process Injection52 | Software Packing1 | Network Sniffing | Process Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection52 | Input Capture | Security Software Discovery2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information1 | Credentials in Files | System Information Discovery12 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | DLL Side-Loading1 | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\cell_jr.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Antivirus detection for sample
Source: sample-20200214-unpacked.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\cell_jr.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample-20200214-unpacked.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.cell_jr.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.cell_jr.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.sample-20200214-unpacked.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.sample-20200214-unpacked.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 3_2_10001280 _fwprintf,socket,htons,inet_addr,htons,memset,GetCurrentProcessId,htons,strlen,strlen,sendto,recvfrom,strlen,3_2_10001280
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: sample-20200214-unpacked.exe, 00000000.00000002.4320671737.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401120 MessageBoxA,SystemParametersInfoA,ExitProcess,0_2_00401120

System Summary:

PE file contains executable resources (Code or Archives)
Source: sample-20200214-unpacked.exe | Static PE information: Resource name: PUH type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: cell_jr.exe.0.dr | Static PE information: Resource name: PUH type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: cell_jr.exe0.0.dr | Static PE information: Resource name: PUH type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Classification label
Source: classification engine | Classification label: mal100.rans.adwa.evad.winEXE@8/17@2/0
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401750 FindResourceA,LoadResource,LockResource,SizeofResource,VirtualAlloc,memcpy,FreeResource,0_2_00401750
Creates files inside the user directory
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Documents\cell_jr.exe
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
PE file has an executable .text section and no other executable section
Source: sample-20200214-unpacked.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample reads its own file content
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File read: C:\Users\user\Desktop\sample-20200214-unpacked.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\sample-20200214-unpacked.exe 'C:\Users\user\Desktop\sample-20200214-unpacked.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWow64\notepad.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWow64\notepad.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWow64\notepad.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWow64\notepad.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
PE file contains a debug data directory
Source: sample-20200214-unpacked.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Users\IEUser\Desktop\maif-201920\Debug\dll.pdb source: sample-20200214-unpacked.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00402146 push ecx; ret 0_2_00402159
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 3_2_10002126 push ecx; ret 3_2_10002139

Persistence and Installation Behavior:

Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Documents\cell_jr.exe
Drops PE files
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Favorites\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\mirai.dll
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Local\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Documents\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Videos\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\Pictures\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\cell_jr.exe
Drops PE files to the user directory
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\mirai.dll

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\mirai.dll
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\cell_jr.exe
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\cell_jr.exe\:Zone.Identifier:$DATA

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Queries a list of all running processes
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401EEC IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00401EEC
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_0040204E SetUnhandledExceptionFilter,0_2_0040204E
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00402332 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00402332
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401EEC IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00401EEC
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 3_2_1000233D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_1000233D
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 3_2_10001E94 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_10001E94

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4D0000 protect: page read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe | Memory allocated: C:\Windows\SysWOW64\notepad.exe base: B10000 protect: page read and write
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401300 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,strlen,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread,0_2_00401300
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 76EE57B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe | Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 76EE57B0
DLL side loading technique detected
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: C:\Users\user\mirai.dll
Injects files into Windows application
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\mirai.dll was created by C:\Users\user\Desktop\sample-20200214-unpacked.exe
Writes to foreign memory regions
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: 4D0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe | Memory written: C:\Windows\SysWOW64\notepad.exe base: B10000
May try to detect the Windows Explorer process (often used for injection)
Source: notepad.exe, 00000003.00000002.4736181809.0000000003040000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.4747127013.00000000036B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: notepad.exe, 00000003.00000002.4736181809.0000000003040000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.4747127013.00000000036B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000003.00000002.4736181809.0000000003040000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.4747127013.00000000036B0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: notepad.exe, 00000003.00000002.4736181809.0000000003040000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.4747127013.00000000036B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_0040217E cpuid 0_2_0040217E
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\sample-20200214-unpacked.exe | Code function: 0_2_00401DDB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00401DDB

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: sample-20200214-unpacked.exe, cell_jr.exe, 00000004.00000000.4344550181.0000000000403000.00000002.00020000.sdmp | Binary or memory string: avguard.exe

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time     | Type      | Description
16:20:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cell_jr.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                       | Detection | Scanner        | Label
sample-20200214-unpacked.exe | 100%      | Avira          | TR/Dropper.Gen
sample-20200214-unpacked.exe | 100%      | Joe Sandbox ML |

Dropped Files

Source                                  | Detection | Scanner        | Label
C:\Users\user\AppData\Local\cell_jr.exe | 100%      | Avira          | TR/Dropper.Gen
C:\Users\user\AppData\Local\cell_jr.exe | 100%      | Joe Sandbox ML |

Unpacked PE Files

Source                                           | Detection | Scanner | Label
4.0.cell_jr.exe.400000.0.unpack                  | 100%      | Avira   | TR/Dropper.Gen
4.2.cell_jr.exe.400000.0.unpack                  | 100%      | Avira   | TR/Dropper.Gen
0.2.sample-20200214-unpacked.exe.400000.0.unpack | 100%      | Avira   | TR/Dropper.Gen
0.0.sample-20200214-unpacked.exe.400000.0.unpack | 100%      | Avira   | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
