Play interactive tour

Edit tour

Analysis Report jesovROZ8A

Overview

General Information

Sample Name:	jesovROZ8A (renamed file extension from none to exe)
Analysis ID:	346431
MD5:	039ce25d495fa555ae1c210592b564d0
SHA1:	6684d0ffde174052a03931981262dc0a7cb9891c
SHA256:	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
Tags:	unnamed3
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Checks if the current process is being debugged

Detected potential crypto function

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

jesovROZ8A.exe (PID: 6760 cmdline: 'C:\Users\user\Desktop\jesovROZ8A.exe' MD5: 039CE25D495FA555AE1C210592B564D0)

WerFault.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: jesovROZ8A.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: jesovROZ8A.exe	Virustotal: Detection: 85%			Perma Link
Source: jesovROZ8A.exe	ReversingLabs: Detection: 100%

Machine Learning detection for sample

Show sources

Source: jesovROZ8A.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: jesovROZ8A.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00401401
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00403827
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040142A
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00401C2B
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040C4D3
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040BCEA
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004080B0
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040AD5F
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040AD60
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00408116
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00417516
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040FD1C
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410528
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0042313D
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004125CA
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004131CC
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004221ED
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004065F2
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004065F6
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00411982
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410DBE
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00413220
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00421AE6
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041B2F3
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D684
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D6A0
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041BF43
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00404B50
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00409711
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041E32C
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040E734
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0041CBD1
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004203E1
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040BFFB
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00425FFC
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00407388

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588

Source: jesovROZ8A.exe, 00000000.00000000.196191725.0000000000446000.00000008.00020000.sdmp	Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe
Source: jesovROZ8A.exe	Binary or memory string: OriginalFilenameChevy.exe` vs jesovROZ8A.exe

Source: jesovROZ8A.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: jesovROZ8A.exe

Static PE information: Section: UPX1 ZLIB complexity 0.996900699013

Source: classification engine

Classification label: mal60.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6760

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4E7.tmp

Jump to behavior

Source: C:\Users\user\Desktop\jesovROZ8A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: jesovROZ8A.exe	Virustotal: Detection: 85%
Source: jesovROZ8A.exe	ReversingLabs: Detection: 100%

Source: unknown	Process created: C:\Users\user\Desktop\jesovROZ8A.exe 'C:\Users\user\Desktop\jesovROZ8A.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588

Data Obfuscation:

Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D056 push ds; retf
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00405414 push ds; retn 0000h
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004060E9 push ecx; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00410DFE pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040D5B6 push 00880000h; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_004046EA pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_00405EFB pushad ; ret
Source: C:\Users\user\Desktop\jesovROZ8A.exe	Code function: 0_2_0040577F push edi; ret

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Source: C:\Users\user\Desktop\jesovROZ8A.exe

Process queried: DebugPort

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
jesovROZ8A.exe	86%	Virustotal		Browse
jesovROZ8A.exe	100%	ReversingLabs	Win32.Trojan.Zeus
jesovROZ8A.exe	100%	Avira	TR/Sirefef.AO
jesovROZ8A.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.jesovROZ8A.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.jesovROZ8A.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346431
Start date:	31.01.2021
Start time:	15:48:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 32s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	jesovROZ8A (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.winEXE@2/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 98.3% (good quality ratio 69.2%) Quality average: 47% Quality standard deviation: 34.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 13.88.21.125 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net

Simulations

Behavior and APIs

Time	Type	Description
15:48:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_jesovROZ8A.exe_43fc5ffcbae1f11637667ee26b773884583759_76289d07_1ac5feab\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11736
Entropy (8bit):	3.7735213884049688
Encrypted:	false
SSDEEP:	192:detqH/8yKjHBUZMXYjdKV//u7sOS274ItDXs:lH/8y+BUZMXYjM/u7sOX4ItDXs
MD5:	1F9065E7408B870CE000895D72BE6A22
SHA1:	0731D48C9E06AAE9C2C741D4AFAFD8F93B8E9257
SHA-256:	BB16FA02BECA9949F44A76A51E9DD2437455DEE884D5DCF1B581AA1500869FE3
SHA-512:	401D96BE2B1D6E8C24A018F0F01498848EC954D28F8588947B948A9D87D4322684E2C56E4AADED71C5CF3B3B4906C710966BC6DA0964D6C369EC823DF8CC2E0A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.6.1.0.5.3.7.2.6.9.1.3.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.6.1.0.5.3.7.9.7.2.2.6.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.6.9.b.2.f.d.-.5.e.3.3.-.4.2.d.5.-.b.a.6.1.-.8.e.2.8.8.8.d.f.d.f.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.9.4.8.7.1.9.-.3.3.c.2.-.4.e.f.d.-.a.4.e.5.-.8.a.a.c.f.0.4.0.c.5.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.e.s.o.v.R.O.Z.8.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.h.e.v.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.8.-.0.0.0.1.-.0.0.1.7.-.8.a.2.6.-.d.2.a.2.2.b.f.8.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.e.9.9.7.4.9.2.3.7.a.0.6.0.7.c.4.b.f.6.b.d.7.1.4.a.8.4.d.c.b.3.0.0.0.0.0.9.0.4.!.0.0.0.0.6.6.8.4.d.0.f.f.d.e.1.7.4.0.5.2.a.0.3.9.3.1.9.8.1.2.6.2.d.c.0.a.7.c.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4E7.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Jan 31 23:48:57 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	47426
Entropy (8bit):	2.2142712366005073
Encrypted:	false
SSDEEP:	192:aIgGguASAaeMREMvIeWYxbsxzrpAkY2gA2wa7BU1a1RAf82Dik8lYF1:ouASuM/vWYxbsx3px1p2Bia1v2DikX1
MD5:	52730B8719E5E6ADA0DDD23137DB1025
SHA1:	D77EB63F64A52355BD6367543D4BE03D473A952C
SHA-256:	B5C0EA4849E308E885601FBD5CA80B9950DF9AC1A034234E3B3E4C13FD242FBD
SHA-512:	E73263BF26B27042762A14EB4E1D3A46684DE6B2AAD57AB6529B7CBED768F5B5ACE4DEE17210EBAEB0E893998CE84E13AC95F636956E4D292C9C63065521FC69
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........A.`...................U...........B..............GenuineIntelW...........T.......h....A.`.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6DC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.697242777046635
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNitk6oB6YSeSUtDSXgmfPjSE+CprR889b/usfo1m:RrlsNiu6O6YbSUtDqgmfPjScp/tfn
MD5:	253C880FCCD1BF88B0F083950A8096F8
SHA1:	9A177F3B2F9D6BA34F503D0F7B2DBC42AC436FD0
SHA-256:	F29C38900CEA01AC63940684272EEE69631131A20A1B6BA4F15302D1B8EADF01
SHA-512:	A581C2992AB4F8F1E222236A02784B833B851095C5D73EF2D5BC0B6297DDE0100012129380B86CC2D87B42AC8E9AC6698588D69A684F1348DCD4D11A0B8F36F2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF74A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.460278992789587
Encrypted:	false
SSDEEP:	48:cvIwSD8zsRJgtWI9icWSC8BU8fm8M4JosSF8+q8qrNP9M0hpd:uITfjVVSNfJP1P9MCpd
MD5:	7AB859FAC8A6073B41D1278803874FE3
SHA1:	D21F3474E448E6487C03D907BCFCD690B1F88BC5
SHA-256:	0E0E5DC3F8274CFF34F98D4B29842A0E8BFA685507CF1083692FFF98AB8A12F1
SHA-512:	85BF87601753F3B2B07D81343906660F57227E940895AD4C4DF880204491EEF31D61E676AC9DDD04BEAF36D60A695BBCF9DB16DEF8085EBE4FC5557A4FC203F9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="841499" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9178862272744785
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	jesovROZ8A.exe
File size:	202240
MD5:	039ce25d495fa555ae1c210592b564d0
SHA1:	6684d0ffde174052a03931981262dc0a7cb9891c
SHA256:	94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab
SHA512:	c2be8d6b80e57339957f370b4ac31bd03140f9a9ed4865926eb6d7e5a69d3510b046930c1933d38629b4c3bcae007b6cf5e6140463ab6e064820cdd91bbd46bb
SSDEEP:	3072:RD9PfpJ/v2bIfdjba+htCsw0qv2AYjGX9E7e+q8EOADhpsWgXDeet78Bx/rUyMHL:RXJWbUTwsTqvdMO9nnSmphgTeE4B+8U
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F...'...'...'......h%......;'...k...'..0...C'...y...&..<&...%.......&..^....%...w...&...3...$.......$...7..Z&..Rich.'.........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x445590
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D771DAA [Wed Mar 9 06:26:50 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	8
OS Version Minor:	2
File Version Major:	8
File Version Minor:	2
Subsystem Version Major:	8
Subsystem Version Minor:	2
Import Hash:	976c9384d1a3c367e491662f20af4316

Entrypoint Preview

Instruction
pushad
mov esi, 00416000h
lea edi, dword ptr [esi-00015000h]
push edi
jmp 00007F6AFC7A0E6Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F6AFC7A0E69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6AFC7A0E4Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F6AFC7A0E69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F6AFC7A0E51h
jne 00007F6AFC7A0E6Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F6AFC7A0E46h
xor ecx, ecx
sub eax, 03h
jc 00007F6AFC7A0E6Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F6AFC7A0ED6h
mov ebp, eax
add ebx, ebx
jne 00007F6AFC7A0E69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F6AFC7A0E69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F6AFC7A0E82h
inc ecx
add ebx, ebx
jne 00007F6AFC7A0E69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F6AFC7A0E51h
jne 00007F6AFC7A0E6Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F6AFC7A0E46h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F6AFC7A0E71h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F6AFC7A0E59h
jmp 00007F6AFC7A0DC8h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 04h
jnbe 00007F6AFC7A0E53h
add edi, ecx
jmp 00007F6AFC7B0DB1h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4749c	0x428	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0x149c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x15000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x16000	0x30000	0x2f800	False	0.996900699013	data	7.94664222533	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0x2000	0x1a00	False	0.621394230769	data	5.74902503533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_FONT	0x463ec	0x5	data	English	United States
RT_FONT	0x463f8	0x5	data	English	United States
RT_FONT	0x46404	0x5	data	English	United States
RT_FONT	0x46410	0x5	data	English	United States
RT_FONT	0x4641c	0x5	data	English	United States
RT_FONT	0x46428	0x5	data	English	United States
RT_FONT	0x46434	0x5	data	English	United States
RT_FONT	0x46440	0x5	data	English	United States
RT_FONT	0x4644c	0x5	data	English	United States
RT_RCDATA	0x46458	0xb08	data	English	United States
RT_VERSION	0x46f64	0x32c	data	English	United States
RT_MANIFEST	0x47294	0x1be	ASCII text, with CRLF line terminators	English	United States
None	0x47458	0x5	data	English	United States
None	0x47464	0x5	Non-ISO extended-ASCII text, with no line terminators	English	United States
None	0x47470	0x5	data	English	United States
None	0x4747c	0x5	data	English	United States
None	0x47488	0x5	data	English	United States
None	0x47494	0x5	data	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll	RegEnumKeyW
comctl32.dll	ImageList_Add
comdlg32.dll	ChooseColorW
crypt32.dll	CryptProtectData
gdi32.dll	DPtoLP
msimg32.dll	AlphaBlend
msvcrt.dll	exit
ole32.dll	DoDragDrop
rpcrt4.dll	UuidEqual
secur32.dll	GetUserNameExW
shell32.dll	ShellAboutW
shlwapi.dll	UrlIsW
urlmon.dll	CreateAsyncBindCtx
user32.dll	GetDC
version.dll	VerQueryValueW
wininet.dll	InternetOpenW
winmm.dll	mixerOpen

Version Infos

Description	Data
LegalCopyright	Crops Mama Poll 2003-2010
InternalName	Firm Veal Pores Funds Elms
FileVersion	8.9
CompanyName	Foundstone Inc.
ProductName	Yak Press Bent Met Shuts Cogent
ProductVersion	8.9
FileDescription	Wrong Knot Wilt Alto Shrew Strap
OriginalFilename	Chevy.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 31, 2021 15:48:51.427562952 CET	53195	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:51.486624002 CET	53	53195	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:52.618102074 CET	50141	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:52.669011116 CET	53	50141	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:53.823244095 CET	53023	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:53.871365070 CET	53	53023	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:55.231226921 CET	49563	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:55.279221058 CET	53	49563	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:56.441545963 CET	51352	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:56.489640951 CET	53	51352	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:57.840215921 CET	59349	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:57.891206980 CET	53	59349	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:59.063894033 CET	57084	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:59.113573074 CET	53	57084	8.8.8.8	192.168.2.3
Jan 31, 2021 15:48:59.712811947 CET	58823	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:48:59.775988102 CET	53	58823	8.8.8.8	192.168.2.3
Jan 31, 2021 15:49:01.016613007 CET	57568	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:49:01.064748049 CET	53	57568	8.8.8.8	192.168.2.3
Jan 31, 2021 15:49:02.666138887 CET	50540	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:49:02.719952106 CET	53	50540	8.8.8.8	192.168.2.3
Jan 31, 2021 15:49:03.982455015 CET	54366	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:49:04.032974958 CET	53	54366	8.8.8.8	192.168.2.3
Jan 31, 2021 15:49:05.172704935 CET	53034	53	192.168.2.3	8.8.8.8
Jan 31, 2021 15:49:05.223520994 CET	53	53034	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: jesovROZ8A.exe PID: 6760 Parent PID: 5912

General

Start time:	15:48:55
Start date:	31/01/2021
Path:	C:\Users\user\Desktop\jesovROZ8A.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\jesovROZ8A.exe'
Imagebase:	0x400000
File size:	202240 bytes
MD5 hash:	039CE25D495FA555AE1C210592B564D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exe PID: 6820 Parent PID: 6760

General

Start time:	15:48:56
Start date:	31/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 588
Imagebase:	0xfe0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report jesovROZ8A

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: jesovROZ8A.exe PID: 6760 Parent PID: 5912

General

Analysis Process: WerFault.exe PID: 6820 Parent PID: 6760

General

Disassembly

Code Analysis