Analysis Report MjjnJ90i5q

Overview

General Information

Sample Name: MjjnJ90i5q (renamed file extension from none to exe)
Analysis ID: 359684
MD5: 6c7e2255031fdbb8efd157c2b4179319
SHA1: f77cf9bb93945feb70c2519debbfbaec476156f3
SHA256: 277371d2f69231c4beced4f5898f2a6bd57f1fe7488e50decc6e7ea63ad5677f
Tags: uncategorized

Detection

ZeusVM
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected ZeusVM e-Banking Trojan
Multi AV Scanner detection for submitted file
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
May initialize a security null descriptor
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MjjnJ90i5q.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: MjjnJ90i5q.exe Virustotal: Detection: 87%
Source: MjjnJ90i5q.exe ReversingLabs: Detection: 87%
Machine Learning detection for sample
Source: MjjnJ90i5q.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.MjjnJ90i5q.exe.400000.0.unpack Avira: Label: TR/Kazy.MK
Source: 0.0.MjjnJ90i5q.exe.400000.0.unpack Avira: Label: TR/Kazy.MK

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00412C66 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00412C66
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040D161 CryptUnprotectData,LocalFree, 0_2_0040D161

Compliance:

Uses 32bit PE files
Source: MjjnJ90i5q.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0041CCDE
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041702F FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0041702F
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_004170EA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_004170EA
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00413803 CreateFileW,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle, 0_2_00413803
Source: MjjnJ90i5q.exe String found in binary or memory: http://www.google.com/webhp
Source: MjjnJ90i5q.exe String found in binary or memory: http://www.google.com/webhpbc-vMY.txt

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00419823
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041D1BF EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage, 0_2_0041D1BF
Creates a DirectInput object (often for capturing keystrokes)
Source: MjjnJ90i5q.exe, 00000000.00000002.230060266.00000000006DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected ZeusVM e-Banking Trojan
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00404F00 lstrcmpiA,lstrcmpiA,lstrcmpiA,CloseHandle, 0_2_00404F00
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_004090BA OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation, 0_2_004090BA

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00419823
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00408D01 NtQueryInformationProcess,CloseHandle,NtCreateThread, 0_2_00408D01
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00408DB8 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle, 0_2_00408DB8
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_004132E3 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary, 0_2_004132E3
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040A8D1 InitiateSystemShutdownExW,ExitWindowsEx, 0_2_0040A8D1
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00406B42 CreateMutexW,GetLastError,CloseHandle,CloseHandle,ExitWindowsEx,OpenEventW,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00406B42
Detected potential crypto function
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041115E 0_2_0041115E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_004021EB 0_2_004021EB
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00412B72 0_2_00412B72
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00414714 0_2_00414714
Uses 32bit PE files
Source: MjjnJ90i5q.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal72.bank.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040C85B CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_0040C85B
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040C6E6 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore, 0_2_0040C6E6
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041308D GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_0041308D
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041A01E CloseHandle,CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle, 0_2_0041A01E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040D880 CoCreateInstance, 0_2_0040D880
Source: MjjnJ90i5q.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MjjnJ90i5q.exe Virustotal: Detection: 87%
Source: MjjnJ90i5q.exe ReversingLabs: Detection: 87%

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0041CCDE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00402475 push es; iretd 0_2_00402484
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00402B41 push cs; iretd 0_2_00402B50
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00402B0B push cs; ret 0_2_00402B20

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041A1A9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary, 0_2_0041A1A9

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041702F FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW, 0_2_0041702F
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_004170EA FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose, 0_2_004170EA
Source: MjjnJ90i5q.exe, 00000000.00000002.230060266.00000000006DA000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00419823 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,OpenInputDesktop,SwitchDesktop,DefWindowProcW,DefWindowProcA,DefDlgProcW,DefDlgProcA,DefFrameProcW,DefFrameProcA,DefMDIChildProcW,DefMDIChildProcA,CallWindowProcW,CallWindowProcA,RegisterClassW,RegisterClassA,RegisterClassExW,RegisterClassExA,BeginPaint,EndPaint,GetDCEx,GetDC,GetWindowDC,ReleaseDC,GetUpdateRect,GetUpdateRgn,GetMessagePos,GetCursorPos,SetCursorPos,SetCapture,ReleaseCapture,GetCapture,GetMessageW,GetMessageA,PeekMessageW,PeekMessageA,TranslateMessage,GetClipboardData,PFXImportCertStore, 0_2_00419823
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041CCDE GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW, 0_2_0041CCDE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00405BBA mov edx, dword ptr fs:[00000030h] 0_2_00405BBA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00405EFF GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId, 0_2_00405EFF
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00414FB0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_00414FB0
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041848E RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetLocalTime, 0_2_0041848E
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0040C68A GetUserNameExW, 0_2_0040C68A
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00411AEB GetTimeZoneInformation, 0_2_00411AEB
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_0041D883 GetVersionExW,GetNativeSystemInfo, 0_2_0041D883

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: MjjnJ90i5q.exe Binary or memory string: S:(ML;;NRNWNX;;;LW)

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: MjjnJ90i5q.exe String found in binary or memory: RFB 003.003
Source: MjjnJ90i5q.exe String found in binary or memory: RFB 003.003
Source: MjjnJ90i5q.exe String found in binary or memory: RFB 003.003
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00414DE1 socket,bind,closesocket, 0_2_00414DE1
Source: C:\Users\user\Desktop\MjjnJ90i5q.exe Code function: 0_2_00414B03 socket,bind,listen,closesocket, 0_2_00414B03
Behavior Graph

Behavior Graph ID: 359684
Sample: MjjnJ90i5q
Start date: 28/02/2021
Architecture: WINDOWS
Score: 72
Signatures on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Contains VNC / remote desktop functionality (version string found)
Process started: MjjnJ90i5q.exe (Detected ZeusVM e-Banking Trojan)
No contacted IP infos