Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"} |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Virustotal: Detection: 26% |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co |
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02286A2E NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02286C20 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02286A78 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02286AF8 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02286B94 NtAllocateVirtualMemory, |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721975031.00000000020B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000000.197037296.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Binary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe |
Source: classification engine | Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0 |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00409C54 push es; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_0040605F push 00000059h; retf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00406E64 push eax; retf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_0040A065 pushad ; retf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00409E0D push edx; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00409EF8 push ss; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00406AFE push es; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_004079CA push cs; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00409387 push ss; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00408D90 push cs; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_00403191 push dword ptr [ebp-44h]; ret |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02285356 push edi; iretd |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | RDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | RDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions: |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02284E28 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_02284440 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_022864F9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_022890F5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_022836DE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_0228993D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe | Code function: 0_2_022843FB mov eax, dword ptr fs:[00000030h] |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |