
Windows Analysis Report ZDqKJkJ1Sb

Overview

General Information

Sample Name: ZDqKJkJ1Sb (renamed file extension from none to exe)
Analysis ID: 492690
MD5: 1d29d6cd39010976adcb9fcba517f3bc
SHA1: 86d13d8593d4eea9e5b8c9dca9a1d30c7c03f67c
SHA256: c27741b9e50da0c369b848179c9a4f9b0362b6d5e384055c6c72fc9667a270ec
Tags: 32, exe, trojan

Detection

SystemBC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected SystemBC
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
PE file contains strange resources
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Creates job files (autostart)
Contains functionality for execution timing, often used to detect debuggers

Process Tree

  • System is w10x64
  • ZDqKJkJ1Sb.exe (PID: 3528 cmdline: 'C:\Users\user\Desktop\ZDqKJkJ1Sb.exe' MD5: 1D29D6CD39010976ADCB9FCBA517F3BC)
  • ZDqKJkJ1Sb.exe (PID: 5916 cmdline: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe start MD5: 1D29D6CD39010976ADCB9FCBA517F3BC)
  • cleanup

Malware Configuration

Threatname: SystemBC

{"HOST1": "195.2.76.80", "HOST2": "195.2.76.80", "PORT1": "4001", "TOR": ""}

Yara Overview

Memory Dumps

Source: Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528
Rule: JoeSecurity_SystemBC
Description: Yara detected SystemBC
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 0.3.ZDqKJkJ1Sb.exe.740000.0.raw.unpack | Malware Configuration Extractor: SystemBC {"HOST1": "195.2.76.80", "HOST2": "195.2.76.80", "PORT1": "4001", "TOR": ""}
    Multi AV Scanner detection for submitted file
    Source: ZDqKJkJ1Sb.exe | Virustotal: Detection: 40%
    Source: ZDqKJkJ1Sb.exe | ReversingLabs: Detection: 81%

    Compliance:

    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack
    Source: ZDqKJkJ1Sb.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: Binary string: ZdIC:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb | source: ZDqKJkJ1Sb.exe
    Source: Binary string: C:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb | source: ZDqKJkJ1Sb.exe

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: 195.2.76.80
    Source: Malware configuration extractor | URLs: 195.2.76.80
    Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 195.2.76.80:4001
    Source: Joe Sandbox View | ASN Name: VDSINA-ASRU VDSINA-ASRU
    Source: unknown | TCP traffic detected without corresponding DNS query: 195.2.76.80 (reported 4 times)
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00402A1E select,recv, 0_2_00402A1E
    Source: ZDqKJkJ1Sb.exe, 00000000.00000002.263811427.000000000080A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: ZDqKJkJ1Sb.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Source: ZDqKJkJ1Sb.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 such resources)
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | File created: C:\Windows\Tasks\wow64.job
    Source: ZDqKJkJ1Sb.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: ZDqKJkJ1Sb.exe | Virustotal: Detection: 40%
    Source: ZDqKJkJ1Sb.exe | ReversingLabs: Detection: 81%
    Source: ZDqKJkJ1Sb.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe 'C:\Users\user\Desktop\ZDqKJkJ1Sb.exe'
    Source: unknown | Process created: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe C:\Users\user\Desktop\ZDqKJkJ1Sb.exe start
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Mutant created: \Sessions\1\BaseNamedObjects\wow64
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Mutant created: \BaseNamedObjects\wow64
    Source: classification engine | Classification label: mal84.troj.evad.winEXE@2/1@0/1
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_004023E6 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_004023E6
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: ZDqKJkJ1Sb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: ZdIC:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb | source: ZDqKJkJ1Sb.exe
    Source: Binary string: C:\vikofoyad_voguwoka\bowu\razu_tog\98 kifu42\kavuyuxayu\y.pdb | source: ZDqKJkJ1Sb.exe

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 0.2.ZDqKJkJ1Sb.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Unpacked PE file: 5.2.ZDqKJkJ1Sb.exe.400000.0.unpack
    Source: initial sample | Static PE information: section name: .text entropy: 7.39136293995
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | File created: C:\Windows\Tasks\wow64.job
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe TID: 4940 | Thread sleep time: -60000s >= -30000s
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00402D95 rdtsc 0_2_00402D95
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Thread delayed: delay time: 60000
    Source: ZDqKJkJ1Sb.exe, 00000005.00000002.516337873.0000000000754000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00402E3C mov eax, dword ptr fs:[00000030h] 0_2_00402E3C
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_0062092B mov eax, dword ptr fs:[00000030h] 0_2_0062092B
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_0062308C mov eax, dword ptr fs:[00000030h] 0_2_0062308C
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00620D90 mov eax, dword ptr fs:[00000030h] 0_2_00620D90
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00817D1E push dword ptr fs:[00000030h] 0_2_00817D1E
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 5_2_00402E3C mov eax, dword ptr fs:[00000030h] 5_2_00402E3C
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 5_2_0072092B mov eax, dword ptr fs:[00000030h] 5_2_0072092B
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 5_2_00720D90 mov eax, dword ptr fs:[00000030h] 5_2_00720D90
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 5_2_0072308C mov eax, dword ptr fs:[00000030h] 5_2_0072308C
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 5_2_0074F37E push dword ptr fs:[00000030h] 5_2_0074F37E
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_00402D95 rdtsc 0_2_00402D95
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_004020A8 CoInitialize,CoCreateInstance,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize, 0_2_004020A8
    Source: C:\Users\user\Desktop\ZDqKJkJ1Sb.exe | Code function: 0_2_004020A8 CoInitialize,CoCreateInstance,GetUserNameExW,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,CoUninitialize, 0_2_004020A8

    Stealing of Sensitive Information:

    Yara detected SystemBC
    Source: Yara match | File source: Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528, type: MEMORYSTR

    Remote Access Functionality:

    Yara detected SystemBC
    Source: Yara match | File source: Process Memory Space: ZDqKJkJ1Sb.exe PID: 3528, type: MEMORYSTR

    MITRE ATT&CK Matrix

    The matrix is listed per tactic below; the digits in parentheses are the report's per-technique signature badges as they appear in the original table.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Scheduled Task/Job (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
    Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Privilege Escalation: Process Injection (1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
    Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1 1); Process Injection (1); Obfuscated Files or Information (1); Software Packing (2 2); Steganography
    Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: System Time Discovery (1); Security Software Discovery (1 1); Virtualization/Sandbox Evasion (1 1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (1 2)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Command and Control: Non-Standard Port (1); Ingress Tool Transfer (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

    Behavior Graph

    [Behavior graph: rendered as an image in the original report. Its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious nodes and Internet endpoints.]

    Screenshots

    [Screenshot thumbnails: images in the original report, not reproduced in this text capture.]