Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 49678
Start time: 17:26:53
Joe Sandbox Product: CloudBasic
Start date: 09.03.2018
Overall analysis duration: 0h 4m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: lefucu.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus25.evad.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 29
  • Number of non-executed functions: 101
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.8%)
  • Quality average: 85.7%
  • Quality standard deviation: 23.7%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Adjusted system time to: 21/6/1992
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   25      0 - 100   Report FP / FN   suspicious


Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   3       0 - 5   true


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine



Signature Overview


Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00420B30 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 1_2_00420B30
Contains functionality to retrieve information about pressed keystrokes
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00431694 GetKeyboardState, 1_2_00431694

Data Obfuscation:

Binary may include packed or encrypted code
  • Source: initial sample, Static PE information: section name: CODE entropy: 6.90553167448
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B154 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043B154
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B7A0 push 0043B82Dh; ret 1_2_0043B825
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004065E0 push 0040660Ch; ret 1_2_00406604
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00429710 push 0042973Ch; ret 1_2_00429734
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0041C478 push 0041C4A4h; ret 1_2_0041C49C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0041C256 push 0041C4A4h; ret 1_2_0041C49C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040FA74 push 0040FB88h; ret 1_2_0040FB80
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004142E8 push ecx; mov dword ptr [esp], edx 1_2_004142E9
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004196CC push ecx; mov dword ptr [esp], edx 1_2_004196CE
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040B7D8 push 0040B804h; ret 1_2_0040B7FC
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00429748 push 00429774h; ret 1_2_0042976C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004030E8 push eax; ret 1_2_00403124
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004239C4 push 004239F0h; ret 1_2_004239E8
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040B6F6 push 0040B767h; ret 1_2_0040B75F
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004073E4 push 00407410h; ret 1_2_00407408
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0042352C push 004235FCh; ret 1_2_004235F4
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043CA50 push 0043CA7Ch; ret 1_2_0043CA74
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00407195 push 00407410h; ret 1_2_00407408
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0042B0BC push 0042B126h; ret 1_2_0042B11E
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040F870 push 0040FA71h; ret 1_2_0040FA69
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00415D70 push ecx; mov dword ptr [esp], edx 1_2_00415D72
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00410960 push 0041098Ch; ret 1_2_00410984
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00423AB8 push 00423AE4h; ret 1_2_00423ADC
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040F80C push 0040F86Dh; ret 1_2_0040F865
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00425360 push 00425398h; ret 1_2_00425390
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00406658 push 00406684h; ret 1_2_0040667C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00410959 push 0041098Ch; ret 1_2_00410984
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B738 push 0043B79Eh; ret 1_2_0043B796
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040B6F8 push 0040B767h; ret 1_2_0040B75F
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00496968 push 0049698Eh; ret 1_2_00496986
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00431434 push ecx; mov dword ptr [esp], ecx 1_2_00431438
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004070E4 push 00407110h; ret 1_2_00407108

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00405958 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405958

System Summary:

Classification label
  • Source: classification engine, Classification label: sus25.evad.winEXE@1/0@0/0
Contains functionality for error logging
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0041F04C GetLastError,FormatMessageA, 1_2_0041F04C
Contains functionality to check free disk space
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0040858C GetDiskFreeSpaceA, 1_2_0040858C
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00413050 FindResourceA, 1_2_00413050
Parts of this application are using Borland Delphi (probably coded in Delphi)
  • Source: C:\Users\user\Desktop\lefucu.exe, Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads software policies
  • Source: C:\Users\user\Desktop\lefucu.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Detected potential crypto function
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004517CC
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00449364
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00452F20
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00482CEC
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00451000
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00443880
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0045270C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00451F68
Found potential string decryption / allocating functions
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: String function: 00404230 appears 71 times
Sample file is different than original file name gathered from version info
  • Source: lefucu.exe, Binary or memory string: OriginalFilenameuser32j% vs lefucu.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: lefucu.exe, Binary or memory string: Progman
  • Source: lefucu.exe, Binary or memory string: Program Manager
  • Source: lefucu.exe, Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B154 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043B154

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00405958 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00405958
Contains functionality to query system information
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0041F5DC GetSystemInfo, 1_2_0041F5DC
Found large amount of non-executed APIs
  • Source: C:\Users\user\Desktop\lefucu.exe, API coverage: 7.2 %
Contains functionality to detect sleep reduction / modifications
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0042AF9C GetTickCount,Sleep,GetTickCount,WinHelpA, 1_2_0042AF9C

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0044ED18 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0044ED18
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0044BE0C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0044BE0C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0044F40C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 1_2_0044F40C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0044F4BC IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 1_2_0044F4BC
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00423CF0 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00423CF0
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00436D84 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00436D84
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_00435BF8 IsIconic,GetCapture, 1_2_00435BF8
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_004364A0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_004364A0
Extensive use of GetProcAddress (often used to hide API calls)
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B154 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043B154

Language, Device and Operating System Detection:

Contains functionality to query Windows version
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: 1_2_0043B7A0 GetVersion, 1_2_0043B7A0
Contains functionality to query locale information (e.g. system language)
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405B10
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405C1C
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: GetLocaleInfoA,GetACP, 1_2_0040A5C8
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: GetLocaleInfoA, 1_2_004093C8
  • Source: C:\Users\user\Desktop\lefucu.exe, Code function: GetLocaleInfoA, 1_2_00409414

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Behavior Graph ID: 49678
Sample: lefucu.exe
Start date: 09/03/2018
Architecture: WINDOWS
Score: 25
Process: lefucu.exe (started)
Signature: Contains functionality to detect sleep reduction / modifications

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot