Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:50180
Start time:22:48:07
Joe Sandbox Product:CloudBasic
Start date:13.03.2018
Overall analysis duration:0h 5m 21s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:59Swift Copy.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 2
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Adjusted system time to: 28/3/1992
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe


Detection

StrategyScoreRangeReportingDetection
Threshold10 - 100Report FP / FNclean


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Signature Overview

Click to jump to signature section


Data Obfuscation:

barindex
Sample is packed with UPXShow sources
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_004A9E50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_1_004A9E50
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046F8CE push 0046F8FCh; ret 1_1_0046F8F4
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046D8EF push edx; ret 1_1_0046D8F4
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_004696D8 push 00469704h; ret 1_1_004696FC
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046AFF2 push 0000002Ch; ret 1_1_0046B008
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_00469900 push 0046992Ch; ret 1_1_00469924
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_00468F5C push 00468F88h; ret 1_1_00468F80
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046B5B5 push edx; ret 1_1_0046B5B8
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_004693C8 push 004693F4h; ret 1_1_004693EC
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046F8D0 push 0046F8FCh; ret 1_1_0046F8F4
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046CEF4 push ds; iretd 1_1_0046CEF7
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046CA7D push 0000002Ch; ret 1_1_0046CAA9
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046BF96 push edx; iretd 1_1_0046BFC7
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046FB04 push 0046FB2Ah; ret 1_1_0046FB22
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046E03A push es; iretd 1_1_0046E03D
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_00468F5A push 00468F88h; ret 1_1_00468F80
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046D618 push es; iretd 1_1_0046D625
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046C602 push 0000002Ch; ret 1_1_0046C63F

System Summary:

barindex
Executable creates window controls seldom found in malwareShow sources
Source: C:\Users\user\Desktop\59Swift Copy.exeWindow found: window name: TButton
Classification labelShow sources
Source: classification engineClassification label: clean1.winEXE@1/0@0/0
Parts of this applications are using Borland Delphi (Probably coded in Delphi)Show sources
Source: C:\Users\user\Desktop\59Swift Copy.exeKey opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads software policiesShow sources
Source: C:\Users\user\Desktop\59Swift Copy.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)Show sources
Source: 59Swift Copy.exeStatic PE information: Section: UPX1 ZLIB complexity 0.992459454114

Anti Debugging:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_004A9E50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_1_004A9E50

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Users\user\Desktop\59Swift Copy.exeCode function: 1_1_0046D085 cpuid 1_1_0046D085

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 process2 2 Behavior Graph ID: 50180 Sample: 59Swift Copy.exe Startdate: 13/03/2018 Architecture: WINDOWS Score: 1 4 59Swift Copy.exe 2->4         started       

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot