Windows Analysis Report IfakQb9U15.exe

Overview

General Information

Sample Name: IfakQb9U15.exe
Analysis ID: 510140
MD5: 36f662b3c9a54c0c2427602f1463eb69
SHA1: 7e46615097282ac51ef08d3e4ac7d65ce6684a07
SHA256: d836a03e0b7eeabbc971de7d3e6fcc11bf06e13e633d11118c7429b3abb3c4ed
Tags: exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.376750362.0000000000460000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://gejajoo7.top/", "http://sysaheu9.top/"]}
Multi AV Scanner detection for submitted file
Source: IfakQb9U15.exe Virustotal: Detection: 38%
Source: IfakQb9U15.exe ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: IfakQb9U15.exe Avira: detected
Antivirus detection for URL or domain
Source: http://sysaheu9.top/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: gejajoo7.top Virustotal: Detection: 9%
Source: sysaheu9.top Virustotal: Detection: 12%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\jjevwiw Avira: detection malicious, Label: TR/Redcap.yyhtm
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\jjevwiw ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: IfakQb9U15.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jjevwiw Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.0.jjevwiw.400000.1.unpack Avira: Label: TR/Redcap.yyhtm
Source: 14.0.jjevwiw.400000.2.unpack Avira: Label: TR/Redcap.yyhtm
Source: 1.0.IfakQb9U15.exe.400000.0.unpack Avira: Label: TR/Redcap.yyhtm
Source: 14.0.jjevwiw.400000.3.unpack Avira: Label: TR/Redcap.yyhtm
Source: 3.0.IfakQb9U15.exe.400000.1.unpack Avira: Label: TR/Redcap.yyhtm
Source: 27.0.jjevwiw.400000.0.unpack Avira: Label: TR/Redcap.yyhtm
Source: 13.0.jjevwiw.400000.0.unpack Avira: Label: TR/Redcap.yyhtm
Source: 3.0.IfakQb9U15.exe.400000.2.unpack Avira: Label: TR/Redcap.yyhtm
Source: 3.0.IfakQb9U15.exe.400000.0.unpack Avira: Label: TR/Redcap.yyhtm
Source: 3.0.IfakQb9U15.exe.400000.3.unpack Avira: Label: TR/Redcap.yyhtm
Source: 14.0.jjevwiw.400000.0.unpack Avira: Label: TR/Redcap.yyhtm

Compliance:

Uses 32bit PE files
Source: IfakQb9U15.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: C:\gawi_lemi-morur\16\suweg\xoyabel\les pugoy-74_lafi\t.pdb source: IfakQb9U15.exe
Source: Binary string: HC:\gawi_lemi-morur\16\suweg\xoyabel\les pugoy-74_lafi\t.pdb source: IfakQb9U15.exe

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: gejajoo7.top
Source: C:\Windows\explorer.exe Domain query: sysaheu9.top
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://gejajoo7.top/
Source: Malware configuration extractor URLs: http://sysaheu9.top/
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 28.0.jjevwiw.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.jjevwiw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.jjevwiw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.1.jjevwiw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.jjevwiw.30815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.IfakQb9U15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.jjevwiw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.jjevwiw.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.jjevwiw.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.IfakQb9U15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.jjevwiw.4b215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IfakQb9U15.exe.31415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.376750362.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314233218.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.314273302.00000000006A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.296784154.00000000030C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.376904228.0000000001F51000.00000004.00020000.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: IfakQb9U15.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Contains functionality to call native functions
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00401927 Sleep,NtTerminateProcess, 3_2_00401927
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00401942 Sleep,NtTerminateProcess, 3_2_00401942
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00401949 Sleep,NtTerminateProcess, 3_2_00401949
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00401956 Sleep,NtTerminateProcess, 3_2_00401956
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00402026 LocalAlloc,NtQuerySystemInformation, 3_2_00402026
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_004018C9 Sleep,NtTerminateProcess, 3_2_004018C9
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00401886 Sleep,NtTerminateProcess, 3_2_00401886
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_1_00402026 LocalAlloc,NtQuerySystemInformation, 3_1_00402026
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 13_2_04B20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 13_2_04B20110
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00401927 Sleep,NtTerminateProcess, 14_2_00401927
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00401942 Sleep,NtTerminateProcess, 14_2_00401942
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00401949 Sleep,NtTerminateProcess, 14_2_00401949
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00401956 Sleep,NtTerminateProcess, 14_2_00401956
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00402026 LocalAlloc,NtQuerySystemInformation, 14_2_00402026
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_004018C9 Sleep,NtTerminateProcess, 14_2_004018C9
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00401886 Sleep,NtTerminateProcess, 14_2_00401886
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 28_2_00402026 LocalAlloc,NtQuerySystemInformation, 28_2_00402026
PE file contains strange resources
Source: IfakQb9U15.exe Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IfakQb9U15.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jjevwiw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\jjevwiw D836A03E0B7EEABBC971DE7D3E6FCC11BF06E13E633D11118C7429B3ABB3C4ED
Source: IfakQb9U15.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jjevwiw.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IfakQb9U15.exe Virustotal: Detection: 38%
Source: IfakQb9U15.exe ReversingLabs: Detection: 75%
Source: IfakQb9U15.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IfakQb9U15.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IfakQb9U15.exe 'C:\Users\user\Desktop\IfakQb9U15.exe'
Source: C:\Users\user\Desktop\IfakQb9U15.exe Process created: C:\Users\user\Desktop\IfakQb9U15.exe 'C:\Users\user\Desktop\IfakQb9U15.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: unknown Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Users\user\Desktop\IfakQb9U15.exe Process created: C:\Users\user\Desktop\IfakQb9U15.exe 'C:\Users\user\Desktop\IfakQb9U15.exe'
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jjevwiw
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/2@3/0
Source: IfakQb9U15.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: Window Recorder Window detected: More than 3 window changes detected
Source: IfakQb9U15.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\gawi_lemi-morur\16\suweg\xoyabel\les pugoy-74_lafi\t.pdb source: IfakQb9U15.exe
Source: Binary string: HC:\gawi_lemi-morur\16\suweg\xoyabel\les pugoy-74_lafi\t.pdb source: IfakQb9U15.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 1_2_03022E12 push eax; retf 1_2_03022E22
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_00402EED push eax; ret 3_2_00402FC7
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_1_00402EED push eax; ret 3_1_00402FC7
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 13_2_04B12E12 push eax; retf 13_2_04B12E22
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 14_2_00402EED push eax; ret 14_2_00402FC7
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 28_2_00402EED push eax; ret 28_2_00402FC7
PE file contains sections with non-standard names
Source: IfakQb9U15.exe Static PE information: section name: .befifup
Source: jjevwiw.5.dr Static PE information: section name: .befifup
Source: initial sample Static PE information: section name: .text entropy: 7.47772772393

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jjevwiw
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\jjevwiw

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\ifakqb9u15.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\jjevwiw:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: IfakQb9U15.exe, 00000003.00000002.314378875.0000000001F90000.00000004.00000001.sdmp, jjevwiw, 0000000E.00000002.376786636.0000000000657000.00000004.00000020.sdmp, jjevwiw, 0000001C.00000002.507811575.0000000001FB0000.00000004.00000001.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\IfakQb9U15.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 6 times)
Source: C:\Users\user\AppData\Roaming\jjevwiw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 12 times)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6024 Thread sleep count: 563 > 30
Source: C:\Windows\explorer.exe TID: 3000 Thread sleep count: 378 > 30
Source: C:\Windows\explorer.exe TID: 3000 Thread sleep time: -37800s >= -30000s
Source: C:\Windows\explorer.exe TID: 328 Thread sleep count: 456 > 30
Source: C:\Windows\explorer.exe TID: 328 Thread sleep time: -45600s >= -30000s
Source: C:\Windows\explorer.exe TID: 6760 Thread sleep count: 390 > 30
Source: C:\Windows\explorer.exe TID: 6768 Thread sleep count: 251 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\jjevwiw Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 563
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 378
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 456
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 390
Source: C:\Users\user\Desktop\IfakQb9U15.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IfakQb9U15.exe System information queried: ModuleInformation
Source: explorer.exe, 00000005.00000000.302263602.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.283570446.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.297854831.000000000374F000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.303969599.000000000DC40000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000005.00000000.282249776.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.303969599.000000000DC40000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};`
Source: explorer.exe, 00000005.00000000.302357156.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.298561446.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.302357156.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000005.00000000.303969599.000000000DC40000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\IfakQb9U15.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jjevwiw System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jjevwiw System information queried: CodeIntegrityInformation
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 1_2_03020083 push dword ptr fs:[00000030h] 1_2_03020083
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 13_2_04B10083 push dword ptr fs:[00000030h] 13_2_04B10083
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 13_2_04B20042 push dword ptr fs:[00000030h] 13_2_04B20042
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\IfakQb9U15.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\jjevwiw Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\jjevwiw Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 3_2_004026CF EntryPoint,CreateFileW,MapViewOfFile,LdrLoadDll, 3_2_004026CF

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: jjevwiw.5.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: gejajoo7.top
Source: C:\Windows\explorer.exe Domain query: sysaheu9.top
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\IfakQb9U15.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\IfakQb9U15.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\jjevwiw Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\jjevwiw Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\jjevwiw Memory written: C:\Users\user\AppData\Roaming\jjevwiw base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\jjevwiw Code function: 13_2_04B20110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 13_2_04B20110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\IfakQb9U15.exe Thread created: C:\Windows\explorer.exe EIP: 30C1920
Source: C:\Users\user\AppData\Roaming\jjevwiw Thread created: unknown EIP: 3A71920
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IfakQb9U15.exe Process created: C:\Users\user\Desktop\IfakQb9U15.exe 'C:\Users\user\Desktop\IfakQb9U15.exe'
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: C:\Users\user\AppData\Roaming\jjevwiw Process created: C:\Users\user\AppData\Roaming\jjevwiw C:\Users\user\AppData\Roaming\jjevwiw
Source: explorer.exe, 00000005.00000000.276042708.00000000089FF000.00000004.00000001.sdmp, jjevwiw, 0000001C.00000002.507596888.0000000000BA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.296505241.0000000001640000.00000002.00020000.sdmp, jjevwiw, 0000001C.00000002.507596888.0000000000BA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.296505241.0000000001640000.00000002.00020000.sdmp, jjevwiw, 0000001C.00000002.507596888.0000000000BA0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.265816430.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000000.296505241.0000000001640000.00000002.00020000.sdmp, jjevwiw, 0000001C.00000002.507596888.0000000000BA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.296505241.0000000001640000.00000002.00020000.sdmp, jjevwiw, 0000001C.00000002.507596888.0000000000BA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\IfakQb9U15.exe Code function: 1_2_00405E0E GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00405E0E

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match, same 12 UNPACKEDPE and 5 MEMORY sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match, same 12 UNPACKEDPE and 5 MEMORY sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing"
No contacted IP infos