Windows Analysis Report 1JXnBACf4L.exe

Overview

General Information

Sample Name: 1JXnBACf4L.exe
Analysis ID: 528757
MD5: 55639d8c8ae9090875ac0a663f0a8f57
SHA1: 43474904bc2ae4f7dc2a3a6de33fb70bf11fb906
SHA256: d975e34edbe0b4371e2ea6f82bf56289486b4f5d43a6fb069def7360b813ab19
Tags: exe

Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains section with special chars
Uses 32bit PE files
PE file contains more sections than normal
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file overlay found
Entry point lies outside standard sections
PE file contains sections with non-standard names

Classification

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1JXnBACf4L.exe | Virustotal: Detection: 26%
Machine Learning detection for sample
Source: 1JXnBACf4L.exe | Joe Sandbox ML: detected
Source: 1JXnBACf4L.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1JXnBACf4L.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

System Summary:

PE file contains section with special chars
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1JXnBACf4L.exe | Static PE information: Number of sections : 11 > 10
Source: 1JXnBACf4L.exe | Binary or memory string: OriginalFilenameWinDescS2 vs 1JXnBACf4L.exe
Source: 1JXnBACf4L.exe | Static PE information: Data appended to the last section found
Source: 1JXnBACf4L.exe | Static PE information: Section: ZLIB complexity 1.00063511266
Source: 1JXnBACf4L.exe | Static PE information: Section: ZLIB complexity 1.00176310306
Source: 1JXnBACf4L.exe | Static PE information: Section: ZLIB complexity 1.0365448505
Source: 1JXnBACf4L.exe | Static PE information: Section: ZLIB complexity 1.0176
Source: 1JXnBACf4L.exe | Static PE information: Section: ZLIB complexity 1.00317094263
Source: 1JXnBACf4L.exe | Virustotal: Detection: 26%
Source: classification engine | Classification label: mal56.winEXE@0/0@0/0
Source: 1JXnBACf4L.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x293e00
Source: 1JXnBACf4L.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 1JXnBACf4L.exe | Static PE information: real checksum: 0x2a7f0c should be: 0x53ac2
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name:
Source: 1JXnBACf4L.exe | Static PE information: section name: .imports
Source: 1JXnBACf4L.exe | Static PE information: section name: .winlice
Source: 1JXnBACf4L.exe | Static PE information: section name: .boot
Source: initial sample | Static PE information: section name:  entropy: 7.97271005667

Mitre Att&ck Matrix

Tactic | Technique | Technique
Initial Access | Valid Accounts | Default Accounts
Execution | Windows Management Instrumentation | Scheduled Task/Job
Persistence | Path Interception | Boot or Logon Initialization Scripts
Privilege Escalation | Path Interception | Boot or Logon Initialization Scripts
Defense Evasion | Software Packing (2) | Obfuscated Files or Information (1)
Credential Access | OS Credential Dumping | LSASS Memory
Discovery | System Service Discovery | Application Window Discovery
Lateral Movement | Remote Services | Remote Desktop Protocol
Collection | Data from Local System | Data from Removable Media
Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth
Command and Control | Data Obfuscation | Junk Data
Network Effects | Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects | Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization
Impact | Modify System Partition | Device Lockout

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
1JXnBACf4L.exe | 26% | Virustotal |
1JXnBACf4L.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528757
Start date: 25.11.2021
Start time: 18:37:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1JXnBACf4L.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.937653870615833
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1JXnBACf4L.exe
File size: 332271
MD5: 55639d8c8ae9090875ac0a663f0a8f57
SHA1: 43474904bc2ae4f7dc2a3a6de33fb70bf11fb906
SHA256: d975e34edbe0b4371e2ea6f82bf56289486b4f5d43a6fb069def7360b813ab19
SHA512: 760a002c88a501f20bd4751770ac642bbc89c58d5ee350d02e1663c94a179f923da40b019c926a9326f2366fd0d341de39a1a817cc866a8ac9aff2e2a09120eb
SSDEEP: 6144:IADrRaW+IlIUM2VmrI09qJdkfwsgF9f4fetvB87mRMc0P48LyYxH:DvRL+0MjrI0EVF9YcB8UM3FFH
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R.ZQ3e.Q3e.Q3e.XK..A3e..[a.]3e..[f.T3e..[`.M3e..[d.U3e.EXd.@3e.Q3d..3e..Zl.]3e..Z..P3e.Q3..P3e..Zg.P3e.RichQ3e.........PE..L..

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x7d4108
Entrypoint Section: .boot
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6196E78F [Thu Nov 18 23:53:51 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 62887e1cbeeea4bcc9666b312e1861a8

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b2d7 | 0x210 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1d000 | 0x4e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x668000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1c018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unprintable) | 0x1000 | 0x10a87 | 0x8129 | False | 1.00063511266 | data | 7.97271005667 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(unprintable) | 0x12000 | 0x5ac8 | 0x185f | False | 1.00176310306 | data | 7.92650297366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unprintable) | 0x18000 | 0x960 | 0x12d | False | 1.0365448505 | data | 7.12254688974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(unprintable) | 0x19000 | 0x4e8 | 0x271 | False | 1.0176 | data | 7.6271406474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unprintable) | 0x1a000 | 0xe84 | 0xd8d | False | 1.00317094263 | data | 7.86809864864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x1b000 | 0x1000 | 0x600 | False | 0.3671875 | data | 3.89574962759 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x1c000 | 0x1000 | 0x200 | False | 0.056640625 | data | 0.181201876782 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1d000 | 0x1000 | 0x600 | False | 0.40625 | data | 3.71175649169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.winlice | 0x1e000 | 0x3b6000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.boot | 0x3d4000 | 0x293e00 | 0x293e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x668000 | 0x1000 | 0x10 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ

The first five section names are rendered empty in the report (the "section with special chars" signature above refers to them); "(unprintable)" marks those rows.

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1d090 | 0x2c8 | data | Russian | Russia
RT_MANIFEST | 0x1d368 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfW
ADVAPI32.dll | RegCloseKey
SHELL32.dll | ShellExecuteA
MSVCP140.dll | ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
WININET.dll | InternetConnectA
dxgi.dll | CreateDXGIFactory1
d3d9.dll | Direct3DCreate9
urlmon.dll | URLDownloadToFileA
VCRUNTIME140.dll | memset
api-ms-win-crt-runtime-l1-1-0.dll | _get_narrow_winmain_command_line
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll | _callnewh
api-ms-win-crt-string-l1-1-0.dll | _wcsicmp
api-ms-win-crt-utility-l1-1-0.dll | rand
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2021
InternalName | TODO: < >
FileVersion | 1.0.0.1
CompanyName | WinHelpers
ProductName | WinDescS
ProductVersion | 1.0.0.1
FileDescription | FileWinHelper
OriginalFilename | WinDescS
Translation | 0x0419 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
Russian | Russia
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly