
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 67742
Start time: 11:30:52
Joe Sandbox Product: CloudBasic
Start date: 12.07.2018
Overall analysis duration: 0h 1m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ss.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.winEXE@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 5
  • Number of non-executed functions: 14
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 79.3%)
  • Quality average: 60%
  • Quality standard deviation: 39.7%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe

Detection

Strategy    Score  Range    Reporting        Detection
Threshold   64     0 - 100  Report FP / FN   malicious

Confidence

Strategy    Score  Range  Further Analysis Required?  Confidence
Threshold   5      0 - 5  false


Classification

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: ss.exe  Avira: Label: HEUR/AGEN.1011596
Multi AV Scanner detection for submitted file
Source: ss.exe  virustotal: Detection: 54%
Source: ss.exe  metadefender: Detection: 70%
Antivirus detection for unpacked file
Source: 1.2.ss.exe.400000.0.unpack  Avira: Label: HEUR/AGEN.1011596
Source: 1.1.ss.exe.400000.0.unpack  Avira: Label: HEUR/AGEN.1011596
Source: 1.0.ss.exe.400000.0.unpack  Avira: Label: HEUR/AGEN.1011596

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_2_00402221 EnterCriticalSection,send,select,__WSAFDIsSet,recv,  1_2_00402221

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_2_00402E05 _chkstk,socket,htons,bind,closesocket,WSAIoctl,memset,recv,  1_2_00402E05

System Summary:

PE file has a writeable .text section
Source: ss.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Detected potential crypto function
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_2_004030D6  1_2_004030D6
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_1_004030D6  1_1_004030D6
PE file contains only one section
Source: ss.exe  Static PE information: Section .text
Classification label
Source: classification engine  Classification label: mal64.winEXE@1/0@0/0
Found command line output
Source: C:\Users\user\Desktop\ss.exe  Console Write: ............?[Pw....TCP Port Scanner V1.2 By WinEggDrop..(..H%...G!..F!..K!.@J!..I!.HH!.W...F..C.3.wd...%.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ........<.......................?[Pw....TCP Port Scanner V1.2 By WinEggDrop..(..H%...G!..F!..K!..3.w....u.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ........................................?[Pw....TCP Port Scanner V1.2 By WinEggDrop..(..H%...G!..3.w....T.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................Example: C:\Users\user\Desktop\ss.exe TCP 12.12.12.12/24 80 512....3.w@...J.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ............................Example: C:\Users\user\Desktop\ss.exe TCP 12.12.12.12/24 8.3.w....T.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................................Example: C:\Users\user\Desktop\ss.exe TCP 12.12.12.3.w....].........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ............................................Example: C:\Users\user\Desktop\ss.exe TCP R3.w....\.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................Example: C:\Users\user\Desktop\ss.exe TCP 12.12.12.12 1-65535 512.Z3.w ...L.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ............................Example: C:\Users\user\Desktop\ss.exe TCP 12.12.12.12 1-65B3.w....^.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ........ktop\ss.....TCP 12.12.12.12 1-65B3.w....^.....'.................d.@.d.@...%..............3.w....Q.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................Example: C:\Users\user\Desktop\ss.exe SYN 12.12.12.12 12.12.12.254 80.H...P.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................Example: C:\Users\user\Desktop\ss.exe SYN 12.12.12.12 1-65535.12.1.3.w@...H.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ............................Example: C:\Users\user\Desktop\ss.exe SYN 12.12.12.12 1-65.3.w....X.........@.....
Source: C:\Users\user\Desktop\ss.exe  Console Write: ....................Example: C:\Users\user\Desktop\ss.exe SYN 12.12.12.12 21,80,3389.2.3.w0...K.........@.....
PE file has an executable .text section and no other executable section
Source: ss.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\ss.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: ss.exe  virustotal: Detection: 54%
Source: ss.exe  metadefender: Detection: 70%

Malware Analysis System Evasion:

Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\ss.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_1-939
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\ss.exe  API coverage: 4.2 %

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_2_004021CA GetLocalTime,wsprintfA,  1_2_004021CA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\ss.exe  Code function: 1_2_00402110 GetVersionExA,  1_2_00402110

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph image not reproduced. Behavior Graph ID: 67742; Sample: ss.exe; Start date: 12/07/2018; Architecture: WINDOWS; Score: 64. Graph nodes: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; PE file has a writeable .text section; Antivirus detection for unpacked file; process ss.exe started.]

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source  Detection  Scanner       Label
ss.exe  55%        virustotal
ss.exe  71%        metadefender
ss.exe  100%       Avira         HEUR/AGEN.1011596

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                       Detection  Scanner  Label
1.2.ss.exe.400000.0.unpack   100%       Avira    HEUR/AGEN.1011596
1.1.ss.exe.400000.0.unpack   100%       Avira    HEUR/AGEN.1011596
1.0.ss.exe.400000.0.unpack   100%       Avira    HEUR/AGEN.1011596

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots