
Windows Analysis Report
empudh9lY5

Overview

General Information

Sample Name: empudh9lY5 (renamed file extension from none to exe)
Analysis ID: 715067
MD5: 8f43b86f351db105a727e67e39459d78
SHA1: ad9b43ecbae064ddca1908c40999974bc28466ba
SHA256: 9830e0d007c07364bf97b2a3e0496b7a7f5811e7e71fcdd9dada104d29d1982c

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses 32bit PE files
Yara signature match
Found large amount of non-executed APIs
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions

Classification

  • System is w10x64
  • empudh9lY5.exe (PID: 2560 cmdline: C:\Users\user\Desktop\empudh9lY5.exe MD5: 8F43B86F351DB105A727E67E39459D78)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp
Rule: CoreImpact_sysdll_exe
Description: Detects a malware sysdll.exe from the Rocket Kitten APT
Author: Florian Roth
Strings:
  • 0x1e799:$x6: /info.dat
  • 0x1e6bf:$z2: Encountered error sending error message to client
  • 0x1e68b:$z3: Encountered error building error message to client
  • 0x1e4b3:$z4: Attempting to unlock uninitialized lock!
  • 0x1e273:$z5: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname
  • 0x1e343:$z6: select_event_get(): fd not found
  • 0x1e6f3:$z7: Encountered error sending syscall response to client
  • 0x20d8b:$z8: GetProcAddress() error
  • 0x1e498:$z9: Error entering thread lock
  • 0x1e4dc:$z10: Error exiting thread lock
  • 0x1e2bf:$z11: connect_back_tcp_channel_init:: socket() failed
  • 0x1e73e:$z12: event_add() failed for ev.
  • 0x1e728:$z13: Uh, oh, exit() failed
  • 0x1e73e:$z14: event_add() failed for ev.
  • 0x1e759:$z15: event_add() failed.
  • 0x1e77e:$z16: needroot
  • 0x1e78e:$z17: ./plugins/
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp
Rule: WoolenGoldfish_Generic_3
Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Author: Florian Roth
Strings:
  • 0x1e273:$x3: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname
  • 0x48fb:$s0: kernel32.dll GetProcAddressLoadLibraryAws2_32.dll
  • 0x1e4b3:$s2: Attempting to unlock uninitialized lock!
  • 0x20910:$s4: unable to load kernel32.dll
  • 0x1e6f3:$s7: Encountered error sending syscall response to client
  • 0x1e799:$s9: /info.dat
  • 0x1e498:$s10: Error entering thread lock
  • 0x1e4dc:$s11: Error exiting thread lock
  • 0x1e2bf:$s12: connect_back_tcp_channel_init:: socket() failed
Source: Process Memory Space: empudh9lY5.exe PID: 2560
Rule: CoreImpact_sysdll_exe
Description: Detects a malware sysdll.exe from the Rocket Kitten APT
Author: Florian Roth
Strings:
  • 0x8395:$x6: /info.dat
  • 0x87ba:$x6: /info.dat
  • 0x82ce:$z2: Encountered error sending error message to client
  • 0x829b:$z3: Encountered error building error message to client
  • 0x80e7:$z4: Attempting to unlock uninitialized lock!
  • 0x7eb9:$z5: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname
  • 0x7f85:$z6: select_event_get(): fd not found
  • 0x8300:$z7: Encountered error sending syscall response to client
  • 0x8ed9:$z8: GetProcAddress() error
  • 0x80cc:$z9: Error entering thread lock
  • 0x8110:$z10: Error exiting thread lock
  • 0x7f05:$z11: connect_back_tcp_channel_init:: socket() failed
  • 0x834b:$z12: event_add() failed for ev.
  • 0x8335:$z13: Uh, oh, exit() failed
  • 0x834b:$z14: event_add() failed for ev.
  • 0x8366:$z15: event_add() failed.
  • 0x837a:$z16: needroot
  • 0x838a:$z17: ./plugins/
Source: Process Memory Space: empudh9lY5.exe PID: 2560
Rule: WoolenGoldfish_Generic_3
Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ
Author: Florian Roth
Strings:
  • 0x7eb9:$x3: connect_back_tcp_channel#do_connect:: Error resolving connect back hostname
  • 0x7c4c:$s0: kernel32.dll GetProcAddressLoadLibraryAws2_32.dll
  • 0x80e7:$s2: Attempting to unlock uninitialized lock!
  • 0x8a82:$s4: unable to load kernel32.dll
  • 0x8300:$s7: Encountered error sending syscall response to client
  • 0x8395:$s9: /info.dat
  • 0x87ba:$s9: /info.dat
  • 0x80cc:$s10: Error entering thread lock
  • 0x8110:$s11: Error exiting thread lock
  • 0x7f05:$s12: connect_back_tcp_channel_init:: socket() failed
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: empudh9lY5.exe | ReversingLabs: Detection: 21%
Source: empudh9lY5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 189.30.155.39:8080
Source: unknown | DNS traffic detected: queries for: sherlock.servegame.com

System Summary

Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT Author: Florian Roth
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR | Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT Author: Florian Roth
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR | Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ Author: Florian Roth
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CoreImpact_sysdll_exe author = Florian Roth, description = Detects a malware sysdll.exe from the Rocket Kitten APT, score = 27.12.2014, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = f89a4d4ae5cca6d69a5256c96111e707
Source: 00000000.00000002.516789881.0000000000570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: WoolenGoldfish_Generic_3 date = 2015/03/25, hash2 = e8dbcde49c7f760165ebb0cb3452e4f1c24981f5, author = Florian Roth, description = Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, score = 86222ef166474e53f1eb6d7e6701713834e6fee7, reference = http://goo.gl/NpJpVZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR | Matched rule: CoreImpact_sysdll_exe author = Florian Roth, description = Detects a malware sysdll.exe from the Rocket Kitten APT, score = 27.12.2014, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = f89a4d4ae5cca6d69a5256c96111e707
Source: Process Memory Space: empudh9lY5.exe PID: 2560, type: MEMORYSTR | Matched rule: WoolenGoldfish_Generic_3 date = 2015/03/25, hash2 = e8dbcde49c7f760165ebb0cb3452e4f1c24981f5, author = Florian Roth, description = Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, score = 86222ef166474e53f1eb6d7e6701713834e6fee7, reference = http://goo.gl/NpJpVZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: empudh9lY5.exe | Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\empudh9lY5.exe | Code function: String function: 0057497C appears 190 times
Source: empudh9lY5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\empudh9lY5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\empudh9lY5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: empudh9lY5.exe | Static file information: File size 1283072 > 1048576
Source: C:\Users\user\Desktop\empudh9lY5.exe | Code function: 0_2_005719B5 pushfd ; ret 0_2_005719B6
Source: C:\Users\user\Desktop\empudh9lY5.exe | Code function: 0_2_00571219 push 090000B4h; iretd 0_2_0057121E
Source: initial sample | Static PE information: section name: .text entropy: 6.9280540298858515