Windows
Analysis Report
Mcafe.exe
Overview
General Information
Detection
Score: | 3 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64
- Mcafe.exe (PID: 6080, cmdline: C:\Users\user\Desktop\Mcafe.exe, MD5: 76166C4AD30E3DA0060F41FE59E465F1)
- cleanup
Evidence referenced by the signatures, grouped by source:

Source | Evidence |
---|---|
Static PE information | 17 entries |
Binary string | 2 entries |
Section loaded | 1 entry |
Key opened | 1 entry |
Classification label | 1 entry |
Thread injection, dropped files, key value created, disk infection and DNS query | 2 entries |
Code function | 0_2_00007FF6C31349B8 (3 entries) |
Code function | 0_2_00007FF6C313444C (2 entries) |
Code function | 0_2_00007FF6C3133738 |
Code function | 0_2_00007FF6C31385EC |
Code function | 0_2_00007FF6C313A608 |
Code function | 0_2_00007FF6C31370F0 |
Code function | 0_2_00007FF6C313ABA4 |
Code function | 0_2_00007FF6C31315EC |
Code function | 0_2_00007FF6C31317D0 |
Code function | 0_2_00007FF6C313A450 |
Code function | 0_2_00007FF6C31314C4 |
MITRE ATT&CK techniques with at least one matching signature (the number is the count of signatures mapped to the technique):

Tactic | Technique | Signatures |
---|---|---|
Persistence | DLL Side-Loading | 1 |
Privilege Escalation | DLL Side-Loading | 1 |
Defense Evasion | DLL Side-Loading | 1 |
Discovery | System Time Discovery | 1 |
Discovery | Security Software Discovery | 2 |
Discovery | File and Directory Discovery | 1 |
Discovery | System Information Discovery | 12 |
Collection | Archive Collected Data | 1 |
Command and Control | Encrypted Channel | 1 |
Detection | Scanner |
---|---|
0% | VirusTotal |
Joe Sandbox Version: | 37.1.0 Beryl |
Analysis ID: | 877004 |
Start date and time: | 2023-05-28 11:09:22 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | Mcafe.exe |
Detection: | CLEAN |
Classification: | clean3.winEXE@1/0@0/0 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
- Execution Graph export aborted for target Mcafe.exe, PID 6080 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
File type: | |
Entropy (8bit): | 2.972849273689623 |
TrID: |
|
File name: | Mcafe.exe |
File size: | 653824 |
MD5: | 76166c4ad30e3da0060f41fe59e465f1 |
SHA1: | 31d887a689a2a6fab9723589bd02d5c15ec09924 |
SHA256: | 908d00c0d3a8fe68b7cb0da154143ac81e357b1ca043ff25ac3581d2186defcb |
SHA512: | e0ed4e2af54add6d449d9b4ac0ac291ed9195a96d55a44c956fd7d32f7144ef432d9da14a5d6ff00fb3e94e79df8a7278338f3c475936b62a5da3848ab538f47 |
SSDEEP: | 3072:FgXpJozm2lkCsuYDbM2ZZQ4MGGfviMQYTQbrEQ:IpC62lkCMcGGHikTk |
TLSH: | 34D4D84DA49010ADE054CA30C4239E6C722EFF617DA4AA1AD86C3F651B721E74BFF536 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.w:cq.icq.icq.i8..hiq.i8..hfq.i8..h.q.i8..haq.ih..hFq.ih..hsq.ih..hkq.i...h`q.icq.i6q.i...haq.i...hbq.i...ibq.i...hbq.iRichcq. |
Icon Hash: | 60714d696171130e |
Entrypoint: | 0x140001260 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6045D2FF [Mon Mar 8 07:32:15 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 5f74a5c747508e2822fdb9b687deaf42 |
Entrypoint disassembly. The image is 64-bit (ImageBase 0x140000000, LARGE_ADDRESS_AWARE), so the 0x48/0x40 bytes that a 32-bit decoder shows as `dec eax`/`inc eax` are REX prefixes belonging to the following instruction, and `[disp32]` memory operands are RIP-relative. Decoded as x64, the code is the usual MSVC CRT startup stub: security-cookie initialization, then the CRT startup lock taken with a compare-and-swap on the thread's stack base.

Instruction (x64) | Note |
---|---|
sub rsp, 28h | |
call 00007FA5F89D7E50h | |
add rsp, 28h | |
jmp 00007FA5F89D7A6Fh | |
int3 | |
int3 | |
sub rsp, 28h | |
call 00007FA5F89D83D0h | |
test eax, eax | |
je 00007FA5F89D7C13h | |
mov rax, qword ptr [00000030h] | TEB self pointer (gs:[30h]) |
mov rcx, qword ptr [rax+08h] | NT_TIB.StackBase, used as the thread identity |
jmp 00007FA5F89D7BF7h | |
cmp rcx, rax | |
je 00007FA5F89D7C06h | lock already held by this thread |
xor eax, eax | |
cmpxchg qword ptr [rip+00014780h], rcx | compare-and-swap on the startup lock |
jne 00007FA5F89D7BE0h | |
xor al, al | |
add rsp, 28h | |
ret | |
mov al, 01h | |
jmp 00007FA5F89D7BE9h | |
int3 | |
int3 | |
int3 | |
push rbx | |
sub rsp, 20h | |
movzx eax, byte ptr [rip+0001476Bh] | |
test ecx, ecx | |
mov ebx, 00000001h | |
cmove eax, ebx | |
mov byte ptr [rip+0001475Bh], al | |
call 00007FA5F89D81D7h | |
call 00007FA5F89D85A2h | |
test al, al | |
jne 00007FA5F89D7BF6h | |
xor al, al | |
jmp 00007FA5F89D7C06h | |
call 00007FA5F89DA4F9h | |
test al, al | |
jne 00007FA5F89D7BFBh | |
xor ecx, ecx | |
call 00007FA5F89D85B2h | |
jmp 00007FA5F89D7BDCh | |
mov al, bl | |
add rsp, 20h | |
pop rbx | |
ret | |
int3 | |
int3 | |
int3 | |
push rbx | |
sub rsp, 20h | |
cmp byte ptr [rip+00014720h], 00000000h | |
mov ebx, ecx | |
jne 00007FA5F89D7C59h | |
cmp ecx, 01h | |
jnbe 00007FA5F89D7C5Ch | |
call 00007FA5F89D8336h | |
test eax, eax | |
je 00007FA5F89D7C1Ah | |
test ebx, ebx | |
jne 00007FA5F89D7C16h | |
lea rcx, qword ptr [rip+0001470Ah] | |
call 00007FA5F89D7C16h | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14490 | 0x88 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14518 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x8a0d0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x17000 | 0xc48 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0x634 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x135a0 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13600 | 0x130 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x220 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa120 | 0xa200 | False | 0.5997540509259259 | data | 6.395766713803173 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0x8c5e | 0x8e00 | False | 0.420196963028169 | data | 4.652196167949441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x15000 | 0x1cd8 | 0xc00 | False | 0.1220703125 | data | 1.6762355778220264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x17000 | 0xc48 | 0xe00 | False | 0.4263392857142857 | data | 4.352891457392214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x18000 | 0x94 | 0x200 | False | 0.20703125 | data | 1.0851159447005283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x19000 | 0x8a0d0 | 0x8a200 | False | 0.07012690893665158 | data | 2.133609499800161 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xa4000 | 0x634 | 0x800 | False | 0.46240234375 | data | 4.784673546563933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
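The static fields above (entrypoint and its section, ImageBase, the DLL Characteristics mitigation flags, the empty IMAGE_DIRECTORY_ENTRY_SECURITY behind "Digitally signed: false", and the per-section characteristics) are read straight from the PE headers. The following is an added example and not part of the Joe Sandbox report: a dependency-free PE32+ header parser that derives the same facts and adds two checks a triage analyst wants anyway (entrypoint inside an executable section, no writable-and-executable sections, and which standard mitigations such as GUARD_CF are absent). Its input is a constructed, header-only image built from the values in this report; it contains no bytes from the sample, and the fields the report does not list (linker version, SizeOfHeaders, PointerToRawData, stack and heap sizes) are placeholders.

```python
"""Added example: dependency-free PE32+ header triage (not part of the Joe Sandbox report)."""
import struct
import time

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table; empty means unsigned


def parse_pe64(data: bytes) -> dict:
    """Parse the DOS header, COFF header, PE32+ optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "data_dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range contains rva, or None if it lands in the headers or a gap."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(pe: dict) -> dict:
    """Derive the report's static facts from the parsed headers and add hardening checks."""
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    present = {name for bit, name in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit}
    dirs = pe["data_dirs"]
    sec_dir = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] if len(dirs) > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": ep["name"] if ep else None,
        # An entrypoint outside an executable section is a classic packer or tampering tell
        "entry_in_executable_section": bool(ep and ep["flags"] & IMAGE_SCN_MEM_EXECUTE),
        # Empty certificate table == no Authenticode signature ("Digitally signed: false")
        "digitally_signed": tuple(sec_dir) != (0, 0),
        "mitigations": sorted(present),
        "missing_mitigations": sorted({"DYNAMIC_BASE", "HIGH_ENTROPY_VA", "NX_COMPAT", "GUARD_CF"} - present),
        # A normal linker never emits a section that is both writable and executable
        "wx_sections": [s["name"] for s in pe["sections"]
                        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE],
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe["timestamp"])),
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ image (no bytes from the sample). Header fields, data
    directories and the section table use the values in this report; linker version,
    SizeOfHeaders, PointerToRawData and stack/heap sizes are placeholders."""
    sections = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics
        (b".text", 0x1000, 0xa120, 0xa200, 0x60000020), (b".rdata", 0xc000, 0x8c5e, 0x8e00, 0x40000040),
        (b".data", 0x15000, 0x1cd8, 0xc00, 0xc0000040), (b".pdata", 0x17000, 0xc48, 0xe00, 0x40000040),
        (b"_RDATA", 0x18000, 0x94, 0x200, 0x40000040), (b".rsrc", 0x19000, 0x8a0d0, 0x8a200, 0x40000040),
        (b".reloc", 0xa4000, 0x634, 0x800, 0x42000040),
    ]
    dirs = [(0x14490, 0x88), (0x14518, 0x3c), (0x19000, 0x8a0d0), (0x17000, 0xc48), (0, 0), (0xa4000, 0x634),
            (0x135a0, 0x54), (0, 0), (0, 0), (0, 0), (0x13600, 0x130), (0, 0), (0xc000, 0x220), (0, 0), (0, 0), (0, 0)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE signature right after the DOS header
    # AMD64, timestamp 0x6045D2FF, 240-byte optional header, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0x6045D2FF, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0, 0xa200, 0, 0, 0x1260, 0x1000, 0x140000000, 0x1000, 0x200,
                      6, 0, 6, 0, 6, 0, 0, 0xa5000, 0x400, 0, 2, 0x8160,  # subsystem GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    raw_ptr, hdrs = 0x400, b""
    for name, va, vsize, rawsize, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    for key, val in triage(parse_pe64(build_sample_pe())).items():
        print(f"{key:28} {hex(val) if isinstance(val, int) and not isinstance(val, bool) else val}")
```

Run against the constructed image, `triage` reproduces the report's entrypoint (0x140001260 in .text), unsigned status, compile timestamp (2021-03-08 07:32:15 UTC) and the four DllCharacteristics mitigations, and additionally reports that GUARD_CF is absent and that no section is writable and executable. To use it on a real file, replace `build_sample_pe()` with the file's bytes; the parser ignores everything after the section table, so it is safe to feed it a truncated header read.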
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x192b0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States |
RT_ICON | 0x5b2d8 | 0x25228 | Device independent bitmap graphic, 192 x 384 x 32, image size 0 | English | United States |
RT_ICON | 0x80500 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
RT_ICON | 0x90d28 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States |
RT_ICON | 0x9a1d0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States |
RT_ICON | 0x9e3f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
RT_ICON | 0xa09a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
RT_ICON | 0xa1a48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States |
RT_ICON | 0xa23d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
RT_GROUP_ICON | 0xa2838 | 0x84 | data | English | United States |
RT_VERSION | 0xa2f18 | 0x1b4 | data | English | United States |
RT_MANIFEST | 0xa28c0 | 0x655 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |
DLL | Import |
---|---|
UnityPlayer.dll | UnityMain |
KERNEL32.dll | WriteConsoleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, CloseHandle, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, GetCurrentProcess, ExitProcess, TerminateProcess, GetModuleHandleExW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW |
Name | Ordinal | Address |
---|---|---|
AmdPowerXpressRequestHighPerformance | 1 | 0x140015004 |
NvOptimusEnablement | 2 | 0x140015000 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 11:10:15 |
Start date: | 28/05/2023 |
Path: | C:\Users\user\Desktop\Mcafe.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6c3130000 |
File size: | 653824 bytes |
MD5 hash: | 76166C4AD30E3DA0060F41FE59E465F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Functions identified in the memory dump of Mcafe.exe, with the Joe Sandbox relevance score and decompilation (C-code) quality where given:

Function | Relevance | APIs | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|---|
00007FF6C31385EC | 7.8 | 5 | | 321 | file, COMMON, Crypto | 73% |
00007FF6C3133738 | 0.1 | | | 126 | COMMON, Crypto | 56% |
00007FF6C313A450 | 0.0 | | | 32 | COMMON | 86% |
00007FF6C31317D0 | 0.0 | | | 2 | COMMON | |
00007FF6C3132180 | 10.6 | 5 | 1 | 86 | library, loader, COMMON | 50% |
00007FF6C3139F4C | 10.5 | 5 | 1 | 48 | file, COMMON | |
00007FF6C3133454 | 8.8 | 3 | 2 | 24 | library, loader, COMMON | |
00007FF6C3138CDC | 5.4 | 2 | 1 | 100 | file, COMMON | 33% |
00007FF6C3136EB4 | 5.3 | 2 | 1 | 50 | COMMON | 20% |
00007FF6C3136E50 | 5.3 | 2 | 1 | 25 | COMMON | 27% |
00007FF6C3136DFC | 5.3 | 2 | 1 | 21 | COMMON | 27% |