
Analysis Report Google_Adobe_FlashPlayer.exe

Overview

General Information

Joe Sandbox Version:24.0.0 Fire Opal
Analysis ID:96288
Start date:06.12.2018
Start time:22:55:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 12s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Google_Adobe_FlashPlayer.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: Google_Adobe_FlashPlayer.exe

Detection

Strategy: Threshold
Score: 60 (range 0 - 100)
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further analysis required: false


Classification

Mitre Att&ck Matrix

Techniques followed by a number had that many matching signatures for this sample; the remaining entries are the matrix's default placeholders with no match.

  • Initial Access: Valid Accounts; Replication Through Removable Media
  • Execution: Windows Remote Management; Service Execution
  • Persistence: Winlogon Helper DLL; Port Monitors
  • Privilege Escalation: Port Monitors; Accessibility Features
  • Defense Evasion: Software Packing (1); Disabling Security Tools (1)
  • Credential Access: Credential Dumping; Network Sniffing
  • Discovery: System Service Discovery; Application Window Discovery
  • Lateral Movement: Application Deployment Software; Remote Services
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation; Fallback Channels

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: Google_Adobe_FlashPlayer.exe | Avira: Label: TR/Rogue.KD.829256
Multi AV Scanner detection for submitted file
Source: Google_Adobe_FlashPlayer.exe | virustotal: Detection: 76%
Source: Google_Adobe_FlashPlayer.exe | metadefender: Detection: 77%
Antivirus detection for unpacked file
Source: 0.0.Google_Adobe_FlashPlayer.exe.dd0000.0.unpack | Avira: Label: TR/Rogue.KD.829256

System Summary:

Abnormally high CPU usage
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | Process stats: CPU usage > 98%
Sample file name differs from the OriginalFilename in its version info
Source: Google_Adobe_FlashPlayer.exe, 00000000.00000002.3952593501.0000000000DD2000.00000002.sdmp | Binary or memory string: OriginalFilename FPX_13jan.exe4 vs Google_Adobe_FlashPlayer.exe
Source: Google_Adobe_FlashPlayer.exe | Binary or memory string: OriginalFilename FPX_13jan.exe4 vs Google_Adobe_FlashPlayer.exe
Classification label
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
PE file has an executable .text section and no other executable section
Source: Google_Adobe_FlashPlayer.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably written in C#)
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\93d3642eb09dd0758766983414b96cbb\mscorlib.ni.dll
Reads software policies (a Software Restriction Policy key that the .NET runtime itself queries, so on its own this is expected for a managed binary)
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by antivirus
Source: Google_Adobe_FlashPlayer.exe | virustotal: Detection: 76%
Source: Google_Adobe_FlashPlayer.exe | metadefender: Detection: 77%
PE file contains a COM descriptor data directory (the CLR header, which identifies a managed image)
Source: Google_Adobe_FlashPlayer.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses newer MSVCR DLLs (consistent with the .NET 2.0 runtime loaded above)
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Google_Adobe_FlashPlayer.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
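The static signatures above (OriginalFilename mismatch, COM descriptor directory, a single executable .text section, DYNAMIC_BASE/NX_COMPAT flags) can be reproduced outside the sandbox. The script below is an added example and is not part of the Joe Sandbox report or its engine: it parses the PE headers with Python's standard library, adds a writable-and-executable section check that the report does not list, and runs against a constructed PE32 header image (the Google_Adobe_FlashPlayer.exe sample itself is not included). The version-string lookup is a byte-pattern heuristic rather than a full VS_VERSIONINFO parser, and the FPX_13jan.exe value in the fixture is assumed for illustration.

```python
"""Static PE triage reproducing several of the report's System Summary signatures (stdlib only).
The sample image is constructed for this example; it is not the analysed binary."""
import os
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000      # IMAGE_SECTION_HEADER.Characteristics bits
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header, present only in managed images

def parse_pe(data):
    """Return DllCharacteristics, the data directory array and (name, flags) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at +70 for PE32 and PE32+; the directories start at +96 / +112.
    dir_offset = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_offset is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dir_offset - 4)[0]
    dirs = [struct.unpack_from("<II", data, opt + dir_offset + 8 * i) for i in range(min(num_dirs, 16))]
    sections, table = [], opt + size_of_optional
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, hdr + 36)[0]))
    return {"dll_characteristics": dll_chars, "directories": dirs, "sections": sections}

def version_string(data, key):
    """Heuristic VS_VERSIONINFO lookup: UTF-16LE key, its terminator and padding, then the value."""
    needle = key.encode("utf-16-le") + b"\0\0"
    pos = data.find(needle)
    if pos < 0:
        return None
    pos += len(needle)
    while pos < len(data) and data[pos] == 0:   # skip 32-bit alignment padding
        pos += 1
    end = data.find(b"\0\0", pos)
    while end >= 0 and (end - pos) % 2:         # terminator must fall on a UTF-16 code unit boundary
        end = data.find(b"\0\0", end + 1)
    return data[pos:end].decode("utf-16-le", "replace") if end >= 0 else None

def triage(data, sample_name):
    """Findings phrased like the sandbox's static signatures."""
    pe, findings = parse_pe(data), []
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    findings.append("modern PE flags: " + (", ".join(flags) or "none (no ASLR/NX)"))
    com = pe["directories"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR + 1]
    if com and com[0][0]:
        findings.append("COM descriptor present: managed (.NET) image")
    executable = [n for n, c in pe["sections"] if c & IMAGE_SCN_MEM_EXECUTE]
    if executable:
        findings.append("single executable section .text" if executable == [".text"]
                        else "executable sections: " + ", ".join(executable))
    wx = [n for n, c in pe["sections"] if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]
    if wx:
        findings.append("writable+executable sections (packer hint): " + ", ".join(wx))
    original = version_string(data, "OriginalFilename")
    if original and original.lower() != sample_name.lower():
        findings.append("OriginalFilename %r differs from sample name %r" % (original, sample_name))
    return findings

def build_sample_image():
    """Constructed PE32 headers plus a fake version string, shaped like the report's findings."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, 0x8540)   # NO_SEH|TERMINAL_SERVER_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header

    def section(name, rva, flags):
        return name.ljust(8, "\0").encode() + struct.pack("<IIIIIIHHI", 0x1000, rva, 0x200, rva, 0, 0, 0, 0, flags)

    text = section(".text", 0x2000, 0x60000020)   # CODE | EXECUTE | READ
    rsrc = section(".rsrc", 0x4000, 0x40000040)   # INITIALIZED_DATA | READ
    # assumed version-info fragment: key, terminator, padding, value (not the real sample's resource)
    version = "OriginalFilename".encode("utf-16-le") + b"\0\0\0\0" + "FPX_13jan.exe".encode("utf-16-le") + b"\0\0"
    return b"".join([dos, b"PE\0\0", coff, bytes(opt), text, rsrc, version])

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None   # run on a real file, or on the constructed image
    image = open(path, "rb").read() if path else build_sample_image()
    for finding in triage(image, os.path.basename(path) if path else "Google_Adobe_FlashPlayer.exe"):
        print(" -", finding)
```

Run it as `python pe_triage.py <file>` against a real binary, or with no argument to exercise the constructed image. In production the same fields are available through pefile (`OPTIONAL_HEADER.DllCharacteristics`, `OPTIONAL_HEADER.DATA_DIRECTORY[14]`, the section table) with proper resource parsing; the hand-decoded offsets here show exactly which header bytes each signature in the report is looking at.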

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode); SEM_NOOPENFILEERRORBOX is a low-signal indicator on its own, since many legitimate installers set it
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\Google_Adobe_FlashPlayer.exe | Memory allocated: page read and write | page guard

Behavior Graph

Behavior Graph ID: 96288
Sample: Google_Adobe_FlashPlayer.exe
Start date: 06/12/2018
Architecture: WINDOWS
Score: 60
Graph nodes: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; Antivirus detection for unpacked file; process Google_Adobe_FlashPlayer.exe started

Simulations

Behavior and APIs

Time      Type             Description
22:56:22  API Interceptor  6x Sleep call for process Google_Adobe_FlashPlayer.exe modified

Antivirus Detection

Initial Sample

Source                        Detection  Scanner       Label
Google_Adobe_FlashPlayer.exe  76%        virustotal
Google_Adobe_FlashPlayer.exe  80%        metadefender
Google_Adobe_FlashPlayer.exe  100%       Avira         TR/Rogue.KD.829256

Dropped Files

No Antivirus matches

Unpacked PE Files

Source                                            Detection  Scanner  Label
0.2.Google_Adobe_FlashPlayer.exe.dd0000.0.unpack  100%       Avira    HEUR/AGEN.1035106
0.1.Google_Adobe_FlashPlayer.exe.dd0000.0.unpack  100%       Avira    HEUR/AGEN.1035106
0.0.Google_Adobe_FlashPlayer.exe.dd0000.0.unpack  100%       Avira    TR/Rogue.KD.829256

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context
