Windows Analysis Report
message.com.exe

Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_00507730	0_2_00507730
Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_005011C9	0_2_005011C9
Source: C:\Windows\java.exe	Code function: 8_2_00507730	8_2_00507730
Source: C:\Windows\java.exe	Code function: 8_2_005011C9	8_2_005011C9

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C

Source: C:\Users\user\Desktop\message.com.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196

Source: message.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.spre.expl.evad.winEXE@8/10@0/6

Source: C:\Windows\java.exe	Mutant created: \Sessions\1\BaseNamedObjects\701188root701188root7701188root701188root77
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888

Source: C:\Users\user\Desktop\message.com.exe

File created: C:\Users\user\AppData\Local\Temp\zincite.log

Source: C:\Users\user\Desktop\message.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: message.com.exe	ReversingLabs: Detection: 97%
Source: message.com.exe	Virustotal: Detection: 91%

Source: C:\Users\user\Desktop\message.com.exe

File read: C:\Users\user\Desktop\message.com.exe

Source: unknown	Process created: C:\Users\user\Desktop\message.com.exe "C:\Users\user\Desktop\message.com.exe"
Source: C:\Users\user\Desktop\message.com.exe	Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\message.com.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196
Source: unknown	Process created: C:\Windows\java.exe "C:\Windows\java.exe"
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe"
Source: unknown	Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\message.com.exe	Process created: C:\Windows\services.exe "C:\Windows\services.exe"	Jump to behavior
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe"	Jump to behavior

Source: C:\Users\user\Desktop\message.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\java.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\services.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\message.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Drops PE files with benign system names

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,

0_2_00503620

Source: services.exe.0.dr	Static PE information: section name: UPX2
Source: services.exe.8.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_0050A42D push ds; ret	0_2_0050A42E
Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_0050DEA6 push ds; ret	0_2_0050DEBE
Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_0050A501 push ecx; retf	0_2_0050A53F
Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_0050A50F push ecx; retf	0_2_0050A53F
Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_00509BA2 push edx; retf	0_2_00509BAB
Source: C:\Windows\services.exe	Code function: 2_2_00405A55 push es; iretd	2_2_00405A8E
Source: C:\Windows\java.exe	Code function: 8_2_0050A42D push ds; ret	8_2_0050A42E
Source: C:\Windows\java.exe	Code function: 8_2_0050DEA6 push ds; ret	8_2_0050DEBE
Source: C:\Windows\java.exe	Code function: 8_2_0050A501 push ecx; retf	8_2_0050A53F
Source: C:\Windows\java.exe	Code function: 8_2_0050A50F push ecx; retf	8_2_0050A53F
Source: C:\Windows\java.exe	Code function: 8_2_00509BA2 push edx; retf	8_2_00509BAB

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\message.com.exe	File created: C:\Windows\services.exe			Jump to dropped file
Source: C:\Windows\java.exe	File created: C:\Users\user\AppData\Local\Temp\services.exe			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\java.exe
Source: C:\Users\user\Desktop\message.com.exe	Executable created and started: C:\Windows\services.exe			Jump to behavior

Exploit detected, runtime environment dropped PE file

Source: C:\Windows\java.exe

File created: services.exe.8.dr

Jump to dropped file

Source: C:\Users\user\Desktop\message.com.exe	File created: C:\Windows\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\message.com.exe	File created: C:\Windows\services.exe	Jump to dropped file
Source: C:\Windows\java.exe	File created: C:\Users\user\AppData\Local\Temp\services.exe	Jump to dropped file

Source: C:\Users\user\Desktop\message.com.exe	File created: C:\Windows\java.exe			Jump to dropped file
Source: C:\Users\user\Desktop\message.com.exe	File created: C:\Windows\services.exe			Jump to dropped file

Source: C:\Users\user\Desktop\message.com.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM	Jump to behavior
Source: C:\Users\user\Desktop\message.com.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM	Jump to behavior
Source: C:\Windows\services.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services	Jump to behavior
Source: C:\Windows\services.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\services.exe	Window / User API: threadDelayed 1426	Jump to behavior
Source: C:\Windows\java.exe	Window / User API: threadDelayed 1380	Jump to behavior
Source: C:\Windows\java.exe	Window / User API: threadDelayed 7702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Window / User API: threadDelayed 2230	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe	Window / User API: threadDelayed 7767	Jump to behavior
Source: C:\Windows\services.exe	Window / User API: threadDelayed 9361	Jump to behavior
Source: C:\Windows\services.exe	Window / User API: threadDelayed 638	Jump to behavior

Source: C:\Windows\java.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_8-3537
Source: C:\Windows\services.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_2-1036
Source: C:\Users\user\Desktop\message.com.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-3533

Source: C:\Users\user\Desktop\message.com.exe TID: 6732	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\services.exe TID: 6380	Thread sleep count: 1426 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 7576	Thread sleep count: 1380 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 7576	Thread sleep time: -1104000s >= -30000s	Jump to behavior
Source: C:\Windows\java.exe TID: 7552	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 7576	Thread sleep count: 7702 > 30	Jump to behavior
Source: C:\Windows\java.exe TID: 7576	Thread sleep time: -6161600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572	Thread sleep count: 2230 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572	Thread sleep time: -557500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572	Thread sleep count: 7767 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572	Thread sleep time: -1941750s >= -30000s	Jump to behavior
Source: C:\Windows\services.exe TID: 7736	Thread sleep count: 9361 > 30	Jump to behavior
Source: C:\Windows\services.exe TID: 7736	Thread sleep time: -2340250s >= -30000s	Jump to behavior
Source: C:\Windows\services.exe TID: 7736	Thread sleep count: 638 > 30	Jump to behavior
Source: C:\Windows\services.exe TID: 7736	Thread sleep time: -159500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\message.com.exe	Last function: Thread delayed
Source: C:\Windows\services.exe	Last function: Thread delayed
Source: C:\Windows\services.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h		0_2_00505717
Source: C:\Windows\java.exe	Code function: 8_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h		8_2_00505717

Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,		0_2_005052AD
Source: C:\Windows\java.exe	Code function: 8_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose,		8_2_005052AD

Source: C:\Users\user\Desktop\message.com.exe

Thread delayed: delay time: 56000

Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\java.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: java.exe, 00000008.00000002.2622640497.000000000056E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld}
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: services.exe, 00000002.00000002.2622723854.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 0000000B.00000002.2624896857.0000000000800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: services.exe, 00000009.00000002.2622857477.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: message.com.exe, 00000000.00000002.1500711357.000000000059E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\services.exe

API call chain: ExitProcess graph end node

graph_2-1005

Source: C:\Users\user\Desktop\message.com.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_00505A45 LdrInitializeThunk,lstrcpy,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcpy,

0_2_00505A45

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState,

0_2_00503620

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,HeapFree,

0_2_00504E00

Source: C:\Users\user\Desktop\message.com.exe	Process created: C:\Windows\services.exe "C:\Windows\services.exe"			Jump to behavior
Source: C:\Windows\java.exe	Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe"			Jump to behavior

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,

0_2_005032CB

Source: C:\Users\user\Desktop\message.com.exe

Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA,

0_2_005032CB

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\message.com.exe	Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,		0_2_0050311C
Source: C:\Windows\java.exe	Code function: 8_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress,		8_2_0050311C

Source: C:\Windows\services.exe

Code function: 2_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle,

2_2_00401F0E

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	22 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
message.com.exe	97%	ReversingLabs	Win32.Worm.Mydoom
message.com.exe	92%	Virustotal		Browse
message.com.exe	100%	Avira	WORM/Mydoom.O.1
message.com.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\services.exe	100%	Avira	BDS/Backdoor.fszhy
C:\Windows\java.exe	100%	Avira	WORM/Mydoom.O.1
C:\Windows\services.exe	100%	Avira	BDS/Backdoor.fszhy
C:\Users\user\AppData\Local\Temp\services.exe	100%	Joe Sandbox ML
C:\Windows\java.exe	100%	Joe Sandbox ML
C:\Windows\services.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\services.exe	100%	ReversingLabs	Win32.Worm.Mydoom
C:\Users\user\AppData\Local\Temp\services.exe	85%	Virustotal		Browse
C:\Windows\java.exe	97%	ReversingLabs	Win32.Worm.Mydoom
C:\Windows\java.exe	92%	Virustotal		Browse
C:\Windows\services.exe	100%	ReversingLabs	Win32.Worm.Mydoom
C:\Windows\services.exe	85%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0	0%	Avira URL Cloud	safe
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c	0%	Avira URL Cloud	safe
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s	0%	Avira URL Cloud	safe
https://denmark.smartscre_	0%	Avira URL Cloud	safe
https://unitUSOPrivaten.micrp	0%	Avira URL Cloud	safe
https://unitedstates2.ss.wd.microsoft	0%	Avira URL Cloud	safe
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s	0%	Avira URL Cloud	safe
https://europe.dbgcreepp	0%	Avira URL Cloud	safe
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s	1%	Virustotal		Browse
https://europe.d	0%	Avira URL Cloud	safe
https://unitedstates2.ss.wd.microsoft	0%	Virustotal		Browse
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=	0%	Avira URL Cloud	safe
https://denmark.smartscre_curlrcom	0%	Avira URL Cloud	safe
https://unitedstates4.ss.wd.microsoft.us	0%	Avira URL Cloud	safe
https://southkoreregid.1991-06.com.microsoftza	0%	Avira URL Cloud	safe
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s	0%	Virustotal		Browse
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c	0%	Virustotal		Browse
https://unitedstates4.ss.wd.microsoft.us	0%	Virustotal		Browse
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=	0%	Virustotal		Browse
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://unitUSOPrivaten.micrp	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.altavista.com/web/results?q=%s&kgs=0&kls=0	message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s	message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://denmark.smartscre_	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c	message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://unitedstates2.ss.wd.microsoft	message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://europe.dbgcreepp	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s	message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://europe.d	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=	message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://denmark.smartscre_curlrcom	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://unitedstates4.ss.wd.microsoft.us	message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://southkoreregid.1991-06.com.microsoftza	message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
15.124.29.93	unknown	United States	1874	HPESUS	false
4.240.78.155	unknown	United States	3356	LEVEL3US	false
159.134.165.119	unknown	Ireland	5466	EIRCOMInternetHouseIE	false
16.91.195.90	unknown	United States	unknown	unknown	false
24.196.145.49	unknown	United States	20115	CHARTER-20115US	false

Private

IP
192.168.1.64

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446503
Start date and time:	2024-05-23 15:13:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	message.com.exe
Detection:	MAL
Classification:	mal100.spre.expl.evad.winEXE@8/10@0/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:13:54	API Interceptor	1x Sleep call for process: message.com.exe modified
09:14:08	API Interceptor	1x Sleep call for process: WerFault.exe modified
09:14:38	API Interceptor	930461x Sleep call for process: java.exe modified
09:14:39	API Interceptor	387746x Sleep call for process: services.exe modified
15:13:55	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM C:\Windows\java.exe
15:14:04	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Windows\services.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
4.240.78.155	AHnFoINkgu.exe	Get hash	malicious	MyDoom	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHARTER-20115US	gm7Kudjyws.elf	Get hash	malicious	Gafgyt	Browse	47.46.33.144
	6uBxa0vGQt.elf	Get hash	malicious	Gafgyt	Browse	47.39.126.138
	UTHyAUOVPD.elf	Get hash	malicious	Mirai	Browse	68.187.128.74
	6YyUQU3was.elf	Get hash	malicious	Mirai	Browse	47.6.68.123
	S4kCacU4pQ.elf	Get hash	malicious	Gafgyt, Mirai	Browse	71.9.59.238
	hCNsvwoPS6.elf	Get hash	malicious	Unknown	Browse	97.94.126.144
	qwmLv2FcgD.elf	Get hash	malicious	Unknown	Browse	66.214.254.218
	https://teiegeram-hk.com/	Get hash	malicious	Unknown	Browse	47.238.230.216
	O7HAqYMIla.elf	Get hash	malicious	Gafgyt, Mirai	Browse	47.6.192.223
	file.exe	Get hash	malicious	FormBook	Browse	47.238.226.135
LEVEL3US	yzKJORP7Q4.elf	Get hash	malicious	Mirai, Moobot	Browse	195.122.148.75
	AsrP4dFOgM.elf	Get hash	malicious	Mirai, Moobot	Browse	207.120.23.151
	4rg5Y5MHO8.elf	Get hash	malicious	Mirai, Moobot	Browse	195.122.148.75
	gJlGkncVHO.elf	Get hash	malicious	Mirai, Moobot	Browse	4.60.94.244
	j55aXfhPv3.elf	Get hash	malicious	Mirai, Moobot	Browse	9.229.188.157
	gm7Kudjyws.elf	Get hash	malicious	Gafgyt	Browse	9.118.129.82
	vZBUQqNWgr.elf	Get hash	malicious	Mirai	Browse	9.14.76.91
	n8RoxsQ4om.elf	Get hash	malicious	Mirai	Browse	4.149.11.172
	Xi102MnZby.elf	Get hash	malicious	Mirai	Browse	8.195.231.20
	6YyUQU3was.elf	Get hash	malicious	Mirai	Browse	8.126.41.29
EIRCOMInternetHouseIE	N4OvIeLPCh.elf	Get hash	malicious	Mirai	Browse	159.134.126.188
	X7xw44e4Ob.elf	Get hash	malicious	Mirai	Browse	86.45.72.235
	3noHaWnI4J.elf	Get hash	malicious	Unknown	Browse	86.40.46.11
	16sbYI4aDX.elf	Get hash	malicious	Unknown	Browse	86.47.233.103
	BduAJLAMAy.elf	Get hash	malicious	Mirai, Okiru	Browse	217.183.76.102
	240506-b7lv1sfmcw_pw_infected.zip	Get hash	malicious	Xmrig	Browse	83.70.50.205
	bot.mips.elf	Get hash	malicious	Unknown	Browse	86.40.46.45
	2AAH1UYstb.elf	Get hash	malicious	Mirai	Browse	86.40.46.63
	arm7.elf	Get hash	malicious	Mirai	Browse	217.183.204.139
	gVPlpwuoVV.elf	Get hash	malicious	Mirai	Browse	86.41.149.5
HPESUS	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	205.239.207.228
	bqHlnibJh9.elf	Get hash	malicious	Mirai	Browse	205.239.255.111
	nnrBAc4RLp.elf	Get hash	malicious	Mirai	Browse	66.54.49.18
	pagtZwlU1G.elf	Get hash	malicious	Unknown	Browse	15.141.5.31
	GSzQSyqWKB.elf	Get hash	malicious	Mirai	Browse	66.54.49.22
	z9QVrRPbJc.elf	Get hash	malicious	Unknown	Browse	15.210.207.16
	ZMDO0vznFx.elf	Get hash	malicious	Unknown	Browse	15.127.198.185
	lS9yzwGRef.elf	Get hash	malicious	Mirai	Browse	204.230.188.223
	UuD1zt2QpK.elf	Get hash	malicious	Mirai	Browse	170.213.223.118
	2xPVyj2lU8.elf	Get hash	malicious	Mirai	Browse	15.140.91.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\services.exe	java.exe	Get hash	malicious	MyDoom	Browse
	.scr.exe	Get hash	malicious	MyDoom	Browse
	File.scr.exe	Get hash	malicious	MyDoom	Browse
	document.scr.exe	Get hash	malicious	MyDoom	Browse
	document.scr.exe	Get hash	malicious	MyDoom	Browse
	gildong@hongs.com.exe	Get hash	malicious	MyDoom	Browse
	.com.exe	Get hash	malicious	MyDoom	Browse
	mail.txt .exe	Get hash	malicious	MyDoom	Browse
	instruction.scr.exe	Get hash	malicious	MyDoom	Browse
	.scr.exe	Get hash	malicious	MyDoom	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_message.com.exe_eabd2b87f1d1ff89785cafa7c6d1682cb0e0_578fa923_f27a16b7-0af0-4c1f-b85f-b3b6001c5425\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8568673996956846
Encrypted:	false
SSDEEP:	96:bZF6Wdh0nsRhM1yDfwQXIDcQvc6QcEVcw3cE/n+HbHg/opAnQzOqg7TlOy4aEuFZ:dAESnE0BU/gjdKzuiFlZ24IO8m
MD5:	E848028BB17E825EDBFA9B979C8504A2
SHA1:	ED7C6EC84289994D7CF4D35D3E0C64F7B6F06DCE
SHA-256:	DD4AEEE1437639FCCD21879266ED9F43014A65BD8B47B70043C6C06BCC5E09A7
SHA-512:	74F672708BA4EC180FF2536C6200F9C6C8083B85DCA1C18D06F2764955301701CE05EFDCC522C0DF831E1982603C2B9779E36BEA2A6D345F7E20230A72B3B8B8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.4.3.6.4.2.4.9.3.2.6.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.4.3.6.4.2.9.1.5.1.5.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.7.a.1.6.b.7.-.0.a.f.0.-.4.c.1.f.-.b.8.5.f.-.b.3.b.6.0.0.1.c.5.4.2.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.a.c.b.2.7.d.-.5.8.b.a.-.4.e.0.3.-.b.c.f.a.-.1.8.e.a.d.0.3.1.8.2.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.e.s.s.a.g.e...c.o.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.8.-.0.0.0.1.-.0.0.1.4.-.1.0.1.6.-.d.c.0.f.1.3.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.9.2.8.3.d.6.a.0.f.6.8.a.3.f.3.9.7.a.8.7.e.7.e.d.b.0.d.a.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.c.9.9.f.6.8.7.b.1.8.2.f.3.d.e.e.7.1.e.8.4.3.4.3.6.0.5.9.5.8.3.2.e.a.4.3.1.0.7.5.!.m.e.s.s.a.g.e...c.o.m...e.x.e.....T.a.r.g.e.t.A.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FFD.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 23 13:14:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	99262
Entropy (8bit):	1.977843795848732
Encrypted:	false
SSDEEP:	384:kMqoys/4EtjvwVlMU4hZgQERGgY1ttp4cugcbEgbQ8DgnkkDr71:kyP/4Etjvw/MU4hrEcgYRpuRI7
MD5:	0B6D6470B86E7A3E87C6A55F817B9519
SHA1:	92C801A2CD7F1F49E32E3EFA03F561ACA8489172
SHA-256:	8CA59B520D5E57EF917FE793D9EC6E180B058B6ED1D6895C3FFEE64CE1346992
SHA-512:	76A73A48BF056A47F014F7FF97445C4F8E7DB19C25D1D4FB37B826550D0A8A8BCF8A8AC54E9B17C87D5BB0D400582C4E1760D73ED37708F87580C599BD14ECB4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........AOf........................................0>..........T.......8...........T............/...T......................x...............................................................................eJ..............GenuineIntel............T............AOf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70BA.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.6928575628570646
Encrypted:	false
SSDEEP:	192:R6l7wVeJTS6RK6YS+SU9JFgmfyJjRprk89b/ysfi1m:R6lXJG6M6YbSU9JFgmfyJjN/xfp
MD5:	67D75DD3B5795AC758F64B022996C708
SHA1:	0FF780F7EB7E1FD75DB00BCA377F2F02C2561852
SHA-256:	A1FC779693DEEAA7993BCADF5D85E99E0D1F86BBAC56FC0EA10F8BD132E746CA
SHA-512:	5EBBD259610156DE3DFDE2C261ED7AFE9AB374F8C3DEFAD2AD630EC5A630B86DDDD97E26E219F569B878F98857129672DA3B42BC298FCD8503C31126C94D540C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70EA.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4590
Entropy (8bit):	4.424182974969968
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9zYWpW8VYEYm8M4JJ8F1m+q8VdutWh31Ed:uIjffI7JR7VUJYm0utWh31Ed
MD5:	D8D4DE2B29ED4761AB6AD14A83A0A49A
SHA1:	76CF10EB0893C73098E24245E2DCED4C1911A8DE
SHA-256:	05D71F426D7C82552AE654DFC2418C85731CCCB656C87C83571A327A62E54A9E
SHA-512:	2A23E198587DBBC3C61CA2EF6ABC831A4C305D5C5966F3B5021890CEAB92EFB96AE242E05026E404F06189B6A37DF46712DBE4186C81B0FB00B5858A403C3E14
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="335776" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\services.exe

Process:	C:\Windows\java.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.951274251785221
Encrypted:	false
SSDEEP:	192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3
MD5:	B0FE74719B1B647E2056641931907F4A
SHA1:	E858C206D2D1542A79936CB00D85DA853BFC95E2
SHA-256:	BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
SHA-512:	9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 85%, Browse
Joe Sandbox View:	Filename: java.exe, Detection: malicious, Browse Filename: .scr.exe, Detection: malicious, Browse Filename: File.scr.exe, Detection: malicious, Browse Filename: document.scr.exe, Detection: malicious, Browse Filename: document.scr.exe, Detection: malicious, Browse Filename: gildong@hongs.com.exe, Detection: malicious, Browse Filename: .com.exe, Detection: malicious, Browse Filename: mail.txt .exe, Detection: malicious, Browse Filename: instruction.scr.exe, Detection: malicious, Browse Filename: .scr.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................PE..L........................ .......@..pg...P...p....@..........................................................................p......................................................................................................................UPX0.....@..............................UPX1..... ...P......................@...UPX2.........p......................@..............................................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Users\user\AppData\Local\Temp\zincite.log

Process:	C:\Users\user\Desktop\message.com.exe
File Type:	data
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	7.795514762507085
Encrypted:	false
SSDEEP:	24:TviXk7ETV5CXcNvHn6zBXTKFu+v3lAd2OcBaAaS/:TviXk7ET7CsPlud2O4aAx
MD5:	99EAC78C50F59FB1ABD6FE2D24B626B4
SHA1:	ED0F4878EE2991DEE65BBCADEDA817F25E766660
SHA-256:	864228C23218197BF3AB9B125CB222744643101B0BB20925C28AA6F700075677
SHA-512:	F7174858FE7027768EEC922370371DF7E080571FD582C7473CB854B9AB4BED11688CDD334FB0317298B1A2F16D64C4CB82F5A7E4B0A3809955150638EFFD3FE1
Malicious:	false
Reputation:	low
Preview:	..`....^..._.NN.@;7.@.r...0..(...E....j.Y.j.>..B6.q..k...k.>..h.;M.B7.g...$4.g..^.......g.....<H.l..{..\.lW/f.W./]\....c..I.ex.3y..y..1r.3{#........c...0..V\....`\...U..[......s.W.\...$.H..>W.."W.d.H..F..$...X.ZE....c.6..xZE.....$.G..6..RW.th.Yp.1X....h.X..=Y....$.......[.&....3E...3.....q:...^f..Q......q.......?...k...P+.A...A..1G%..xr...XL......D...].@....6..8?....X...V8..X..z.qc@X...c...o....#7...f..A.P..]_~..9..x...X......#n..e.AEq.:je.A?......k.U....bo.....#<.j.\...3%...%j.\...8.}b....z}b.}b...EV..7....}....A.C....I.:..3.^...U.y.AR3(..k.vL...K.R..vv.......1f.K..i.N{VG..y..:.....`M....VG.. v....z.......,..&....?..2.:.V.x.....C.GPy.+.y.2-.+.yH.~...6.v..aIK-...,...%...,.IK/.IK-.....",.P.....{...#Q..{...{.......{..wx.=....cB..w..H/.H/..H/.....r...%.NN%.%%.Z}j.T.$.Z}j~N..\|..e.N._.N....K...qJ.E....K...u."?\.`..:"mZ:)...u.o.u....s...R..}.M%._M%.k.......v!...M%....(..7uCF..C.............W. ....[......0d.O.]NQ.MO.d.O..k..F...,[.V`..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372055515072458
Encrypted:	false
SSDEEP:	6144:1FVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguN4iL:zV1QyWWI/glMM6kF7eq
MD5:	1EF560964D6B2495B7641A7A6AD0A045
SHA1:	5E786957A509884124C673B16A91FF3FB39AC58F
SHA-256:	B865A591EA1ABB4BF24A27BA3B9C4AB437DB90CF61BFF722814A372EF0013828
SHA-512:	192ED9FE41DD5D343E20C6EFFB9B6AF8F6A7B85B8F30BADB75E3434ACEC35A2142E5006F7B74CB84ECC61A71F37286830874326993BA7AD75D407ACC9D4A8786
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:....................................................................................................................................................................................................................................................................................................................................................z. ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\java.exe

Process:	C:\Users\user\Desktop\message.com.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	28864
Entropy (8bit):	7.564388249755126
Encrypted:	false
SSDEEP:	384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNHS6e:Dv8IRRdsxq1DjJcqfH
MD5:	E5128ECE1B9916A6DF7CD56D66C193C2
SHA1:	C99F687B182F3DEE71E8434360595832EA431075
SHA-256:	6C37D14D5AD674E4C0FA8DF0A999BE6B27399936C9FF16F7FB30B802ADDB7B4C
SHA-512:	67B9166F33C78140CE2259DF9A7BAE92E6CAE066B7F54CB0EBDEC183EF1FFAF958F6CD24B0BB01E2B6A302FB73E9C5C057554C825E1496EF3B679E77DD7715AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97% Antivirus: Virustotal, Detection: 92%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................`........................P.............................................................................0...................................................................................................................UPX0....................................UPX1.....`.......`..................@....rsrc................d..............@......................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Windows\java.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\message.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\services.exe

Process:	C:\Users\user\Desktop\message.com.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.951274251785221
Encrypted:	false
SSDEEP:	192:tZWNqWKIzebvOZnzCj6juhEJS3/Uf/tpfmG62X9f3:tZ6qWTYvczfahX/UHtF6e9f3
MD5:	B0FE74719B1B647E2056641931907F4A
SHA1:	E858C206D2D1542A79936CB00D85DA853BFC95E2
SHA-256:	BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
SHA-512:	9C82E88264696D0DADEF9C0442AD8D1183E48F0FB355A4FC9BF4FA5DB4E27745039F98B1FD1FEBFF620A5DED6DD493227F00D7D2E74B19757685AA8655F921C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 85%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................PE..L........................ .......@..pg...P...p....@..........................................................................p......................................................................................................................UPX0.....@..............................UPX1..... ...P......................@...UPX2.........p......................@..............................................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.564388249755126
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	message.com.exe
File size:	28'864 bytes
MD5:	e5128ece1b9916a6df7cd56d66c193c2
SHA1:	c99f687b182f3dee71e8434360595832ea431075
SHA256:	6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c
SHA512:	67b9166f33c78140ce2259df9a7bae92e6cae066b7f54cb0ebdec183ef1ffaf958f6cd24b0bb01e2b6a302fb73e9c5c057554c825e1496ef3b679e77dd7715af
SSDEEP:	384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNHS6e:Dv8IRRdsxq1DjJcqfH
TLSH:	72D2C091B040B6E2D05682731D86C462F8129D600A9BD2CBB724BF7FFDF23854B0DD26
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L........................`.........

File Icon


Icon Hash:	9361c4a092b08082

Static PE Info

General

Entrypoint:	0x50ed00
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x500000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	98cd465c2ab2841f9fd90d5e847563f4

Entrypoint Preview

Instruction
pushad
mov esi, 00509000h
lea edi, dword ptr [esi-00008000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F03ACB31D02h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F03ACB31CF9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F03ACB31CDFh
mov eax, 00000001h
add ebx, ebx
jne 00007F03ACB31CF9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F03ACB31CE1h
jne 00007F03ACB31CFBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F03ACB31CD6h
xor ecx, ecx
sub eax, 03h
jc 00007F03ACB31CFFh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F03ACB31D66h
mov ebp, eax
add ebx, ebx
jne 00007F03ACB31CF9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F03ACB31CF9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F03ACB31D12h
inc ecx
add ebx, ebx
jne 00007F03ACB31CF9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F03ACB31CE1h
jne 00007F03ACB31CFBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F03ACB31CD6h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F03ACB31D01h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F03ACB31CE9h
jmp 00007F03ACB31C58h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf514	0x130	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x514	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x9000	0x6000	0x6000	20cc7d301223a53410f8b542bb816f9a	False	0.971923828125	data	7.859086691322967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf000	0x1000	0x800	60d328df3a5dff05a8db261a75a0deda	False	0.27880859375	data	2.6542421841999686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf0d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.2782258064516129
RT_ICON	0xf3c4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.4189189189189189
RT_GROUP_ICON	0xf4f0	0x22	data	English	United States	1.0

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll	RegCloseKey
MSVCRT.dll	memset
USER32.dll	wsprintfA
WS2_32.dll	gethostname

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:13:56.199729919 CEST	49705	1034	192.168.2.8	15.124.29.93
May 23, 2024 15:13:56.204732895 CEST	1034	49705	15.124.29.93	192.168.2.8
May 23, 2024 15:13:56.204822063 CEST	49705	1034	192.168.2.8	15.124.29.93
May 23, 2024 15:13:56.208085060 CEST	49705	1034	192.168.2.8	15.124.29.93
May 23, 2024 15:13:56.256030083 CEST	1034	49705	15.124.29.93	192.168.2.8
May 23, 2024 15:14:17.612704992 CEST	1034	49705	15.124.29.93	192.168.2.8
May 23, 2024 15:14:17.612771988 CEST	49705	1034	192.168.2.8	15.124.29.93
May 23, 2024 15:14:17.612983942 CEST	49705	1034	192.168.2.8	15.124.29.93
May 23, 2024 15:14:17.613805056 CEST	49712	1034	192.168.2.8	4.240.78.155
May 23, 2024 15:14:17.669143915 CEST	1034	49705	15.124.29.93	192.168.2.8
May 23, 2024 15:14:17.719350100 CEST	1034	49712	4.240.78.155	192.168.2.8
May 23, 2024 15:14:17.719434977 CEST	49712	1034	192.168.2.8	4.240.78.155
May 23, 2024 15:14:17.719491005 CEST	49712	1034	192.168.2.8	4.240.78.155
May 23, 2024 15:14:17.773034096 CEST	1034	49712	4.240.78.155	192.168.2.8
May 23, 2024 15:14:39.139288902 CEST	1034	49712	4.240.78.155	192.168.2.8
May 23, 2024 15:14:39.139518976 CEST	49712	1034	192.168.2.8	4.240.78.155
May 23, 2024 15:14:39.139518976 CEST	49712	1034	192.168.2.8	4.240.78.155
May 23, 2024 15:14:39.140522003 CEST	49713	1034	192.168.2.8	24.196.145.49
May 23, 2024 15:14:39.192744970 CEST	1034	49712	4.240.78.155	192.168.2.8
May 23, 2024 15:14:39.239397049 CEST	1034	49713	24.196.145.49	192.168.2.8
May 23, 2024 15:14:39.239522934 CEST	49713	1034	192.168.2.8	24.196.145.49
May 23, 2024 15:14:39.239590883 CEST	49713	1034	192.168.2.8	24.196.145.49
May 23, 2024 15:14:39.296145916 CEST	1034	49713	24.196.145.49	192.168.2.8
May 23, 2024 15:15:00.645147085 CEST	1034	49713	24.196.145.49	192.168.2.8
May 23, 2024 15:15:00.645246029 CEST	49713	1034	192.168.2.8	24.196.145.49
May 23, 2024 15:15:00.645279884 CEST	49713	1034	192.168.2.8	24.196.145.49
May 23, 2024 15:15:00.652292013 CEST	49715	1034	192.168.2.8	159.134.165.119
May 23, 2024 15:15:00.657354116 CEST	1034	49713	24.196.145.49	192.168.2.8
May 23, 2024 15:15:00.707402945 CEST	1034	49715	159.134.165.119	192.168.2.8
May 23, 2024 15:15:00.707582951 CEST	49715	1034	192.168.2.8	159.134.165.119
May 23, 2024 15:15:00.715615988 CEST	49715	1034	192.168.2.8	159.134.165.119
May 23, 2024 15:15:00.763462067 CEST	1034	49715	159.134.165.119	192.168.2.8
May 23, 2024 15:15:22.131966114 CEST	1034	49715	159.134.165.119	192.168.2.8
May 23, 2024 15:15:22.132095098 CEST	49715	1034	192.168.2.8	159.134.165.119
May 23, 2024 15:15:22.561502934 CEST	49715	1034	192.168.2.8	159.134.165.119
May 23, 2024 15:15:22.563697100 CEST	49716	1034	192.168.2.8	16.91.195.90
May 23, 2024 15:15:22.566627979 CEST	1034	49715	159.134.165.119	192.168.2.8
May 23, 2024 15:15:22.571651936 CEST	1034	49716	16.91.195.90	192.168.2.8
May 23, 2024 15:15:22.571789980 CEST	49716	1034	192.168.2.8	16.91.195.90
May 23, 2024 15:15:22.588049889 CEST	49716	1034	192.168.2.8	16.91.195.90
May 23, 2024 15:15:22.624295950 CEST	1034	49716	16.91.195.90	192.168.2.8
May 23, 2024 15:15:43.976439953 CEST	1034	49716	16.91.195.90	192.168.2.8
May 23, 2024 15:15:43.976541996 CEST	49716	1034	192.168.2.8	16.91.195.90
May 23, 2024 15:15:43.977761030 CEST	49717	1034	192.168.2.8	192.168.1.64
May 23, 2024 15:15:43.978130102 CEST	49716	1034	192.168.2.8	16.91.195.90
May 23, 2024 15:15:44.032623053 CEST	1034	49717	192.168.1.64	192.168.2.8
May 23, 2024 15:15:44.032718897 CEST	49717	1034	192.168.2.8	192.168.1.64
May 23, 2024 15:15:44.033354044 CEST	49717	1034	192.168.2.8	192.168.1.64
May 23, 2024 15:15:44.037688017 CEST	1034	49716	16.91.195.90	192.168.2.8
May 23, 2024 15:15:44.042493105 CEST	1034	49717	192.168.1.64	192.168.2.8
May 23, 2024 15:16:05.417108059 CEST	1034	49717	192.168.1.64	192.168.2.8
May 23, 2024 15:16:05.417193890 CEST	49717	1034	192.168.2.8	192.168.1.64
May 23, 2024 15:16:05.417237997 CEST	49717	1034	192.168.2.8	192.168.1.64
May 23, 2024 15:16:05.468353987 CEST	1034	49717	192.168.1.64	192.168.2.8

Target ID:	0
Start time:	09:13:54
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\message.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\message.com.exe"
Imagebase:	0x500000
File size:	28'864 bytes
MD5 hash:	E5128ECE1B9916A6DF7CD56D66C193C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MyDoom, Description: Yara detected MyDoom, Source: 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	09:13:54
Start date:	23/05/2024
Path:	C:\Windows\services.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\services.exe"
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs Detection: 85%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Target ID:	6
Start time:	09:14:02
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196
Imagebase:	0x90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	09:14:04
Start date:	23/05/2024
Path:	C:\Windows\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\java.exe"
Imagebase:	0x500000
File size:	28'864 bytes
MD5 hash:	E5128ECE1B9916A6DF7CD56D66C193C2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MyDoom, Description: Yara detected MyDoom, Source: 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs Detection: 92%, Virustotal, Browse
Reputation:	low
Has exited:	false

Target ID:	9
Start time:	09:14:04
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Local\Temp\services.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\services.exe"
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs Detection: 85%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	09:14:12
Start date:	23/05/2024
Path:	C:\Windows\services.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\services.exe"
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	B0FE74719B1B647E2056641931907F4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false