Windows Analysis Report
sj-updater-app.exe

Overview

General Information

Sample name: sj-updater-app.exe
Analysis ID: 1448096
MD5: 457dd6e4dc5e7866f2b10b065379f3e3
SHA1: 7a2b3bd51b34f6e8361a41dc428917234edf76d9
SHA256: a3281a97f2bdbeba81f22630ba5dd9543e28debcdda17188357ecdf4c7c7ff8a
Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: sj-updater-app.exe Static PE information: certificate valid
Source: sj-updater-app.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\cmakebuild\Release\bin\sj-updater\sj-updater-app.pdb source: sj-updater-app.exe
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7122B7210 WSARecv,#111, 0_2_00007FF7122B7210
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: sj-updater-app.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: sj-updater-app.exe String found in binary or memory: https://2.4.5sj-pulse-desktop
Source: sj-updater-app.exe String found in binary or memory: https://pulse.surveyjunkie.com/downloads
Source: sj-updater-app.exe String found in binary or memory: https://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeat
Source: sj-updater-app.exe String found in binary or memory: https://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeatingress.coralogix.us/logs/v1/bulkinsig
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: String function: 00007FF712293690 appears 67 times
Source: sj-updater-app.exe Binary or memory string: OriginalFilename vs sj-updater-app.exe
Source: sj-updater-app.exe, 00000000.00000002.2897984777.00007FF71248C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesj-updater.exe6 vs sj-updater-app.exe
Source: sj-updater-app.exe Binary or memory string: OriginalFilenamesj-updater.exe6 vs sj-updater-app.exe
Source: classification engine Classification label: clean2.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7123F46DC GetDiskFreeSpaceExW,GetLastError,__std_fs_open_handle,CloseHandle,free,malloc,free,free,GetFinalPathNameByHandleW,malloc,free,free,CloseHandle,abort,CloseHandle,GetDiskFreeSpaceExW,GetLastError,free,GetLastError,CloseHandle,free,free, 0_2_00007FF7123F46DC
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7122D8A90 StartServiceCtrlDispatcherA,GetLastError,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7122D8A90
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: sj-updater-app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sj-updater-app.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sj-updater-app.exe String found in binary or memory: Originator-Return-Address
Source: sj-updater-app.exe String found in binary or memory: MMHS-Exempted-Address
Source: sj-updater-app.exe String found in binary or memory: Accept-Additions
Source: sj-updater-app.exe String found in binary or memory: /maximum-install-time-ms
Source: sj-updater-app.exe String found in binary or memory: List-Help
Source: sj-updater-app.exe String found in binary or memory: bad numeric conversion: positive overflow/hosting-url/initial-check-delay-ms/version-check-interval-ms/maximum-install-time-ms/error-expiration-period-ms/maximum-retry-attempts/verify-signature/version-info-file-url/feature-flags-file-url/feature-flags-config-dir/feature-flags-update-post-delay-ms/observabilityFailed to load updater configuraion: {}C:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\sj-updater\src\UpdaterConfig.cpp__cdecl sj::UpdaterConfig::UpdaterConfig(const class std::vector<struct sj::cfg::ConfigFile,class std::allocator<struct sj::cfg::ConfigFile> > &)Activating default configurationhttps://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeatingress.coralogix.us/logs/v1/bulkinsights-collector.newrelic.com/v1/accounts/1592627/eventsev_log-api.newrelic.com/log/v1log_metric-api.newrelic.com/metric/v1mt_trace-api.newrelic.com/trace/v1tr_api.mixpanel.com93c82f2a7e19b351d199aada15357e62https://pulse.surveyjunkie.com/downloads{}/version-info-{}.json{}/desktop-feature-flags.jsonSJPulse/config'JSON pointer must be empty or begin with '/' - was: 'escape character '~' must be followed with '0' or '1'Overflow detected for '{}'. {} become {}Rounding detected for '{}'. {} become {}Attempting to assign negative number '{}' to a variable expecting positive number '{}'Number expected for '{}', but {} given.unresolved reference token '9 at byte parse errorparse_error/~1~~0nullobjectarraystringbooleanbinarydiscardednumbercannot use operator[] with a string argument with cannot use operator[] with a numeric argument with 961c151d2e87f2686a955a9be24d316f1362bf21 3.11.2) is out of rangearray index '-' (' must not begin with '0'array index '' is not a number exceeds size_typearray index out_of_rangetype_errorother_errortype must be string, but is type must be boolean, but is type must be number, but is
Source: sj-updater-app.exe String found in binary or memory: C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v4.ipp
Source: sj-updater-app.exe String found in binary or memory: C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v6.ipp
Source: sj-updater-app.exe String found in binary or memory: http/1.1C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v4.ippC:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v6.ippC:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\sj-pulse-core\src\network\details\SslUtilities.cppvoid __cdecl sj::details::configureSslContextOptions(struct ssl_ctx_st *const ) noexceptCould not set minimum protocol version for SSL contextCould not set SNI server name '{}', desc: {}void __cdecl sj::details::configureCertificateValidation(class boost::asio::ssl::stream<class boost::asio::basic_stream_socket<class boost::asio::ip::tcp,class boost::asio::any_io_executor> &> &,class std::variant<class std::basic_string_view<char,struct std::char_traits<char> >,class boost::asio::ip::address>,class std::basic_string_view<char,struct std::char_traits<char> >,bool &,class boost::system::error_code &)Could not set ALPN list, desc: {}
Source: unknown Process created: C:\Users\user\Desktop\sj-updater-app.exe "C:\Users\user\Desktop\sj-updater-app.exe"
Source: C:\Users\user\Desktop\sj-updater-app.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: boost_iostreams-vc143-mt-x64-1_83.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: libssl-3-x64.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: libcrypto-3-x64.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: spdlog.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: fmt.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: brotlienc.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: brotlidec.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: sentry.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: vcruntime140_1.dll
Source: sj-updater-app.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: sj-updater-app.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: sj-updater-app.exe Static file information: File size 2156920 > 1048576
Source: sj-updater-app.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17a200
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7122D7090 GetProcessHeap,HeapFree, 0_2_00007FF7122D7090
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7123F58EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7123F58EC
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7122D7100 GetProcessHeap,HeapAlloc,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,CloseHandle,GetProcessHeap,HeapAlloc,CloseHandle,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,CloseHandle,AllocateAndInitializeSid,FreeSid,EqualSid,EqualSid,FreeSid,FreeSid,CloseHandle,FreeSid,FreeSid,CloseHandle, 0_2_00007FF7122D7100
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF7123F3C4C
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF7123F5DFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7123F5DFC
No contacted IP infos