Windows Analysis Report
sj-updater-app.exe

Overview

General Information

Sample name: sj-updater-app.exe
Analysis ID: 1448097
MD5: 457dd6e4dc5e7866f2b10b065379f3e3
SHA1: 7a2b3bd51b34f6e8361a41dc428917234edf76d9
SHA256: a3281a97f2bdbeba81f22630ba5dd9543e28debcdda17188357ecdf4c7c7ff8a

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: sj-updater-app.exe Static PE information: certificate valid
Source: sj-updater-app.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\cmakebuild\Release\bin\sj-updater\sj-updater-app.pdb source: sj-updater-app.exe
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CC07210 WSARecv,#111, 0_2_00007FF63CC07210
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sj-updater-app.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sj-updater-app.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: sj-updater-app.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: sj-updater-app.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: sj-updater-app.exe String found in binary or memory: https://2.4.5sj-pulse-desktop
Source: sj-updater-app.exe String found in binary or memory: https://pulse.surveyjunkie.com/downloads
Source: sj-updater-app.exe String found in binary or memory: https://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeat
Source: sj-updater-app.exe String found in binary or memory: https://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeatingress.coralogix.us/logs/v1/bulkinsig
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: String function: 00007FF63CBE3690 appears 67 times
Source: sj-updater-app.exe Binary or memory string: OriginalFilename vs sj-updater-app.exe
Source: sj-updater-app.exe, 00000000.00000000.1972281910.00007FF63CDDC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesj-updater.exe6 vs sj-updater-app.exe
Source: sj-updater-app.exe Binary or memory string: OriginalFilenamesj-updater.exe6 vs sj-updater-app.exe
Source: classification engine Classification label: clean2.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CD446DC GetDiskFreeSpaceExW,GetLastError,__std_fs_open_handle,CloseHandle,free,malloc,free,free,GetFinalPathNameByHandleW,malloc,free,free,CloseHandle,abort,CloseHandle,GetDiskFreeSpaceExW,GetLastError,free,GetLastError,CloseHandle,free,free, 0_2_00007FF63CD446DC
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CC28A90 StartServiceCtrlDispatcherA,GetLastError,_invalid_parameter_noinfo_noreturn, 0_2_00007FF63CC28A90
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: sj-updater-app.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sj-updater-app.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sj-updater-app.exe String found in binary or memory: MMHS-Exempted-Address
Source: sj-updater-app.exe String found in binary or memory: Originator-Return-Address
Source: sj-updater-app.exe String found in binary or memory: List-Help
Source: sj-updater-app.exe String found in binary or memory: Accept-Additions
Source: sj-updater-app.exe String found in binary or memory: /maximum-install-time-ms
Source: sj-updater-app.exe String found in binary or memory: bad numeric conversion: positive overflow/hosting-url/initial-check-delay-ms/version-check-interval-ms/maximum-install-time-ms/error-expiration-period-ms/maximum-retry-attempts/verify-signature/version-info-file-url/feature-flags-file-url/feature-flags-config-dir/feature-flags-update-post-delay-ms/observabilityFailed to load updater configuraion: {}C:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\sj-updater\src\UpdaterConfig.cpp__cdecl sj::UpdaterConfig::UpdaterConfig(const class std::vector<struct sj::cfg::ConfigFile,class std::allocator<struct sj::cfg::ConfigFile> > &)Activating default configurationhttps://www.surveyjunkie.com/api/v1/pulse/$(user.id)/heartbeatingress.coralogix.us/logs/v1/bulkinsights-collector.newrelic.com/v1/accounts/1592627/eventsev_log-api.newrelic.com/log/v1log_metric-api.newrelic.com/metric/v1mt_trace-api.newrelic.com/trace/v1tr_api.mixpanel.com93c82f2a7e19b351d199aada15357e62https://pulse.surveyjunkie.com/downloads{}/version-info-{}.json{}/desktop-feature-flags.jsonSJPulse/config'JSON pointer must be empty or begin with '/' - was: 'escape character '~' must be followed with '0' or '1'Overflow detected for '{}'. {} become {}Rounding detected for '{}'. {} become {}Attempting to assign negative number '{}' to a variable expecting positive number '{}'Number expected for '{}', but {} given.unresolved reference token '9 at byte parse errorparse_error/~1~~0nullobjectarraystringbooleanbinarydiscardednumbercannot use operator[] with a string argument with cannot use operator[] with a numeric argument with 961c151d2e87f2686a955a9be24d316f1362bf21 3.11.2) is out of rangearray index '-' (' must not begin with '0'array index '' is not a number exceeds size_typearray index out_of_rangetype_errorother_errortype must be string, but is type must be boolean, but is type must be number, but is
Source: sj-updater-app.exe String found in binary or memory: C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v4.ipp
Source: sj-updater-app.exe String found in binary or memory: C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v6.ipp
Source: sj-updater-app.exe String found in binary or memory: http/1.1C:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v4.ippC:\DISQO-Dev\vcpkg\installed\x64-windows\include\boost/asio/ip/impl/address_v6.ippC:\GitLab-Runner\builds\ywNX1RjN\1\behavior\chuck-norrisk\sj-pulse-desktop\sj-pulse-core\src\network\details\SslUtilities.cppvoid __cdecl sj::details::configureSslContextOptions(struct ssl_ctx_st *const ) noexceptCould not set minimum protocol version for SSL contextCould not set SNI server name '{}', desc: {}void __cdecl sj::details::configureCertificateValidation(class boost::asio::ssl::stream<class boost::asio::basic_stream_socket<class boost::asio::ip::tcp,class boost::asio::any_io_executor> &> &,class std::variant<class std::basic_string_view<char,struct std::char_traits<char> >,class boost::asio::ip::address>,class std::basic_string_view<char,struct std::char_traits<char> >,bool &,class boost::system::error_code &)Could not set ALPN list, desc: {}
Source: unknown Process created: C:\Users\user\Desktop\sj-updater-app.exe "C:\Users\user\Desktop\sj-updater-app.exe"
Source: C:\Users\user\Desktop\sj-updater-app.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: boost_iostreams-vc143-mt-x64-1_83.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: libssl-3-x64.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: libcrypto-3-x64.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: spdlog.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: fmt.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: brotlienc.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: brotlidec.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: sentry.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sj-updater-app.exe Section loaded: vcruntime140_1.dll
Source: sj-updater-app.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: sj-updater-app.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: sj-updater-app.exe Static file information: File size 2156920 > 1048576
Source: sj-updater-app.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17a200
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sj-updater-app.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sj-updater-app.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CC27100 GetProcessHeap,HeapAlloc,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,CloseHandle,GetProcessHeap,HeapAlloc,CloseHandle,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,CloseHandle,AllocateAndInitializeSid,FreeSid,EqualSid,EqualSid,FreeSid,FreeSid,CloseHandle,FreeSid,FreeSid,CloseHandle, 0_2_00007FF63CC27100
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CD458EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF63CD458EC
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF63CD43C4C
Source: C:\Users\user\Desktop\sj-updater-app.exe Code function: 0_2_00007FF63CD45DFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF63CD45DFC
No contacted IP infos