Edit tour

Windows Analysis Report
file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip

Overview

General Information

Sample name:	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip
Analysis ID:	1484446
MD5:	7fdeec36b7c05e17b52244fb7b470d7c
SHA1:	eda7f3bb4d7eeb497234c8cb4d3fb70b2cfc24d7
SHA256:	874947f06e359ea7c68780750b03eb1ade4d558e5a3d7526878b94eb99688b5a
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6984 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

fanyiyouda.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\fanyiyouda.exe" MD5: 6D3D81D2D87E2D1EB54B0BBBC610BCDA)

fanyiyouda.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\fanyiyouda.exe" MD5: 6D3D81D2D87E2D1EB54B0BBBC610BCDA)

fanyiyouda.exe (PID: 736 cmdline: "C:\Users\user\Desktop\fanyiyouda.exe" MD5: 6D3D81D2D87E2D1EB54B0BBBC610BCDA)

fanyiyouda.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\fanyiyouda.exe" MD5: 6D3D81D2D87E2D1EB54B0BBBC610BCDA)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\navmd\arphaCrashReport64.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fanyiyouda.exe, ProcessId: 6264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\innipi

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 169.150.222.205 - Destination IP: 192.168.2.16

Timestamp:	2024-07-30T05:21:12.809518+0200
SID:	2011803
Source Port:	9000
Destination Port:	49710
Protocol:	TCP
Classtype:	Executable code was detected

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected - Source IP: 169.150.222.205 - Destination IP: 192.168.2.16

Timestamp:	2024-07-30T05:21:03.900827+0200
SID:	2011803
Source Port:	9000
Destination Port:	49706
Protocol:	TCP
Classtype:	Executable code was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\navmd\arphaDump64.dll	ReversingLabs: Detection: 54%
Source: C:\ProgramData\navmd\arphaDump64.dll	Virustotal: Detection: 46%			Perma Link

Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49715 version: TLS 1.2

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 280
Source: unknown	Network traffic detected: HTTP traffic on port 280 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 280
Source: unknown	Network traffic detected: HTTP traffic on port 280 -> 49709

Source: global traffic	TCP traffic: 192.168.2.16:49705 -> 154.91.82.142:280
Source: global traffic	TCP traffic: 192.168.2.16:49706 -> 169.150.222.205:9000

Source: global traffic	HTTP traffic detected: GET /Test.txt HTTP/1.1Connection: Keep-AliveHost: 154.91.82.142:280
Source: global traffic	HTTP traffic detected: GET /Test.txt HTTP/1.1Connection: Keep-AliveHost: 154.91.82.142:280

Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.82.142

Source: global traffic	HTTP traffic detected: GET /Test.txt HTTP/1.1Connection: Keep-AliveHost: 154.91.82.142:280
Source: global traffic	HTTP traffic detected: GET /Test.txt HTTP/1.1Connection: Keep-AliveHost: 154.91.82.142:280

Source: global traffic	DNS traffic detected: DNS query: helloword.win
Source: global traffic	DNS traffic detected: DNS query: jerryrat2024.oss-cn-beijing.aliyuncs.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 39.97.203.118:443 -> 192.168.2.16:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\fanyiyouda.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Source: classification engine

Classification label: mal52.troj.winZIP@5/2@3/29

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\fanyiyouda.exe "C:\Users\user\Desktop\fanyiyouda.exe"
Source: unknown	Process created: C:\Users\user\Desktop\fanyiyouda.exe "C:\Users\user\Desktop\fanyiyouda.exe"
Source: unknown	Process created: C:\Users\user\Desktop\fanyiyouda.exe "C:\Users\user\Desktop\fanyiyouda.exe"
Source: unknown	Process created: C:\Users\user\Desktop\fanyiyouda.exe "C:\Users\user\Desktop\fanyiyouda.exe"

Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\fanyiyouda.exe	Section loaded: ondemandconnroutehelper.dll

Source: file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip

Static file information: File size 27421841 > 1048576

Source: C:\Users\user\Desktop\fanyiyouda.exe	File created: C:\ProgramData\navmd\arphaDump64.dll			Jump to dropped file
Source: C:\Users\user\Desktop\fanyiyouda.exe	File created: C:\ProgramData\ntjfj\arphaCrashReport64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\fanyiyouda.exe	File created: C:\ProgramData\navmd\arphaDump64.dll			Jump to dropped file
Source: C:\Users\user\Desktop\fanyiyouda.exe	File created: C:\ProgramData\ntjfj\arphaCrashReport64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\fanyiyouda.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run innipi
Source: C:\Users\user\Desktop\fanyiyouda.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run innipi

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 280
Source: unknown	Network traffic detected: HTTP traffic on port 280 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 280
Source: unknown	Network traffic detected: HTTP traffic on port 280 -> 49709

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fanyiyouda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fanyiyouda.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\fanyiyouda.exe	Window / User API: threadDelayed 524
Source: C:\Users\user\Desktop\fanyiyouda.exe	Window / User API: threadDelayed 652
Source: C:\Users\user\Desktop\fanyiyouda.exe	Window / User API: threadDelayed 1423
Source: C:\Users\user\Desktop\fanyiyouda.exe	Window / User API: threadDelayed 4183
Source: C:\Users\user\Desktop\fanyiyouda.exe	Window / User API: threadDelayed 4307

Source: C:\Users\user\Desktop\fanyiyouda.exe	Dropped PE file which has not been started: C:\ProgramData\navmd\arphaDump64.dll			Jump to dropped file
Source: C:\Users\user\Desktop\fanyiyouda.exe	Dropped PE file which has not been started: C:\ProgramData\ntjfj\arphaCrashReport64.exe			Jump to dropped file

Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 5404	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 7036	Thread sleep count: 524 > 30
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 5400	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 1288	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 6616	Thread sleep count: 652 > 30
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 1284	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 6616	Thread sleep count: 1423 > 30
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 7036	Thread sleep count: 4183 > 30
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 7036	Thread sleep time: -41830s >= -30000s
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 6616	Thread sleep count: 4307 > 30
Source: C:\Users\user\Desktop\fanyiyouda.exe TID: 6616	Thread sleep time: -43070s >= -30000s

Source: C:\Users\user\Desktop\fanyiyouda.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\fanyiyouda.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Rundll32	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
C:\ProgramData\ntjfj\arphaCrashReport64.exe	0%	ReversingLabs
C:\ProgramData\ntjfj\arphaCrashReport64.exe	0%	Virustotal		Browse
C:\ProgramData\navmd\arphaDump64.dll	54%	ReversingLabs	Win64.Trojan.DllHijack
C:\ProgramData\navmd\arphaDump64.dll	47%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
helloword.win	1%	Virustotal		Browse
jerryrat2024.oss-cn-beijing.aliyuncs.com	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
helloword.win	169.150.222.205	true	false	1%, Virustotal, Browse	unknown
jerryrat2024.oss-cn-beijing.aliyuncs.com	39.97.203.118	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
169.150.222.205	helloword.win	United States	2711	SPIRITTEL-ASUS	false
154.91.82.142	unknown	Seychelles	134705	ITACE-AS-APItaceInternationalLimitedHK	false
39.97.203.118	jerryrat2024.oss-cn-beijing.aliyuncs.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1484446
Start date and time:	2024-07-30 05:19:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip
Detection:	MAL
Classification:	mal52.troj.winZIP@5/2@3/29
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Created / dropped Files

C:\ProgramData\navmd\arphaDump64.dll

Download File

Process:	C:\Users\user\Desktop\fanyiyouda.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199488
Entropy (8bit):	7.683305461232812
Encrypted:	false
SSDEEP:
MD5:	5D165E30CDB59FDCCBD2ACE554EF3DF7
SHA1:	20344ECC0639934EB752C2F28AC2A0E37BA1852E
SHA-256:	7FCD3560EF424424DBD26B8E1BA90CA0F6198AA1D0BDA44F92CB880F4666A1F1
SHA-512:	7EF245B877C5FEB431794BE1E267845AE1E29723BDB5866B02AAEFF589EB2F6232E1A033BFEF7C711E9812939E2C931893B9D5BED862E6F6BD6101262572854A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54% Antivirus: Virustotal, Detection: 47%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h-)..Cz..Cz..Cz.[.z..Cz.[.z..Cz.[.z..Cz..8z..Cz..Bz..Cz.[.z..Cz.[.z..Cz.[.z..CzRich..Cz................PE..d...#..f.........." .......... .....4.........................................!......{!...@.....................................................(.... ... ..........f!..)....!.....P................................................................................text............................... ..`.rdata..c2.......4..................@..@.data...."..........................@....pdata..............................@..@.rsrc..... .. .... .................@..@.reloc........!......b!.............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\ntjfj\arphaCrashReport64.exe

Download File

Process:	C:\Users\user\Desktop\fanyiyouda.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	238384
Entropy (8bit):	6.278635939854228
Encrypted:	false
SSDEEP:
MD5:	8B5D51DF7BBD67AEB51E9B9DEE6BC84A
SHA1:	DD63C3D4ACF0CE27F71CCE44B8950180E48E36FA
SHA-256:	E743E8FAC075A379161E1736388451E0AF0FDE7DA595EA9D15EEB5140E3E8271
SHA-512:	1B4350D51C2107D0AA22EB01D64E1F1AB73C28114045C388BAF9547CC39A902C8A274A24479C7C2599F94C96F8772E438F21A2849316B5BD7F5D47C26A1E483B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:...;...:...;)..:...;...:...;...:...;...:...;...:...;...:3..;...:...:...:3..;...:3.4:...:..\:...:3..;...:Rich...:........................PE..d......`.........."..........t......$..........@....................................j.....`..........................................................p...-...P.......h..0;......l...P...8.......................(.................... ..@............................text............................... ..`.rdata..F.... ......................@..@.data...L&... ......................@....pdata.......P......................@..@.rsrc....-...p.......2..............@..@.reloc..l............`..............@..B........................................................................................................................................................................................................................

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.994408667810287
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip
File size:	27'421'841 bytes
MD5:	7fdeec36b7c05e17b52244fb7b470d7c
SHA1:	eda7f3bb4d7eeb497234c8cb4d3fb70b2cfc24d7
SHA256:	874947f06e359ea7c68780750b03eb1ade4d558e5a3d7526878b94eb99688b5a
SHA512:	7aeb30c7a8ffe6972fbb3f4076f83b6091ab04b0db5d70fb1ebd6384e6179454335669d1bbed14cef9bdde884f60963014ebe7b06e96eeac89342624ca16fec8
SSDEEP:	393216:0Q7INdUEkQz7xtJVhu34fCSy9SGApUQY4JqGvKVtEoCSiuW5MMOit4wFIuLN0G:0OmPbvfCRSGAp4SIEVuSMMf4kSG
TLSH:	325733CCF1165C88EAD60C98CDEB377CE1BE9A206683A963525BCF1D02F3587555CAC8
File Content Preview:	PK...........X._.(....S.......manifest.json..Ok.0...J.i.2.?s.^.=...Rd[i.i...hV..g.....I?.=.t'8..c"..p'.?'L#.=.]Fd.i.}....j.{L..M...ia...&.oxC..H[.O....../...>u.%.]:.fJ2.2.h...{].}>.S..c......B3mj.(J.6...#P.B..j...u-jYS...`..V*n.6.q.~.c.K......h...d.0.c...

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\ProgramData\navmd\arphaDump64.dll

C:\ProgramData\ntjfj\arphaCrashReport64.exe

Static File Info

General

File Icon

Windows Analysis Report
file_6c73ff4553d147e39fc35434c1e9e972_2024-07-30_02_54_11_351000.zip