Edit tour

Windows Analysis Report
BjLxqVU7m4.dll

Overview

General Information

Sample name:	BjLxqVU7m4.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84.exe
Analysis ID:	1563002
MD5:	bd804dfa6fafa1917f83060a30f7f1d0
SHA1:	68cc23c6877806705588ceb6fec57d913a543c1d
SHA256:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84
Tags:	148-135-121-165exeuser-JAMESWT_MHT
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Writes to foreign memory regions

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6520 cmdline: loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6620 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 1096 cmdline: rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

sdiagnhost.exe (PID: 4416 cmdline: c:\windows\System32\sdiagnhost.exe MD5: 3A161A0124CE64840140D6A9943A5DD3)

conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sdiagnhost.exe (PID: 1476 cmdline: c:\windows\System32\sdiagnhost.exe MD5: 3A161A0124CE64840140D6A9943A5DD3)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2097265530.0000023F26458000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x9979:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xcf0f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2097166418.000000F46C712000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6fe9:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xa57f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.2144696138.000000219F0F2000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6e29:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5b19:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x90af:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5b19:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x90af:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000003.2144509875.0000015D67C38000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5019:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x85af:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BjLxqVU7m4.dll

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: BjLxqVU7m4.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb&& source: sdiagnhost.exe, 00000003.00000002.3337833644.00000212452D0000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337939260.0000021245313000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337924845.000001E9B9ED3000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337450217.000001E9B9D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb source: sdiagnhost.exe, 00000003.00000002.3337833644.00000212452D0000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337939260.0000021245313000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337924845.000001E9B9ED3000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337450217.000001E9B9D90000.00000004.00001000.00020000.00000000.sdmp

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165

Source: global traffic	HTTP traffic detected: GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1Connection: Keep-AliveContent-Type: text/plainUser-Agent: HCMUS-CTF BotnetHost: 148.135.121.165
Source: global traffic	HTTP traffic detected: GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1Connection: Keep-AliveContent-Type: text/plainUser-Agent: HCMUS-CTF BotnetHost: 148.135.121.165

Source: sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/
Source: sdiagnhost.exe, 00000003.00000003.2721646362.0000021245104000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337520750.0000021245105000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2121243744.00000212450FF000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721388889.000001E9B9E15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3
Source: sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3m
Source: sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/h
Source: sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2097265530.0000023F26458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2097166418.000000F46C712000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2144696138.000000219F0F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000003.2144509875.0000015D67C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_00000212450675CD NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,		3_2_00000212450675CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C375CD NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,		6_2_000001E9B9C375CD

Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_0000021245066DC5	3_2_0000021245066DC5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_00000212450675CD	3_2_00000212450675CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000002124506806D	3_2_000002124506806D
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_0000021245067195	3_2_0000021245067195
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000002124506A8C5	3_2_000002124506A8C5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_0000021245065ED1	3_2_0000021245065ED1
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_00000212453111C0	3_2_00000212453111C0
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C36DC5	6_2_000001E9B9C36DC5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C375CD	6_2_000001E9B9C375CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C37195	6_2_000001E9B9C37195
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C3A8C5	6_2_000001E9B9C3A8C5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C3806D	6_2_000001E9B9C3806D
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9C35ED1	6_2_000001E9B9C35ED1
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 6_2_000001E9B9ED11C0	6_2_000001E9B9ED11C0

Source: 00000000.00000002.2097265530.0000023F26458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2097166418.000000F46C712000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2144696138.000000219F0F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000003.2144509875.0000015D67C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal72.evad.winDLL@12/0@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03

Source: BjLxqVU7m4.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1

Source: BjLxqVU7m4.dll

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Source: C:\Windows\System32\sdiagnhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe
Source: C:\Windows\System32\sdiagnhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BjLxqVU7m4.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BjLxqVU7m4.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: BjLxqVU7m4.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb&& source: sdiagnhost.exe, 00000003.00000002.3337833644.00000212452D0000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337939260.0000021245313000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337924845.000001E9B9ED3000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337450217.000001E9B9D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb source: sdiagnhost.exe, 00000003.00000002.3337833644.00000212452D0000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337939260.0000021245313000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337924845.000001E9B9ED3000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337450217.000001E9B9D90000.00000004.00001000.00020000.00000000.sdmp

Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 1276	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 3180	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 5520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 5692	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\sdiagnhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: sdiagnhost.exe, 00000006.00000002.3337745462.000001E9B9E1F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2121162740.000001E9B9E1C000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721916034.000001E9B9E1C000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721388889.000001E9B9E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: sdiagnhost.exe, 00000003.00000003.2721386114.0000021245112000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2721646362.0000021245104000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337520750.0000021245105000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2721894603.0000021245113000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2121421493.0000021245112000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2121243744.00000212450FF000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.2721702995.0000021245113000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2121162740.000001E9B9E1C000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721916034.000001E9B9E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sdiagnhost.exe, 00000006.00000003.2722045406.000001E9B9DE1000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\System32\loaddll64.exe	Memory allocated: C:\Windows\System32\sdiagnhost.exe base: 21245060000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\System32\sdiagnhost.exe base: 1E9B9C30000 protect: page execute and read and write			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\loaddll64.exe	Thread created: C:\Windows\System32\sdiagnhost.exe EIP: 45060000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\System32\sdiagnhost.exe EIP: B9C30000			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\loaddll64.exe	Memory written: C:\Windows\System32\sdiagnhost.exe base: 21245060000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\System32\sdiagnhost.exe base: 1E9B9C30000			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior

Source: C:\Windows\System32\sdiagnhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Rundll32	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BjLxqVU7m4.dll	50%	ReversingLabs	Win64.Exploit.DonutMarte

URLs

Source	Detection	Scanner	Label
https://148.135.121.165/	0%	Avira URL Cloud	safe
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3	0%	Avira URL Cloud	safe
https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac	0%	Avira URL Cloud	safe
https://148.135.121.165/h	0%	Avira URL Cloud	safe
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://148.135.121.165/	sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac	sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165/h	sdiagnhost.exe, 00000003.00000002.3337384034.0000021245097000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3m	sdiagnhost.exe, 00000006.00000002.3337478663.000001E9B9DD2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000006.00000003.2721704145.000001E9B9DD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.135.121.165	unknown	Sweden		158	ERI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563002
Start date and time:	2024-11-26 11:37:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BjLxqVU7m4.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84.exe
Detection:	MAL
Classification:	mal72.evad.winDLL@12/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 4

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: BjLxqVU7m4.dll

Simulations

Behavior and APIs

Time	Type	Description
05:38:04	API Interceptor	1x Sleep call for process: loaddll64.exe modified
05:38:07	API Interceptor	2x Sleep call for process: sdiagnhost.exe modified

WriteProcessMemory, CloseHandle, VirtualAllocEx, CreateRemoteThread, CreateProcessA, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 11:38:06.598839998 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.598861933 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:06.598925114 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.601047993 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.601059914 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:06.608355999 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.608431101 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:06.608498096 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.617628098 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:06.617647886 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.003618002 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.003710032 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.026752949 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.026870966 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.064169884 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.064204931 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.064579964 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.071988106 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.072009087 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.072390079 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.112560034 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.115861893 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.455761909 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.457381964 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.499339104 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.503338099 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.836764097 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.836853981 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.836914062 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.838018894 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.838042021 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.838052988 CET	49705	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.838058949 CET	443	49705	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.847007990 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.847079992 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.847134113 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.847596884 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.847614050 CET	443	49704	148.135.121.165	192.168.2.5
Nov 26, 2024 11:38:08.847630024 CET	49704	443	192.168.2.5	148.135.121.165
Nov 26, 2024 11:38:08.847636938 CET	443	49704	148.135.121.165	192.168.2.5

HTTP Request Dependency Graph

148.135.121.165

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	148.135.121.165	443	1476	C:\Windows\System32\sdiagnhost.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 10:38:08 UTC	194	OUT	GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1 Connection: Keep-Alive Content-Type: text/plain User-Agent: HCMUS-CTF Botnet Host: 148.135.121.165
2024-11-26 10:38:08 UTC	192	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 26 Nov 2024 10:38:08 GMT Content-Type: application/octet-stream Content-Length: 93 Connection: close Content-Type: text/plain
2024-11-26 10:38:08 UTC	93	IN	Data Raw: 54 68 69 73 20 69 73 20 61 20 66 61 6b 65 20 43 32 20 73 65 72 76 65 72 20 74 68 61 74 20 67 69 76 65 73 20 79 6f 75 20 74 68 65 20 66 6c 61 67 2e 20 48 65 72 65 20 79 6f 75 20 67 6f 3a 20 48 43 4d 55 53 2d 43 54 46 7b 63 34 74 63 48 2d 6d 33 2d 31 66 2d 7c 5f 7c 2d 63 34 4e 7d Data Ascii: This is a fake C2 server that gives you the flag. Here you go: HCMUS-CTF{c4tcH-m3-1f-\|_\|-c4N}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	148.135.121.165	443	4416	C:\Windows\System32\sdiagnhost.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 10:38:08 UTC	194	OUT	GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1 Connection: Keep-Alive Content-Type: text/plain User-Agent: HCMUS-CTF Botnet Host: 148.135.121.165
2024-11-26 10:38:08 UTC	192	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 26 Nov 2024 10:38:08 GMT Content-Type: application/octet-stream Content-Length: 93 Connection: close Content-Type: text/plain
2024-11-26 10:38:08 UTC	93	IN	Data Raw: 54 68 69 73 20 69 73 20 61 20 66 61 6b 65 20 43 32 20 73 65 72 76 65 72 20 74 68 61 74 20 67 69 76 65 73 20 79 6f 75 20 74 68 65 20 66 6c 61 67 2e 20 48 65 72 65 20 79 6f 75 20 67 6f 3a 20 48 43 4d 55 53 2d 43 54 46 7b 63 34 74 63 48 2d 6d 33 2d 31 66 2d 7c 5f 7c 2d 63 34 4e 7d Data Ascii: This is a fake C2 server that gives you the flag. Here you go: HCMUS-CTF{c4tcH-m3-1f-\|_\|-c4N}

Target ID:	0
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll"
Imagebase:	0x7ff76e920000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2097265530.0000023F26458000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2097166418.000000F46C712000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Imagebase:	0x7ff7ee540000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\sdiagnhost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\System32\sdiagnhost.exe
Imagebase:	0x7ff69f440000
File size:	40'448 bytes
MD5 hash:	3A161A0124CE64840140D6A9943A5DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Imagebase:	0x7ff6466b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2144696138.000000219F0F2000.00000004.00000010.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000003.2144509875.0000015D67C38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\sdiagnhost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\System32\sdiagnhost.exe
Imagebase:	0x7ff69f440000
File size:	40'448 bytes
MD5 hash:	3A161A0124CE64840140D6A9943A5DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:38:04
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	7.1%
Signature Coverage:	41.4%
Total number of Nodes:	99
Total number of Limit Nodes:	6

Executed Functions

Function 00000212450675CD Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1066memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00000212450676DE
NtMapViewOfSection.NTDLL ref: 00000212450677C9
VirtualAlloc.KERNELBASE ref: 0000021245067BCA
NtUnmapViewOfSection.NTDLL ref: 0000021245067C61
NtMapViewOfSection.NTDLL ref: 0000021245067CC3
VirtualProtect.KERNELBASE ref: 0000021245067CEA

Part of subcall function 00000212450685C5: LoadLibraryA.KERNELBASE ref: 0000021245068693

VirtualProtect.KERNELBASE ref: 0000021245067DC2
VirtualProtect.KERNELBASE ref: 0000021245067E02

Strings

@, xrefs: 00000212450676CC

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: SectionVirtual$ProtectView$AllocCreateLibraryLoadUnmap
String ID: @
API String ID: 491204081-2766056989
Opcode ID: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction ID: 6aae8a35e39c4cbfad17aa8f5428cc249b37c88cb2b80c5170a380e2ceef6772
Opcode Fuzzy Hash: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction Fuzzy Hash: A172E634614B59CFEB69DF28C8897E973E5FBAC700F10552DE88AC7281DB30E9568B41

Function 0000021245066DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000021245066E38

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction ID: a37c63b2e16395b922879ba7c4b2f58f27017266ed38773210545a99d142a011
Opcode Fuzzy Hash: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction Fuzzy Hash: 0DC19A34314D19CBEB68DF28C4997E9B3D5FFAC700F145129E48AC7186DB24E96AC781

Function 00000212453111C0 Relevance: .3, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3337913570.0000021245311000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000021245311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245311000_sdiagnhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94a9a69f4a1ab2ff4704a3eed6c67e80d4683e942e9756375f98649269b46e2
Instruction ID: c0ee8bb3560add537958022b5998126f99f73a65023186e7f6d2feb41d1cb63e
Opcode Fuzzy Hash: a94a9a69f4a1ab2ff4704a3eed6c67e80d4683e942e9756375f98649269b46e2
Instruction Fuzzy Hash: 4671957061CB488FEB59EF6898493A977D5FBA9300F00465EE48BC3296DF74D8068786

Function 0000021245065D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000212450685C5: LoadLibraryA.KERNELBASE ref: 0000021245068693

VirtualProtect.KERNELBASE ref: 0000021245065D91
VirtualProtect.KERNELBASE ref: 0000021245065DBA
VirtualProtect.KERNELBASE ref: 0000021245065DFF
VirtualProtect.KERNELBASE ref: 0000021245065E23

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction ID: 6f4b5c65f1948a6dfb0839e690bb3b27988beadabc23dac9b40f9615d4c143d9
Opcode Fuzzy Hash: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction Fuzzy Hash: 2C31AA35718A184FDB68EE1898497AA73DDEBE8710F00156DBC8FC32C9DD64DD1A46C1

Function 0000021245065D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000021245065D91
VirtualProtect.KERNELBASE ref: 0000021245065DBA
VirtualProtect.KERNELBASE ref: 0000021245065DFF
VirtualProtect.KERNELBASE ref: 0000021245065E23

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction ID: 56d25c7cc0ebd556e29348614b7c6a5fa70dc7141c9c344f0400972d0dbeb6f8
Opcode Fuzzy Hash: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction Fuzzy Hash: CD21A83570CA188BDB68AE5CA85939973D9EBE8710F10156DFC8FC32CADD24DD1646C1

Function 0000021245311440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00000212453115F1

Strings

HCMU, xrefs: 000002124531148C

Memory Dump Source

Source File: 00000003.00000002.3337913570.0000021245311000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000021245311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245311000_sdiagnhost.jbxd

Similarity

API ID: Sleep
String ID: HCMU
API String ID: 3472027048-1408108644
Opcode ID: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction ID: 2b76b6ce4cf7e78dea2e42313e9fbd346ddd03a0902557706ebbab876e61f8fe
Opcode Fuzzy Hash: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction Fuzzy Hash: 31611730928E088BEF19AF38988D3E9B6D5FBA9310F504659F49AC31D7DA34DC958781

Function 00000212450685C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000021245068693

Strings

l, xrefs: 000002124506862D

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction ID: 74eb64707c49f546bcf3fcb4a9b20fca511d7a71c24b1cbd886c64964cbd16a9
Opcode Fuzzy Hash: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction Fuzzy Hash: DC31C634518B958FE765DB2CC048B65BBD9FFAD308F2466BCE1DAC7192D720D80A8701

Function 0000021245065E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000212450685C5: LoadLibraryA.KERNELBASE ref: 0000021245068693

VirtualProtect.KERNELBASE ref: 0000021245065E8F
VirtualProtect.KERNELBASE ref: 0000021245065EB7

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction ID: 698c1d0b644be22b73c8047306e314b10703b51faf3b8ac098f6cbd46f7ee5a8
Opcode Fuzzy Hash: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction Fuzzy Hash: 6511A534318B188BDBA8EF1898896AA73D9FBEC700F401569BC8AC7249DE20DD458781

Non-executed Functions

Function 000002124506A8C5 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction ID: bebec9b8619046d81a28f91d9835a96c2c97c895207d1f961fa11bebaa181783
Opcode Fuzzy Hash: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction Fuzzy Hash: 0652BF75504311EFEB60DF14C848BABBBE9EF98B10F04592DF9859B282D730E868CB51

Function 0000021245065ED1 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4d866763d3bed20dc280203f6102a30c73feaa7c60b621d7a564ee5d7695d8
Instruction ID: 9d81db0a46d98090d0d819943d74d468d5ec3778eacc55dfa4420462f718bc72
Opcode Fuzzy Hash: 1d4d866763d3bed20dc280203f6102a30c73feaa7c60b621d7a564ee5d7695d8
Instruction Fuzzy Hash: 75E17534718A598BEB68DF6898997EEB7E5FF58701F00522DE88AC3240DF30E955C781

Function 0000021245067195 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction ID: 787ed051c806f1397fde7409f43cb47622a372eafedad5803aae98eaf9c98e31
Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction Fuzzy Hash: AFE17F31518B188FDB59EF28C889AEA77E5FF98300F10466DE88AC7155DF30E945CB82

Function 000002124506806D Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3337328614.0000021245060000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021245060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_21245060000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55def3579c95d66bb74bd3e75744c244041454eda364e5e205e1004b0ebe1f4c
Instruction ID: db00363d20c07d3dca5a1bac3bfb7582f20fe34386264a2e0a8fb61c339333f5
Opcode Fuzzy Hash: 55def3579c95d66bb74bd3e75744c244041454eda364e5e205e1004b0ebe1f4c
Instruction Fuzzy Hash: DCA12F31508A1C8FDB65EF28C889BDA77E9FF68315F10466EE44AC7161EB30D654CB81

Analysis Process: sdiagnhost.exePID: 4416, Parent PID: 1096COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	7.1%
Signature Coverage:	0%
Total number of Nodes:	99
Total number of Limit Nodes:	6

Executed Functions

Function 000001E9B9C375CD Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1066memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 000001E9B9C376DE
NtMapViewOfSection.NTDLL ref: 000001E9B9C377C9
VirtualAlloc.KERNELBASE ref: 000001E9B9C37BCA
NtUnmapViewOfSection.NTDLL ref: 000001E9B9C37C61
NtMapViewOfSection.NTDLL ref: 000001E9B9C37CC3
VirtualProtect.KERNELBASE ref: 000001E9B9C37CEA

Part of subcall function 000001E9B9C385C5: LoadLibraryA.KERNELBASE ref: 000001E9B9C38693

VirtualProtect.KERNELBASE ref: 000001E9B9C37DC2
VirtualProtect.KERNELBASE ref: 000001E9B9C37E02

Strings

@, xrefs: 000001E9B9C376CC

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: SectionVirtual$ProtectView$AllocCreateLibraryLoadUnmap
String ID: @
API String ID: 491204081-2766056989
Opcode ID: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction ID: 09c33c393e9412e1fee5b9317c5624999a92e642fc97bafaaf604b9ad95b972e
Opcode Fuzzy Hash: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction Fuzzy Hash: BD72C830628B498FEB69DF28D886BED73E1FB98314F24452DD84EC7291DB34E9428741

Function 000001E9B9C36DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001E9B9C36E38

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction ID: 4c306becc3c5737bf2b657d11b728479e0e78655af91ef4d4e56bf654745864b
Opcode Fuzzy Hash: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction Fuzzy Hash: C9C1AA31328D495BEB59EB28E597BEDB3E1FB98300F284129DC4EC7295DB34E8058781

Function 000001E9B9C35D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001E9B9C385C5: LoadLibraryA.KERNELBASE ref: 000001E9B9C38693

VirtualProtect.KERNELBASE ref: 000001E9B9C35D91
VirtualProtect.KERNELBASE ref: 000001E9B9C35DBA
VirtualProtect.KERNELBASE ref: 000001E9B9C35DFF
VirtualProtect.KERNELBASE ref: 000001E9B9C35E23

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction ID: dcad4d86adef3cb6e0da3d8f6f03eed98cecbeb4158516b069fcfad036b93776
Opcode Fuzzy Hash: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction Fuzzy Hash: 6E31563172CA484BE758BA58E8567AE73D5E7C4360F14066DAC4FC32CAED74DD0686C1

Function 000001E9B9C35D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001E9B9C35D91
VirtualProtect.KERNELBASE ref: 000001E9B9C35DBA
VirtualProtect.KERNELBASE ref: 000001E9B9C35DFF
VirtualProtect.KERNELBASE ref: 000001E9B9C35E23

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction ID: b3126b570ec8c66641ebafb0f4f434fcaa322badc393c7497f5e2804c34a10c8
Opcode Fuzzy Hash: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction Fuzzy Hash: 87218E3132CA484BDB68BA5CF8567AD73D5E7C8760F14056AAC4FC32CADD78DD024686

Function 000001E9B9ED1440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 000001E9B9ED15F1

Strings

HCMU, xrefs: 000001E9B9ED148C

Memory Dump Source

Source File: 00000006.00000002.3337891605.000001E9B9ED1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001E9B9ED1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9ed1000_sdiagnhost.jbxd

Similarity

API ID: Sleep
String ID: HCMU
API String ID: 3472027048-1408108644
Opcode ID: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction ID: 8c9d11e8edc3756c7690da59404f78659e263a072b78f00828c2119f531e63b1
Opcode Fuzzy Hash: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction Fuzzy Hash: A161F830938E884FEB18AF68E489BED72D1FF59310F58C659F85AC71D6DA34D8808781

Function 000001E9B9C385C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001E9B9C38693

Strings

l, xrefs: 000001E9B9C3862D

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction ID: 223ef76ac060a26e3ba8f8e1db34c5f994a307922788fed3619cdf1c27b01bd6
Opcode Fuzzy Hash: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction Fuzzy Hash: 5331B43052CAC54FE755DB2CD044BA9BBE5FBA9308F2856ACC4DEC7192D734D8068B05

Function 000001E9B9C35E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001E9B9C385C5: LoadLibraryA.KERNELBASE ref: 000001E9B9C38693

VirtualProtect.KERNELBASE ref: 000001E9B9C35E8F
VirtualProtect.KERNELBASE ref: 000001E9B9C35EB7

Memory Dump Source

Source File: 00000006.00000002.3337339703.000001E9B9C30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E9B9C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1e9b9c30000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction ID: 2ef2756e997e6ee2b543e8b838ec741f59f4cb56e4a2cd8f9f2bbd08fa092e0c
Opcode Fuzzy Hash: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction Fuzzy Hash: 6611A53072CA484BDB94EB18E886AAE73E5FBD8341F04056AAC4EC7289DE34DD418781

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
148.135.121.165	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse
148.135.121.165	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ERI-ASUS	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	150.132.118.42
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	147.214.206.40
	apep.x86.elf	Get hash	malicious	Mirai	Browse	131.168.79.136
	zgp.elf	Get hash	malicious	Mirai	Browse	148.135.186.71
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	169.144.189.36
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	129.200.252.43
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	169.144.206.208
	yakuza.i586.elf	Get hash	malicious	Mirai	Browse	161.37.102.84

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	file.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.397375470102125
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	BjLxqVU7m4.dll
File size:	494'592 bytes
MD5:	bd804dfa6fafa1917f83060a30f7f1d0
SHA1:	68cc23c6877806705588ceb6fec57d913a543c1d
SHA256:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84
SHA512:	707556ba18b3489bf808cb1d019cd28d4c7bbce782507e402c225aaae19a84e2b440e037faa1f971138c4cf21687f3bedabc3841fc743e58a46df2e914e0af54
SSDEEP:	12288:m40yN1KHlD9FmE02qUlLno8shIvaLzSAOXR4DbT8miyK/AIT/D:m40ynslDGLtUlLno8gIyLzSAOXufT8mc
TLSH:	15B4AE8C63AD4A7CE525CA341C47A784B2F3BC4C9650EF7A1A947CA23D1F581F87A9D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.6i".X:".X:".X:i.[;'.X:i.];..X:i.\;(.X:2;[;+.X:2;\;,.X:2;];..X:i.Y;!.X:".Y:..X:i:Q;#.X:i:.:#.X:i:Z;#.X:Rich".X:........PE..d..

Entrypoint:	0x18005fe00
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67322CD2 [Mon Nov 11 16:12:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7ff3d1e87d95163015bce24ecab3c29c

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77384	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7a000	0x108c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x67c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x75a30	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x758f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e000	0x268	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c391	0x6c400	bb677fae1f916ec8f6b527bf7b97ac2c	False	0.4373894883083141	data	5.363101479126426	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6e000	0x9ba6	0x9c00	52db703257b5aaa2998a36764458115c	False	0.42225060096153844	zlib compressed data	4.783106084134961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x78000	0x1d7c	0xc00	5f6274e895e20194e4daeab242f66ba8	False	0.15071614583333334	DOS executable (block device driver)	2.2457774802989823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7a000	0x108c	0x1200	549c54645e00ef4e6ad04d654e5f2bb1	False	0.4453125	data	5.060326050579461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0xf8	0x200	0deaaac3f0dc5653aa759e15c976e2c4	False	0.3359375	data	2.5312981004807127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x67c	0x800	fae7c8c79b00d77c9832e40025ac35ed	False	0.4990234375	data	4.935308952064295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BjLxqVU7m4.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 6520, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6204, Parent PID: 6520

Windows Analysis Report
BjLxqVU7m4.dll

Function 0000021245066DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Function 00000212453111C0 Relevance: .3, Instructions: 265
COMMON

Function 0000021245065D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Function 0000021245065D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Function 0000021245311440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Function 00000212450685C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Function 0000021245065E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Function 000001E9B9C36DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Function 000001E9B9C35D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Function 000001E9B9C35D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Function 000001E9B9ED1440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Function 000001E9B9C385C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Function 000001E9B9C35E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON