Edit tour

Windows Analysis Report
yoyf.exe

Overview

General Information

Sample name:	yoyf.exe
Analysis ID:	1577489
MD5:	e3dcc770ca9c865a719c2b1f1c5b174e
SHA1:	3690617064fbcccba9eacc76be2e00cd34bac830
SHA256:	7a41fa61102269baa65f7f762cf868c3c6a506fb58b590b6ae1352b864f2831e
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

yoyf.exe (PID: 3268 cmdline: "C:\Users\user\Desktop\yoyf.exe" MD5: E3DCC770CA9C865A719C2B1F1C5B174E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yoyf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: yoyf.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.2% probability

Source: unknown

HTTPS traffic detected: 91.134.10.127:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: yoyf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\yoyf.exe

Code function: 4x nop then mov ecx, dword ptr [ebp-5Ch]

0_2_00F0A58D

Source: global traffic

HTTP traffic detected: GET /ByQRHy3/126-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ByQRHy3/126-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: i.ibb.co

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 18 Dec 2024 13:20:34 GMTContent-Type: image/pngContent-Length: 1031Connection: close

Source: yoyf.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: yoyf.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: yoyf.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.cod
Source: yoyf.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: yoyf.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: yoyf.exe	String found in binary or memory: http://ocsp.sectigo.com0;
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: yoyf.exe	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webp
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webpT
Source: yoyf.exe, 00000000.00000002.3192146181.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/ByQRHy3/126-Final.webpt
Source: yoyf.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 91.134.10.127:443 -> 192.168.2.6:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F058F0	0_2_00F058F0
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F09AB8	0_2_00F09AB8
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F02B63	0_2_00F02B63
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F00C50	0_2_00F00C50
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F04C40	0_2_00F04C40
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F0543C	0_2_00F0543C
Source: C:\Users\user\Desktop\yoyf.exe	Code function: 0_2_00F00C28	0_2_00F00C28

Source: yoyf.exe, 00000000.00000000.2187197989.0000000000560000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTestConnection.exeB vs yoyf.exe
Source: yoyf.exe, 00000000.00000002.3191794792.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yoyf.exe
Source: yoyf.exe	Binary or memory string: OriginalFilenameTestConnection.exeB vs yoyf.exe

Source: classification engine

Classification label: mal64.evad.winEXE@1/1@1/1

Source: C:\Users\user\Desktop\yoyf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Mutant created: NULL

Source: yoyf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yoyf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\yoyf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yoyf.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: yoyf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yoyf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(_0024VB_0024Me.zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{_0024VB_0024Me.Km40W();}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{object logTextBox = LogTextBox;NewLateBinding.LateSet(logTextBox, (Type)null, "Text", new object[1] { Operators.AddObject(NewLateBinding.LateGet(logTextBox, (Type)null, "Text", new object[0], (string[])null, (Type[])null, (bool[])null), (object)(g6Q3C + Environment.NewLine)) }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSet(LogTextBox, (Type)null, "Text", new object[1] { "" }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSet(LabelStatus, (Type)null, "Text", new object[1] { j4HAa }, (string[])null, (Type[])null);NewLateBinding.LateSet(LabelStatus, (Type)null, "BackColor", new object[1] { z6APa }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, Pf6j2.cs	.Net Code: NewLateBinding.LateCall(zmort, (Type)null, "BeginInvoke", new object[1] { (q1JZy)([SpecialName] () =>{NewLateBinding.LateSetComplex(StartValueTextbox, (Type)null, "Text", new object[1] { e7R9E }, (string[])null, (Type[])null, false, true);NewLateBinding.LateSetComplex(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "CurrentDNI", new object[1] { e7R9E }, (string[])null, (Type[])null, false, true);NewLateBinding.LateSetComplex(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "LastDNI", new object[1] { NewLateBinding.LateGet(EndValueTextbox, (Type)null, "Text", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null, false, true);NewLateBinding.LateCall(NewLateBinding.LateGet(zmort, (Type)null, "Settings", new object[0], (string[])null, (Type[])null, (bool[])null), (Type)null, "Save", new object[0], (string[])null, (Type[])null, (bool[])null, true);}) }, (string[])null, (Type[])null, (bool[])null, true)
Source: yoyf.exe, s0J7Z.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", obj2, (string[])null, (Type[])null, obj3, true)
Source: yoyf.exe, s0J7Z.cs	.Net Code: NewLateBinding.LateCall(typeFromHandle, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\yoyf.exe

Code function: 0_2_00F05990 pushfd ; iretd

0_2_00F05991

Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe TID: 6812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 6812	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 6688	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 6960	Thread sleep count: 182 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 5636	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe TID: 992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: yoyf.exe, 00000000.00000002.3191794792.0000000000F71000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[

Source: C:\Users\user\Desktop\yoyf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe	Queries volume information: C:\Users\user\Desktop\yoyf.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yoyf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\yoyf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yoyf.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Privateloader
yoyf.exe	100%	Avira	HEUR/AGEN.1362869

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0;	0%	Avira URL Cloud	safe
http://i.ibb.cod	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
i.ibb.co	91.134.10.127	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://i.ibb.co/ByQRHy3/126-Final.webp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	yoyf.exe	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	yoyf.exe	false		high
https://sectigo.com/CPS0	yoyf.exe	false		high
https://i.ibb.co	yoyf.exe, 00000000.00000002.3192146181.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	yoyf.exe	false		high
http://i.ibb.co	yoyf.exe, 00000000.00000002.3192146181.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	yoyf.exe	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	yoyf.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	yoyf.exe	false		high
http://ocsp.sectigo.com0;	yoyf.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	yoyf.exe	false		high
https://i.ibb.co/ByQRHy3/126-Final.webpT	yoyf.exe, 00000000.00000002.3192146181.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.ibb.co/ByQRHy3/126-Final.webpt	yoyf.exe, 00000000.00000002.3192146181.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i.ibb.cod	yoyf.exe, 00000000.00000002.3192146181.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	yoyf.exe, 00000000.00000002.3192146181.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.134.10.127	i.ibb.co	France		16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577489
Start date and time:	2024-12-18 14:19:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yoyf.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@1/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yoyf.exe, PID 3268 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: yoyf.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.134.10.127	Filezilla.exe	Get hash	malicious	Unknown	Browse
91.134.10.127	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	FINAL_PDF.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	Filezilla.exe	Get hash	malicious	Unknown	Browse	91.134.10.127
	cv.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	Filezilla-stage2.exe	Get hash	malicious	Unknown	Browse	91.134.10.168
	https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au	Get hash	malicious	HTMLPhisher	Browse	91.134.82.79
	https://dsiete.co/share.html	Get hash	malicious	HTMLPhisher	Browse	91.134.9.160
	msedge.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	91.134.9.160
	https://citiscapegroupae-my.sharepoint.com/:li:/g/personal/asekhar_citiscapegroup_com/E9U24ACMrctKoLKfReMWVjMBfxodtw3c4oUIHo4oyReVhg?e=SgIv5D&xsdata=MDV8MDJ8ZGVyZWsuZGVscG9ydEBvbnRoZWRvdC5jby56YXw5ZWEzNzFkNDdmNTM0YzE2Yjg5YTA4ZGQwZTAwZjY1OXwxMGRjN2M5NjU5NzY0NjAxODgyYzlhYzdjMjg3MGVjY3wxfDB8NjM4NjgyMTE5NTE1MDk3NDExfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=S3JqYzUxeUd4SmtWMEVWUzBMU3JUREpWTEJiN3VmeFVrY09ucElOZDRzaz0%3d	Get hash	malicious	HTMLPhisher	Browse	91.134.10.127
	Fatura931Pendente956.pdf761.msi	Get hash	malicious	Unknown	Browse	91.134.82.79

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	51.89.44.68
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse	54.37.137.114
	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse	167.114.27.228
	KE2yNJdV55.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	139.99.188.124
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	uzI7DAON53.exe	Get hash	malicious	PureCrypter	Browse	139.99.188.124
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	139.99.188.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	91.134.10.127
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	91.134.10.127
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	91.134.10.127
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	91.134.10.127
	cali.exe	Get hash	malicious	AgentTesla	Browse	91.134.10.127
	VJQyKuHEUe.exe	Get hash	malicious	Unknown	Browse	91.134.10.127
	sxVHUOSqVC.exe	Get hash	malicious	Unknown	Browse	91.134.10.127
	R0SkdJNujW.exe	Get hash	malicious	Unknown	Browse	91.134.10.127
	nrGkqbCyKP.exe	Get hash	malicious	Unknown	Browse	91.134.10.127

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Download File

Process:	C:\Users\user\Desktop\yoyf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	5.361594852750487
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:Mgv2HKlYHKh3owH8tHo6hAHKzeR
MD5:	D4BA6A88633E490E0B152485B7AF206C
SHA1:	87F1032510FA233CC2FA9B62745FADE94E8461CF
SHA-256:	7987C47DC9A18C34D39E334C97CBCEC0AA791A253A7B345AAB0FB61EDFF75F10
SHA-512:	F830889AD7DEAA84B7903F210891342B3879CB9A85392FA336DE69C7A21E02804276A60CDDF656B34B71876748215E13FEE4DE25FE95A97612833A76BD91CD00
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=n

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.080405319068242
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yoyf.exe
File size:	928'104 bytes
MD5:	e3dcc770ca9c865a719c2b1f1c5b174e
SHA1:	3690617064fbcccba9eacc76be2e00cd34bac830
SHA256:	7a41fa61102269baa65f7f762cf868c3c6a506fb58b590b6ae1352b864f2831e
SHA512:	c569ebd0b2286307ba5fd18deee905b550a4a84c19a54d0c4eb1a0f006acf7814cda0f44d8fb79c72e059e997fc49c2114cdfb698734b7570b967a5c8004b1b6
SSDEEP:	12288:bvsKwGRdLBBNNBqiLckdXZj8YNQDcodji13ywe4GOMvS5JfAu8G:bvs78RRNBqin7oYNCcoe3h9MeJ78G
TLSH:	B7154AC2134CFA81F73F5BB19154F8E583ABE9E688A1D64945C4A2DA37737807DE1883
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P..].........."...P......*........... ........@.. .......................`.......w....`................................

File Icon


Icon Hash:	2d16c7896d6d3dbd

Static PE Info

General

Entrypoint:	0x4cf38e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D1CD450 [Wed Jul 3 16:14:08 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcf338	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x12648	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe0200	0x2968
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcd394	0xcd400	2e5338a06f55319fbb8c2ba8ab843484	False	0.5655117615712546	data	6.047523824732202	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x12648	0x12800	c7c676a1ddf20daf6eeacdad67552d29	False	0.5803816511824325	data	5.834962376629586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe4000	0xc	0x200	8945ffd1ca4e36c43c96a8c4b5ec00ab	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd0514	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536, 16 important colors	0.25670731707317074
RT_ICON	0xd0b7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	0.353494623655914
RT_ICON	0xd0e64	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384, 16 important colors	0.4036885245901639
RT_ICON	0xd104c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	0.4831081081081081
RT_ICON	0xd1174	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 205 important colors	0.39072494669509594
RT_ICON	0xd201c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 136 important colors	0.40974729241877256
RT_ICON	0xd28c4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672, 100 important colors	0.3773041474654378
RT_ICON	0xd2f8c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 54 important colors	0.2774566473988439
RT_ICON	0xd34f4	0x4620	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.979556595365419
RT_ICON	0xd7b14	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.2254149377593361
RT_ICON	0xda0bc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.324812382739212
RT_ICON	0xdb164	0x9e8	Device independent bitmap graphic, 25 x 48 x 32, image size 2496	0.3592271293375394
RT_ICON	0xdbb4c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3723404255319149
RT_ICON	0xdbfb4	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	0.38353658536585367
RT_ICON	0xdc61c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	0.5483870967741935
RT_ICON	0xdc904	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	0.5608108108108109
RT_ICON	0xdca2c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.7388059701492538
RT_ICON	0xdd8d4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.8447653429602888
RT_ICON	0xde17c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.8229768786127167
RT_ICON	0xde6e4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.6637966804979253
RT_ICON	0xe0c8c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.6862101313320825
RT_ICON	0xe1d34	0x424	Device independent bitmap graphic, 16 x 30 x 32, image size 0	0.42547169811320756
RT_GROUP_ICON	0xe2158	0xbc	data	0.601063829787234
RT_GROUP_ICON	0xe2214	0x84	data	0.6590909090909091
RT_VERSION	0xe2298	0x3b0	data	0.375

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:20:32.449776888 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:32.449827909 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:32.449913979 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:32.526597023 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:32.526633978 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:33.954801083 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:33.954898119 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:33.962450981 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:33.962461948 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:33.962794065 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:34.007013083 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:34.092864037 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:34.139343023 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:34.627697945 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:34.678889036 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:34.678904057 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:34.695323944 CET	49713	443	192.168.2.6	91.134.10.127
Dec 18, 2024 14:20:34.695426941 CET	443	49713	91.134.10.127	192.168.2.6
Dec 18, 2024 14:20:34.695514917 CET	49713	443	192.168.2.6	91.134.10.127

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:20:32.272718906 CET	61888	53	192.168.2.6	1.1.1.1
Dec 18, 2024 14:20:32.410778046 CET	53	61888	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 14:20:32.272718906 CET	192.168.2.6	1.1.1.1	0x6d31	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.10.127	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.10.182	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.9.159	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.82.79	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.10.168	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:20:32.410778046 CET	1.1.1.1	192.168.2.6	0x6d31	No error (0)	i.ibb.co	91.134.9.160	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

i.ibb.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	91.134.10.127	443	3268	C:\Users\user\Desktop\yoyf.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:20:34 UTC	80	OUT	GET /ByQRHy3/126-Final.webp HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive
2024-12-18 13:20:34 UTC	144	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 18 Dec 2024 13:20:34 GMT Content-Type: image/png Content-Length: 1031 Connection: close
2024-12-18 13:20:34 UTC	1031	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b4 00 00 00 b4 04 03 00 00 00 cf e3 1b 01 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 30 50 4c 54 45 26 a9 e2 ff ff ff df fc ff 26 bd f2 26 a9 e9 9c f0 ff df d8 e9 51 aa e3 ff f1 f3 ff e3 ec be fa ff be ca e5 51 d0 f8 9c bb e3 77 ad e3 77 e0 fc 4a 4b 7f 56 00 00 03 75 49 44 41 54 68 de ed 98 3f 6b db 40 14 c0 0f 4e a3 c0 bc 40 c5 b9 c2 86 f3 1a 5a 90 a1 14 02 a5 5d b4 88 40 70 3f 81 a0 43 a0 43 11 6d c6 4c 5d 3c a4 2d da 32 5f c7 4e 6e 3f 40 8b 32 66 d2 37 88 3e 40 28 c8 1f a0 f4 bd 93 1c d4 60 2b b2 89 a0 2d ef 47 a4 e8 df fd 74 7a 7a 77 d6 9d 10 0c c3 30 0c c3 30 0c c3 30 0c c3 30 0c f3 6f 23 7f f6 a6 9e 42 bc ee 86 da 6b 39 db 91 00 d2 be d4 a1 Data Ascii: PNGIHDRgAMAasRGB0PLTE&&&QQwwJKVuIDATh?k@N@Z]@p?CCmL]<-2_Nn?@2f7>@(`+-Gtzzw0000o#Bk9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: yoyf.exePID: 3268, Parent PID: 4004

General

Target ID:	0
Start time:	08:20:30
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\yoyf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yoyf.exe"
Imagebase:	0x490000
File size:	928'104 bytes
MD5 hash:	E3DCC770CA9C865A719C2B1F1C5B174E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: yoyf.exePID: 3268, Parent PID: 4004COMMON

Executed Functions

Function 00F00C50 Relevance: 4.2, Strings: 3, Instructions: 440COMMON

Download Yara Rule

Strings

\, xrefs: 00F00F45
\, xrefs: 00F00CC2
\, xrefs: 00F00F55

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID: \$ \$ \
API String ID: 0-1935967978
Opcode ID: 0ee02df91c2bdda0553d2b8542f695add7533e407c710d0e5774bef78c009f25
Instruction ID: 09b11c405909f2a9f2ad88cedcdc5a9241917c116af8ed80a7d51bd55bd286f4
Opcode Fuzzy Hash: 0ee02df91c2bdda0553d2b8542f695add7533e407c710d0e5774bef78c009f25
Instruction Fuzzy Hash: B122B334E00218CFEB65DFA4D854B9DBBB2FF88300F1085A9E509AB2A5DB709D85DF51

Function 00F00C28 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

\, xrefs: 00F00F45
\, xrefs: 00F00CC2

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID: \$ \
API String ID: 0-1306316361
Opcode ID: a6c59c797d1d4ee0e2e46d47ed572b93b5f6fac676508d89f55fa8368b6bcb1a
Instruction ID: d24303b232a41d6e13be37dd10e2cf976c59773925fc399beea20cad93539bcd
Opcode Fuzzy Hash: a6c59c797d1d4ee0e2e46d47ed572b93b5f6fac676508d89f55fa8368b6bcb1a
Instruction Fuzzy Hash: 2022E634E00218CFDB65DFA4D854B9DBBB2FF89300F1081A9E509AB2A5DB709D86DF51

Function 00F058F0 Relevance: 1.0, Instructions: 951COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de59a968af15fd21a3fd61924fe1e311ac62a13dbb0c057ffe7f0ce10d18f112
Instruction ID: 8418236e52cdf0b9bdc71ecd0807b4952c7a0ae0a8a8c88f01f0bac449954a32
Opcode Fuzzy Hash: de59a968af15fd21a3fd61924fe1e311ac62a13dbb0c057ffe7f0ce10d18f112
Instruction Fuzzy Hash: 5F822935A00609DFCB14CF68C984AAEBBB2FF88724F158559E809DB2A1D774ED41EF50

Function 00F04C40 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56cd2668c22cec038672638b851a3939695001ad91a2bea22e7083d3aad6657
Instruction ID: 86114abb5afb73d772b2ae7f21f14953db51ca26a821d53d3d619bf8715aeb0f
Opcode Fuzzy Hash: f56cd2668c22cec038672638b851a3939695001ad91a2bea22e7083d3aad6657
Instruction Fuzzy Hash: 98329F71A002198FDB14DF79C854BAEBBF6BF88710F148569E509EB3A1DB709C41EB90

Function 00F09AB8 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a710188e7204201b2a9af0f9f41dc75af47113e77dee64059a6fe99c8d19702e
Instruction ID: df221cc183b247b5b5619b218a0143ab14bbeec32ea6239522eba1dd5c74969c
Opcode Fuzzy Hash: a710188e7204201b2a9af0f9f41dc75af47113e77dee64059a6fe99c8d19702e
Instruction Fuzzy Hash: 5DD1C431B092158FDB08AB76985463E7AE7AFC4711B18842EE40BE73D5EE74CC02B791

Function 00F0543C Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72441b4f7b5330c2aab39126e7443bd8bafe022bef92bb3178858cfcb9e222ef
Instruction ID: b6b79bde2e46bbd417840938fccde63048cdc98f3d9b479e17be5485b06ff5cf
Opcode Fuzzy Hash: 72441b4f7b5330c2aab39126e7443bd8bafe022bef92bb3178858cfcb9e222ef
Instruction Fuzzy Hash: A6E13F31E00519DFCB14CFA9C984AAEBBF2BF88715F598169E805AB2A1D770DC41EF50

Function 00F02B63 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6cc6c8d4f516793d54b1a21572f70ded355427f8e78e198bf56bc65e2abd1e
Instruction ID: 15d5279f492788afe96acba3e15812467687c47b59fd1af0f2df13e4b0e8e7fa
Opcode Fuzzy Hash: bc6cc6c8d4f516793d54b1a21572f70ded355427f8e78e198bf56bc65e2abd1e
Instruction Fuzzy Hash: 42C18735B04256CFDBA81B35881C33A7AB6AFC0752F38482ED886961D9CE34CC45B776

Function 00F0A58D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da031fbca07e699c44ab73e94ede6f5ef486f68e56acdc42ab7392e38bc1db68
Instruction ID: 89eaa31cdbca33b081ac4f312e71df47aca5904f2b3b56a59b86ae45ee212293
Opcode Fuzzy Hash: da031fbca07e699c44ab73e94ede6f5ef486f68e56acdc42ab7392e38bc1db68
Instruction Fuzzy Hash: BA014B70D02208CFCB18DFA1DA586BDBFB1BB4A300F20645AD812B7290CA308A04EF15

Function 00F04300 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ade13dd835364c1547ec12ee2de3d3e23c3e5b6dc9ddb81619fe91c67fc7fdb
Instruction ID: 890adcc13d9c020e0dd761c075ee1a96a7d58856982eea0196d0f62e255652d0
Opcode Fuzzy Hash: 7ade13dd835364c1547ec12ee2de3d3e23c3e5b6dc9ddb81619fe91c67fc7fdb
Instruction Fuzzy Hash: 25E1C070B002049FDB159F74C858B7E7BE6ABC8311F148429EA0ADB2D1DB74EC41EB91

Function 00F05995 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654754a39cd2ca1c4d0ad2d062bdcac25f729c26e41cd6612b3a71cf02719279
Instruction ID: e9922d60cc6d55b1da36eb1bec264dde2f78b27decdfa4f9f8a52a247ec10bce
Opcode Fuzzy Hash: 654754a39cd2ca1c4d0ad2d062bdcac25f729c26e41cd6612b3a71cf02719279
Instruction Fuzzy Hash: 90C14B30A006099FCB14CFA9C984A9EBBF6FF88714F148559E809EB2A1D774ED40EF50

Function 00F0828C Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448afbade631206ef1e1633c72351587f1b086f57c06cdb5ae009ee36f043c47
Instruction ID: 4b69ac77aaf1a7b853ea666cda3eca3a196beab85f51f7145b5302dedc7392ea
Opcode Fuzzy Hash: 448afbade631206ef1e1633c72351587f1b086f57c06cdb5ae009ee36f043c47
Instruction Fuzzy Hash: B2714F34B006468FCB14CF69C894A6D7BE5BF89790B1500A9E986DB3B1DF70DC42EB51

Function 00F04A38 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704b1693b337b06fe5a37b3399d6a0c5eeff497ec3f7ca42a5d6ed907368424
Instruction ID: df504555012aa5814f6842f7ef71ab35c4eea8590fc46061b2e249c1167467c9
Opcode Fuzzy Hash: e704b1693b337b06fe5a37b3399d6a0c5eeff497ec3f7ca42a5d6ed907368424
Instruction Fuzzy Hash: DD616AB5F00105CFDB14CFA9C884AA9B7B2BF88315B258069D606AB3A5DB34FC41FB51

Function 00F03069 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541fd53f035fe66bbeaa8116dc6dbd5e66a282867f1de8585d0888670a0ed1fe
Instruction ID: def7970cf4a18f07fdc52cec042d78a64f956c7491a9be151794c3f0be2de31b
Opcode Fuzzy Hash: 541fd53f035fe66bbeaa8116dc6dbd5e66a282867f1de8585d0888670a0ed1fe
Instruction Fuzzy Hash: B051C174E012089FCB54DFAAD984ADDBBF2BF89300F20802AE819BB355DB306945DF50

Function 00F06568 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd050a3c32557269b4af1e201e5ccfdc1403c45ea5f41c9db4885612eeb1a2e
Instruction ID: 37648ca41a6071085c249afb6bd13957e20bc7e44b152702d2703ffaa87928d1
Opcode Fuzzy Hash: abd050a3c32557269b4af1e201e5ccfdc1403c45ea5f41c9db4885612eeb1a2e
Instruction Fuzzy Hash: BF41A335B042448FCB059B79DC646AE7BF6AFC9310B18406AE50AEB3E1CE319C15DB51

Function 00F0A6C0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfaeabb13fbe1298a159bbcb9e8ee89d5f9cfea715b3fd37f572d790cacd417
Instruction ID: f0e36404a8acefee6fe848ad86d28eba28e48e729491cb473d2ec09fd3c61974
Opcode Fuzzy Hash: 0dfaeabb13fbe1298a159bbcb9e8ee89d5f9cfea715b3fd37f572d790cacd417
Instruction Fuzzy Hash: C331A330B05248DFD704EB75D8586AEBFB6EF85300F14C4BAD109D72A6DE348D06A751

Function 00F036B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9ee42a18a5666aa6b78e3b563e51cd4437f42848e3d93948c914df4239fddd
Instruction ID: 6b469ec8f175029c61f33f773ebd0f5e045240c2a0e3598de98f935b40af35a6
Opcode Fuzzy Hash: 3f9ee42a18a5666aa6b78e3b563e51cd4437f42848e3d93948c914df4239fddd
Instruction Fuzzy Hash: 0931E575704109EFDF05AF64D848A6E7BB6FB88310F108029F909A7395DB35CE11EB91

Function 00F01633 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3d33145d871fcad33b8685422715236d79d6f138f8d4cbd56e3f2906ed727e
Instruction ID: 684e489fa3b16214dde8e4aeb8429f9f190367e7c21aee31a83747d578b8efc0
Opcode Fuzzy Hash: 4a3d33145d871fcad33b8685422715236d79d6f138f8d4cbd56e3f2906ed727e
Instruction Fuzzy Hash: D9313675D05208CFCB18DFB5D8808ACBBB1FF49311B24556DE81AAB290DB31AD02DF50

Function 00F08538 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e06895b328bdff54b2405d2a2aeca0f0686651c48fdf12975829845a1b62012
Instruction ID: 7cb978749757338818d7e7f262bb1eef10f62a14edd6dc5c49fd616ff3447d87
Opcode Fuzzy Hash: 2e06895b328bdff54b2405d2a2aeca0f0686651c48fdf12975829845a1b62012
Instruction Fuzzy Hash: 1221B331B001014BDB246B2A9C5477E259BAFD87A4F288079D646CB3D8DF66CC43B785

Function 00F08528 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a179f64a1abfaa7b1d51f5cd5611e80c586ea294a382f78c3ffbcb885bcbd8fb
Instruction ID: 8284c49e73eb64c9f23d5118c7a2183ada82aa6285e0f88f11226b62dd368b2b
Opcode Fuzzy Hash: a179f64a1abfaa7b1d51f5cd5611e80c586ea294a382f78c3ffbcb885bcbd8fb
Instruction Fuzzy Hash: A021D331B042018FDB252B3A9C6427D26ABAFD93B4B194079D586CB3E5DF65CC43B781

Function 00F01E2C Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d34565af825906e0c96482547d4b143c89f457c6ba1da37a3c05262f01ed263
Instruction ID: 03fdac8a40806024d97a66d721e2dcc559c082c45ca24576b4b323b91e4e8e78
Opcode Fuzzy Hash: 9d34565af825906e0c96482547d4b143c89f457c6ba1da37a3c05262f01ed263
Instruction Fuzzy Hash: B83117B0D01249DFDB10CFA9C590ADEBFF1BF48310F248469E919AB290DB749941DB90

Function 00F036A9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c727d488e4e9aa958f4c6fc7a17361aee665616c0d086d3cf4f06afd050abb6
Instruction ID: 31e8d11dd1576e3811f1ca428041cbe5f6886fb95c222cba9f28ac443fe2ef2e
Opcode Fuzzy Hash: 1c727d488e4e9aa958f4c6fc7a17361aee665616c0d086d3cf4f06afd050abb6
Instruction Fuzzy Hash: 1F313971A0D284AFD7165F34D868A6A3FB5EB85310F04406AE449DB3D2D638CE05F722

Function 00F01E38 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6b37f52ca00542dd11bd47f0717b833df681d22c0f0ec6a897a2c7c225cca1
Instruction ID: 6673cfbdd85129dca3fd368d5e475c568b481f9aec077a8eca708465a7d38121
Opcode Fuzzy Hash: ca6b37f52ca00542dd11bd47f0717b833df681d22c0f0ec6a897a2c7c225cca1
Instruction Fuzzy Hash: 0D310670D0124DDFDB14CFAAC580ADEBFF5BF48750F248029E909AB290DB749941DB90

Function 00F06767 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19dc5801b6faa3d52a68d5acc0f0847d5e76a5e57ddf1f617acc518e53346df
Instruction ID: 415b5e1f372667dc5200be21f3ed87ee734e65bfed3e76a623a163cf2d396422
Opcode Fuzzy Hash: b19dc5801b6faa3d52a68d5acc0f0847d5e76a5e57ddf1f617acc518e53346df
Instruction Fuzzy Hash: 0931C371E002168FCB05CFA8C8946AEBBB2BF85314F15C155D514DB3A1CB349C56EB91

Function 00F01518 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f876178b69449d03625f20af639e0e98aa4a66351ee7ad549e63f10b013c0d
Instruction ID: e0d798a76a032ea94690dde15233b68e7a61e76f367973341a4085742d842f8a
Opcode Fuzzy Hash: 35f876178b69449d03625f20af639e0e98aa4a66351ee7ad549e63f10b013c0d
Instruction Fuzzy Hash: D231C271E05248DFCB18DFAAD8909DDBBF2AF89300F24856EE409AB360DB315946CF50

Function 00F04848 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbae42c40710d77a4b203871ad69bb83ea7c9d9b1e22ace83afb85d488abe7d
Instruction ID: d6390123ede2c3a6943616718ed8d9a442529a080e77974a9b0c84e8c527d4d1
Opcode Fuzzy Hash: fdbae42c40710d77a4b203871ad69bb83ea7c9d9b1e22ace83afb85d488abe7d
Instruction Fuzzy Hash: 91212871B015518FD7199B35D85852EB3E2BFC5720718857ADA0ADB3D4CF30EC01A791

Function 00F052E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b753ed7b78f29d3891b6fcb56b8529c9f5384c7c1af7352d60f5a9cb061ce627
Instruction ID: 5b980bf3925da909546d826d06a86df8903763b3fb154702ac9fb4b4dbc12186
Opcode Fuzzy Hash: b753ed7b78f29d3891b6fcb56b8529c9f5384c7c1af7352d60f5a9cb061ce627
Instruction Fuzzy Hash: 61219D31904244DFCB10DF94D808BABBBF2EB44324F04856AE05A9B191E7B5DD48EF50

Function 00F058E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2549d52fb3bfdcf09d7939aa96f54a4a2f96657834dd92406c39d5fc988c158
Instruction ID: aceadce7afd01e531fbc557a26844defcd43adde00fc24205ffb5f37c13c4c11
Opcode Fuzzy Hash: c2549d52fb3bfdcf09d7939aa96f54a4a2f96657834dd92406c39d5fc988c158
Instruction Fuzzy Hash: B2215C71605954DFCB11CF6DC884A56B7A1EF467B0B154356E8A98B2E1D370E810EF90

Function 00F042F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2be8606c748d34117bfea3384b3dd373a7bf22b55396f9b0d7e612e63c8aeef
Instruction ID: 2d3f27e1d62854ad8c07b71ed7aab901fd0fe9a4dc24259d9a39fd0fc70d2289
Opcode Fuzzy Hash: d2be8606c748d34117bfea3384b3dd373a7bf22b55396f9b0d7e612e63c8aeef
Instruction Fuzzy Hash: 43110471B042148FC714DF25D848B6DB7B2ABC4321F198269EA19DB2D1DB34EC44F791

Function 00E7D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191564832.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcea3b30f2e9409726f40abb6c104b2c5885d7ea15a4b2b4c47d927e1fcde4
Instruction ID: 83f5ee6fd43d31f32a68dfc1f14023a500fa694c3bad5e7f762d1e44e502380f
Opcode Fuzzy Hash: 4cdcea3b30f2e9409726f40abb6c104b2c5885d7ea15a4b2b4c47d927e1fcde4
Instruction Fuzzy Hash: EF01D67140C3449AE7184A25DDC4B66FFE8EF51768F18D41BED0D6A292C7B89C40CA71

Function 00E7D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191564832.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7d000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73fa4eab3b7f41c7339ba94d1f3d095dff321c55366b1c553162fcdf1be8962
Instruction ID: c5b7a147a56d0f12a6bdde0fc7ab6f2f1005a6ef0bedfee0d6c647142e384833
Opcode Fuzzy Hash: e73fa4eab3b7f41c7339ba94d1f3d095dff321c55366b1c553162fcdf1be8962
Instruction Fuzzy Hash: 10F0C2714083449EE7148A05DCC4B62FFA8EF51728F18C05AED0C1B292C2789C44CB71

Function 00F0C1B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ed9379f237c23e6417d2a0c1f0bcbb48f14c02913446c5408bed474e3c3f2f
Instruction ID: 94201d872c66c045c6898e0c16f6ce66e5edc905664b5ab6695c548cf4fddead
Opcode Fuzzy Hash: d5ed9379f237c23e6417d2a0c1f0bcbb48f14c02913446c5408bed474e3c3f2f
Instruction Fuzzy Hash: D6F0F870900209DED740EFA8C94529EBFF0AB08304F604A29D025E3681EB785281AF81

Function 00F0C1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d85cbc093bbbf8f8f41cf67f9983a5906f62dceca0142d6a15eb13200d1cde4
Instruction ID: e188266e849f7d76f67ed86f6c8e62025d89ebcc66e226afa0d672db984f8a40
Opcode Fuzzy Hash: 9d85cbc093bbbf8f8f41cf67f9983a5906f62dceca0142d6a15eb13200d1cde4
Instruction Fuzzy Hash: FDE0C970D0020ADFDB50EFB8C50636EBFF4AB08304F60456AD115E2281E7B49645AFC1

Function 00F06625 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d280f70086fb25d55c161fd940fdbca736a7887efa1a7a59f69a4b3911568a
Instruction ID: 42a24635faa8a5b5e3f8e043bd8c7c3352baa6ce59e04ad7924b6991c745bf63
Opcode Fuzzy Hash: b7d280f70086fb25d55c161fd940fdbca736a7887efa1a7a59f69a4b3911568a
Instruction Fuzzy Hash: 33D0673AB011089FCB049F99EC409DDF7B6FB9C221B048126E915A3260C7319925DB90

Function 00F07F10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec82516fabfc4f9746054d9d41cf86398e43d3977858a07000d4874b48702157
Instruction ID: 75f6b30002d5bfd6f1609a4de4a330b8a03006b1ca68f9d04da2ce58ac8a3371
Opcode Fuzzy Hash: ec82516fabfc4f9746054d9d41cf86398e43d3977858a07000d4874b48702157
Instruction Fuzzy Hash: C6E08C708093C54FDB0AE770AC584183F32EA82210704568AD0455B0FBEEA8088A8722

Function 00F07F20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3191742289.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_yoyf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f06c9cb17d249eb866abcab66cd3afb3f8374a378ccdc8c0f0555846ac056d1
Instruction ID: bea64b95c00562bdfdfa437e850960ef4b81a92b48935eee0742a3a177db7421
Opcode Fuzzy Hash: 6f06c9cb17d249eb866abcab66cd3afb3f8374a378ccdc8c0f0555846ac056d1
Instruction Fuzzy Hash: 21C0123400020A8BDA49F775F8499153BAAFAC0300B40A528A1092716AEFF8694B5A91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yoyf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yoyf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
yoyf.exe