Edit tour

Windows Analysis Report
hfs.exe

Overview

General Information

Sample name:	hfs.exe
Analysis ID:	1580504
MD5:	9e8557e98ed1269372ff0ace91d63477
SHA1:	d0c4192b65e36553f6fd2b83f3123f6ae8380dac
SHA256:	e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Contains functionality to communicate with device drivers

Contains functionality to query locales information (e.g. system language)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hfs.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\hfs.exe" MD5: 9E8557E98ED1269372FF0ACE91D63477)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hfs.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
hfs.exe	INDICATOR_TOOL_HFS_WebServer	Detects HFS Web Server	ditekSHen	0x37ac:$s1: SOFTWARE\Borland\Delphi\ 0x11b120:$s2: C:\code\mine\hfs\scriptLib.pas 0x125a40:$s2: C:\code\mine\hfs\scriptLib.pas 0x126054:$s3: hfs.;.htm;descript.ion;.comment;.md5;.corrupted;.lnk 0x157cd5:$s3: hfs.;.htm;descript.ion;.comment;.md5;.corrupted;.lnk 0x157478:$s4: Server: HFS

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1659053234.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.hfs.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.0.hfs.exe.400000.0.unpack	INDICATOR_TOOL_HFS_WebServer	Detects HFS Web Server	ditekSHen	0x37ac:$s1: SOFTWARE\Borland\Delphi\ 0x11b120:$s2: C:\code\mine\hfs\scriptLib.pas 0x125a40:$s2: C:\code\mine\hfs\scriptLib.pas 0x126054:$s3: hfs.;.htm;descript.ion;.comment;.md5;.corrupted;.lnk 0x157cd5:$s3: hfs.;.htm;descript.ion;.comment;.md5;.corrupted;.lnk 0x157478:$s4: Server: HFS

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://rejetto.webfactional.com/hfs/ip.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: hfs.exe

ReversingLabs: Detection: 18%

Source: hfs.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /hfs/hfs.updateinfo.txt HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*User-Agent: HFS/2.3mHost: www.rejetto.com

Source: global traffic

DNS traffic detected: DNS query: www.rejetto.com

Source: hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM
Source: hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT
Source: hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXT
Source: hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.REJETTO.COM/HFS/
Source: hfs.exe, 00000000.00000002.2925945040.0000000004A09000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://GITHUB.COM/REJETTO/HFS2/RELEASES/DOWNLOAD/V2.4-RC07/HFS.EXE
Source: hfs.exe, 00000000.00000002.2925197366.00000000023AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.4/
Source: hfs.exe, 00000000.00000002.2924795973.000000000019A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.4/5
Source: hfs.exe, 00000000.00000002.2924982194.000000000074F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.4/LF
Source: hfs.exe	String found in binary or memory: http://2ip.ru
Source: hfs.exe	String found in binary or memory: http://checkip.dyndns.org
Source: hfs.exe	String found in binary or memory: http://hfsservice.rejetto.com/ipservices.php
Source: hfs.exe	String found in binary or memory: http://hfstest.rejetto.com/?port=
Source: hfs.exe	String found in binary or memory: http://jquery.com/
Source: hfs.exe	String found in binary or memory: http://jquery.org/license
Source: hfs.exe	String found in binary or memory: http://rejetto.webfactional.com/hfs/ip.php
Source: hfs.exe	String found in binary or memory: http://sizzlejs.com/
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com/Impromptu/GPL-LICENSE.txt
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com/Impromptu/MIT-LICENSE.txt
Source: hfs.exe	String found in binary or memory: http://www.alexnolan.net/ip/
Source: hfs.exe	String found in binary or memory: http://www.canyouseeme.org
Source: hfs.exe	String found in binary or memory: http://www.cjb.net/cgi-bin/dynip.cgi?username=
Source: hfs.exe	String found in binary or memory: http://www.mario-online.com/mio_indirizzo_ip.php
Source: hfs.exe	String found in binary or memory: http://www.melauto.it/public/rejetto/ip.php
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/forum/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/forum/U
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs-donate
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs-donateU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/U
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/U
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.html
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.htmlU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/hfs.updateinfo.txt
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfs
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfsU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/license.txt
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/license.txtU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/wiki/?title=HFS:_Event_scripts
Source: hfs.exe	String found in binary or memory: http://www.whatsmyrealip.com/
Source: hfs.exe, 00000000.00000002.2925197366.0000000002362000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.0000000004A09000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/rejetto/hfs2/releases/download/v2.4-rc07/hfs.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: hfs.exe, type: SAMPLE	Matched rule: Detects HFS Web Server Author: ditekSHen
Source: 0.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HFS Web Server Author: ditekSHen

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_00407FCE: DeviceIoControl,

0_2_00407FCE

Source: hfs.exe, 00000000.00000000.1659053234.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs hfs.exe
Source: hfs.exe	Binary or memory string: OriginalFilename vs hfs.exe

Source: hfs.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: hfs.exe, type: SAMPLE	Matched rule: INDICATOR_TOOL_HFS_WebServer author = ditekSHen, description = Detects HFS Web Server
Source: 0.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_HFS_WebServer author = ditekSHen, description = Detects HFS Web Server

Source: hfs.exe

Binary string: @\??\C:\Device\LanmanRedirector\U

Source: classification engine

Classification label: mal64.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\hfs.exe

File created: C:\Users\user\Desktop\test.tmp~1466682296.tmp

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Mutant created: \Sessions\1\BaseNamedObjects\HttpFileServer

Source: Yara match	File source: hfs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1659053234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hfs.exe

ReversingLabs: Detection: 18%

Source: hfs.exe	String found in binary or memory: /Address family not supported by protocol family
Source: hfs.exe	String found in binary or memory: %number-addresses%
Source: hfs.exe	String found in binary or memory: %number-addresses-ever%
Source: hfs.exe	String found in binary or memory: %number-addresses-downloading%
Source: hfs.exe	String found in binary or memory: %item-added-dt%
Source: hfs.exe	String found in binary or memory: %item-added%
Source: hfs.exe	String found in binary or memory: log-server-start=
Source: hfs.exe	String found in binary or memory: log-server-stop=
Source: hfs.exe	String found in binary or memory: reload-on-startup=
Source: hfs.exe	String found in binary or memory: find-external-on-startup=
Source: hfs.exe	String found in binary or memory: do-not-log-address=
Source: hfs.exe	String found in binary or memory: last-external-address=
Source: hfs.exe	String found in binary or memory: copy-url-on-start=
Source: hfs.exe	String found in binary or memory: copy-url-on-addition=
Source: hfs.exe	String found in binary or memory: log-server-start
Source: hfs.exe	String found in binary or memory: log-server-stop
Source: hfs.exe	String found in binary or memory: copy-url-on-addition
Source: hfs.exe	String found in binary or memory: copy-url-on-start
Source: hfs.exe	String found in binary or memory: reload-on-startup
Source: hfs.exe	String found in binary or memory: find-external-on-startup
Source: hfs.exe	String found in binary or memory: do-not-log-address
Source: hfs.exe	String found in binary or memory: last-external-address
Source: hfs.exe	String found in binary or memory: -START "" /WAIT "%s" -q
Source: hfs.exe	String found in binary or memory: }//addPagingButton

Source: C:\Users\user\Desktop\hfs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Window found: window name: TButton

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: hfs.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hfs.exe

Static file information: File size 2171904 > 1048576

Source: hfs.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x176800

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004079E6 push 00407A43h; ret		0_2_00407A3B
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004079E8 push 00407A43h; ret		0_2_00407A3B

Source: C:\Users\user\Desktop\hfs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: hfs.exe, 00000000.00000002.2924982194.000000000078E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9Zcj

Source: C:\Users\user\Desktop\hfs.exe

Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,

0_2_00407070

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hfs.exe	18%	ReversingLabs

Source	Detection	Scanner	Label
http://www.rejetto.com/hfs/guide/intro.html	0%	Avira URL Cloud	safe
http://www.rejetto.com/wiki/?title=HFS:_Event_scripts	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs/hfs.updateinfo.txt	0%	Avira URL Cloud	safe
http://www.alexnolan.net/ip/	0%	Avira URL Cloud	safe
http://192.168.2.4/	0%	Avira URL Cloud	safe
http://192.168.2.4/LF	0%	Avira URL Cloud	safe
HTTP://WWW.REJETTO.COM/HFS/	0%	Avira URL Cloud	safe
http://www.rejetto.com/sw/?faq=hfsU	0%	Avira URL Cloud	safe
http://www.cjb.net/cgi-bin/dynip.cgi?username=	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs/U	0%	Avira URL Cloud	safe
http://192.168.2.4/5	0%	Avira URL Cloud	safe
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT	0%	Avira URL Cloud	safe
http://rejetto.webfactional.com/hfs/ip.php	100%	Avira URL Cloud	malware
http://www.rejetto.com/hfs/guide/intro.htmlU	0%	Avira URL Cloud	safe
http://www.rejetto.com/sw/license.txt	0%	Avira URL Cloud	safe
http://www.melauto.it/public/rejetto/ip.php	0%	Avira URL Cloud	safe
http://www.rejetto.com/sw/license.txtU	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs/guide/U	0%	Avira URL Cloud	safe
http://www.mario-online.com/mio_indirizzo_ip.php	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs-donateU	0%	Avira URL Cloud	safe
http://trentrichardson.com/Impromptu/MIT-LICENSE.txt	0%	Avira URL Cloud	safe
http://hfsservice.rejetto.com/ipservices.php	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs-donate	0%	Avira URL Cloud	safe
http://www.rejetto.com/forum/	0%	Avira URL Cloud	safe
http://www.rejetto.com/hfs/guide/	0%	Avira URL Cloud	safe
http://hfstest.rejetto.com/?port=	0%	Avira URL Cloud	safe
http://www.rejetto.com/sw/?faq=hfs	0%	Avira URL Cloud	safe
http://www.rejetto.com/forum/U	0%	Avira URL Cloud	safe
HTTP://TRENTRICHARDSON.COM	0%	Avira URL Cloud	safe
http://www.whatsmyrealip.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.rejetto.com	94.23.66.84	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
HTTP://WWW.REJETTO.COM/HFS/	hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.canyouseeme.org	hfs.exe	false		high
http://jquery.org/license	hfs.exe	false		high
http://www.rejetto.com/hfs/guide/intro.html	hfs.exe	false	Avira URL Cloud: safe	unknown
http://192.168.2.4/	hfs.exe, 00000000.00000002.2925197366.00000000023AA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.168.2.4/LF	hfs.exe, 00000000.00000002.2924982194.000000000074F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cjb.net/cgi-bin/dynip.cgi?username=	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/wiki/?title=HFS:_Event_scripts	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.alexnolan.net/ip/	hfs.exe	false	Avira URL Cloud: safe	unknown
http://sizzlejs.com/	hfs.exe	false		high
http://www.rejetto.com/sw/?faq=hfsU	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/U	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/hfs.updateinfo.txt	hfs.exe	false	Avira URL Cloud: safe	unknown
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT	hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/guide/U	hfs.exe	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	hfs.exe	false		high
http://192.168.2.4/5	hfs.exe, 00000000.00000002.2924795973.000000000019A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rejetto.webfactional.com/hfs/ip.php	hfs.exe	false	Avira URL Cloud: malware	unknown
http://www.rejetto.com/hfs/guide/intro.htmlU	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.melauto.it/public/rejetto/ip.php	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs-donateU	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.mario-online.com/mio_indirizzo_ip.php	hfs.exe	false	Avira URL Cloud: safe	unknown
https://github.com/rejetto/hfs2/releases/download/v2.4-rc07/hfs.exe	hfs.exe, 00000000.00000002.2925197366.0000000002362000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.0000000004A09000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rejetto.com/sw/license.txt	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/	hfs.exe	false		unknown
http://www.rejetto.com/sw/license.txtU	hfs.exe	false	Avira URL Cloud: safe	unknown
HTTPS://GITHUB.COM/REJETTO/HFS2/RELEASES/DOWNLOAD/V2.4-RC07/HFS.EXE	hfs.exe, 00000000.00000002.2925945040.0000000004A09000.00000004.00001000.00020000.00000000.sdmp	false		high
http://trentrichardson.com/Impromptu/GPL-LICENSE.txt	hfs.exe	false		unknown
http://trentrichardson.com/Impromptu/MIT-LICENSE.txt	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/forum/	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs-donate	hfs.exe	false	Avira URL Cloud: safe	unknown
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXT	hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://2ip.ru	hfs.exe	false		high
http://hfsservice.rejetto.com/ipservices.php	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/guide/	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/forum/U	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.whatsmyrealip.com/	hfs.exe	false	Avira URL Cloud: safe	unknown
HTTP://TRENTRICHARDSON.COM	hfs.exe, 00000000.00000003.1661844100.000000000078F000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.2925945040.00000000049B3000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://trentrichardson.com	hfs.exe	false		unknown
http://hfstest.rejetto.com/?port=	hfs.exe	false	Avira URL Cloud: safe	unknown
http://jquery.com/	hfs.exe	false		high
http://www.rejetto.com/sw/?faq=hfs	hfs.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.23.66.84	www.rejetto.com	France		16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580504
Start date and time:	2024-12-24 19:48:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hfs.exe
Detection:	MAL
Classification:	mal64.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hfs.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.23.66.84	hfs.exe	Get hash	malicious	Unknown	Browse	www.rejetto.com/hfs/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.rejetto.com	MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac.zip	Get hash	malicious	Unknown	Browse	94.23.66.84
	hfs.exe	Get hash	malicious	Unknown	Browse	94.23.66.84
	ijxxKAiHHB.exe	Get hash	malicious	Unknown	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Unknown	Browse	185.20.49.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	armv5l.elf	Get hash	malicious	Mirai	Browse	139.99.86.60
	nklarm7.elf	Get hash	malicious	Unknown	Browse	91.121.98.217
	jklm68k.elf	Get hash	malicious	Unknown	Browse	139.99.246.133
	splmips.elf	Get hash	malicious	Unknown	Browse	94.23.162.140
	jklmips.elf	Get hash	malicious	Unknown	Browse	192.99.129.83
	armv7l.elf	Get hash	malicious	Unknown	Browse	51.71.12.108
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	139.99.188.124
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse	139.99.188.124
	6fW0guYpsH.lnk	Get hash	malicious	Unknown	Browse	139.99.188.124
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	149.202.242.118

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.57278230008726
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	hfs.exe
File size:	2'171'904 bytes
MD5:	9e8557e98ed1269372ff0ace91d63477
SHA1:	d0c4192b65e36553f6fd2b83f3123f6ae8380dac
SHA256:	e678899d7ea9702184167b56655f91a69f8a0bdc9df65612762252c053c2cd7c
SHA512:	c1a338c0414ac68d7ce24df06f3b665a56feae15063332324fea3250f1e77c19209ea3d89fe3a06d48974cce70bd9c65d59b7e2fbaf27c3f01ac2e898057e9ec
SSDEEP:	49152:UR0LvNmmh9otEKMx9XSNVBOw+V4UvEbAThhiqvyo98ZcW7SZ:UR0xmmh9GEKgpSNVBr72QN
TLSH:	ECA56B22F690C437D17736799CA793C56928BB502E14990B3AE87F4CBF793C13D1229A
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	1b3b13333101860c

Static PE Info

General

Entrypoint:	0x579ca0
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	eb58f6a65d91e853b4dcfa5f6c10386b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFECh
push ebx
xor eax, eax
mov dword ptr [ebp-14h], eax
mov eax, 005771F0h
call 00007F953C9BA54Bh
mov ebx, dword ptr [00582958h]
xor eax, eax
push ebp
push 00579E14h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [005825DCh]
mov eax, dword ptr [eax]
mov dword ptr [eax+14h], 0057704Ch
push 00000011h
call 00007F953C9BB1C6h
movsx eax, ax
test ah, FFFFFF80h
jne 00007F953CB2C75Eh
mov eax, dword ptr [005825DCh]
mov eax, dword ptr [eax]
mov edx, 00579E2Ch
call 00007F953CA43F7Dh
test al, al
jne 00007F953CB2C722h
mov eax, dword ptr [005825DCh]
mov eax, dword ptr [eax]
mov ecx, dword ptr [eax+0Ch]
lea eax, dword ptr [ebp-14h]
mov edx, 00579E44h
call 00007F953C9B8162h
mov eax, dword ptr [ebp-14h]
xor ecx, ecx
mov edx, 00000010h
call 00007F953CAC49FFh
mov eax, 00000001h
call 00007F953C9B7D4Dh
mov eax, dword ptr [005825DCh]
mov eax, dword ptr [eax]
cmp byte ptr [eax+08h], 00000000h
jne 00007F953CB2C70Ch
call 00007F953CB29A9Bh
test al, al
je 00007F953CB2C703h
mov eax, dword ptr [005825DCh]
mov eax, dword ptr [eax]
call 00007F953CA43FFFh
jmp 00007F953CB2C7A0h
mov eax, dword ptr [ebx]
call 00007F953CA4208Bh
mov eax, dword ptr [00582A14h]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007F953CA58825h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x191000	0x3966	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ad000	0x77600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x197000	0x15764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x196018	0x2d	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x196000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x191acc	0x8d8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1766b8	0x176800	3f942d6c37616e0d8d9ac5fd5876e441	False	0.46303404539385845	data	6.429015159978142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x178000	0x1e64	0x2000	f4582be31f56c88cbd18ab7ba9099d38	False	0.549072265625	data	6.18976186886786	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17a000	0x8c94	0x8e00	9f9a41de15042165e91ffa796cbd7dc1	False	0.5568056778169014	data	5.687851591548669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x183000	0xd974	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x191000	0x3966	0x3a00	87db3a2d95e6a0a244ebc9dc6a2f460d	False	0.31276939655172414	data	5.164467768035724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x195000	0x44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x196000	0x45	0x200	c7f385b277b29965aeda94ad0884eccc	False	0.142578125	data	0.9956758247090713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x197000	0x15764	0x15800	eec81278c172ce8dcc7aa4a87e5d3dd7	False	0.5875726744186046	data	6.701161684807333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1ad000	0x77600	0x77600	e474116bbf0bad0c701fe37e23c3c0d9	False	0.3714721040575916	data	5.963918185992459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
GIF	0x1aea00	0x179e	GIF image data, version 89a, 387 x 169	English	United States	1.0018193847171684
TEXT	0x1b01a0	0x30b	ASCII text, with CRLF line terminators	English	United States	0.4672657252888318
TEXT	0x1b04ac	0x109	ASCII text, with CRLF line terminators	English	United States	0.8377358490566038
TEXT	0x1b05b8	0xc779	HTML document, ASCII text, with CRLF line terminators	English	United States	0.29681778125917946
TEXT	0x1bcd34	0x236	HTML document, ASCII text, with CRLF line terminators	English	United States	0.4911660777385159
TEXT	0x1bcf6c	0x56	ASCII text, with CRLF line terminators	English	United States	0.6395348837209303
TEXT	0x1bcfc4	0x1c9	ASCII text, with CRLF line terminators	English	United States	0.6258205689277899
TEXT	0x1bd190	0x14b	ASCII text, with CRLF line terminators	English	United States	0.6374622356495468
TEXT	0x1bd2dc	0x119ee	ASCII text, with very long lines (820)	English	United States	0.3407459750048494
TEXT	0x1ceccc	0xc1	ASCII text, with CRLF line terminators	English	United States	0.7409326424870466
TEXT	0x1ced90	0x124	ASCII text, with CRLF line terminators	English	United States	0.7157534246575342
UNICODEDATA	0x1ceeb4	0x723f	data			0.36769583205115053
UNICODEDATA	0x1d60f4	0x7ebd	data			0.42552011095700415
UNICODEDATA	0x1ddfb4	0x6a8	data			0.5985915492957746
UNICODEDATA	0x1de65c	0xaf7d	data			0.4191430161380078
UNICODEDATA	0x1e95dc	0xd3cf	data			0.4500857569666009
UNICODEDATA	0x1f69ac	0x14c5	data			0.6482979123565921
RT_CURSOR	0x1f7e74	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x1f7fa8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x1f80dc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x1f8210	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x1f8344	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x1f8478	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x1f85ac	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1f86e0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x1f88b0	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x1f8a94	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x1f8c64	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x1f8e34	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x1f9004	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x1f91d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x1f93a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x1f9574	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x1f9744	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x1f9914	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x1f99d4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x1f9ab4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x1f9b94	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x1f9c74	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x1f9d34	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x1f9df4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x1f9ed4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x1f9f94	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x1fa074	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x1fa15c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x1fa21c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x1fa2fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.5184647302904565
RT_ICON	0x1fc8a4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.49120217288615964
RT_ICON	0x200acc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.723826714801444
RT_ICON	0x201374	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5657514450867052
RT_DIALOG	0x2018dc	0x52	data			0.7682926829268293
RT_DIALOG	0x201930	0x52	data			0.7560975609756098
RT_STRING	0x201984	0x9c	data			0.41025641025641024
RT_STRING	0x201a20	0x808	data			0.14688715953307394
RT_STRING	0x202228	0x858	data			0.14887640449438203
RT_STRING	0x202a80	0x898	data			0.1390909090909091
RT_STRING	0x203318	0x7a8	data			0.16887755102040816
RT_STRING	0x203ac0	0x944	data			0.12310286677908938
RT_STRING	0x204404	0x9f4	data			0.12676609105180534
RT_STRING	0x204df8	0x5f0	data			0.3092105263157895
RT_STRING	0x2053e8	0x248	data			0.4160958904109589
RT_STRING	0x205630	0x27c	data			0.3663522012578616
RT_STRING	0x2058ac	0x224	data			0.4635036496350365
RT_STRING	0x205ad0	0x45c	data			0.3870967741935484
RT_STRING	0x205f2c	0x414	data			0.39846743295019155
RT_STRING	0x206340	0x314	data			0.3946700507614213
RT_STRING	0x206654	0x424	data			0.42452830188679247
RT_STRING	0x206a78	0x21c	data			0.5314814814814814
RT_STRING	0x206c94	0xc8	data			0.67
RT_STRING	0x206d5c	0x18c	data			0.5353535353535354
RT_STRING	0x206ee8	0x230	data			0.49642857142857144
RT_STRING	0x207118	0x41c	data			0.37927756653992395
RT_STRING	0x207534	0x398	data			0.3815217391304348
RT_STRING	0x2078cc	0x37c	data			0.3968609865470852
RT_STRING	0x207c48	0x368	data			0.3394495412844037
RT_STRING	0x207fb0	0x43c	data			0.3763837638376384
RT_STRING	0x2083ec	0xcc	data			0.5392156862745098
RT_STRING	0x2084b8	0xb0	data			0.6534090909090909
RT_STRING	0x208568	0x27c	data			0.4716981132075472
RT_STRING	0x2087e4	0x3bc	data			0.32426778242677823
RT_STRING	0x208ba0	0x368	data			0.37844036697247707
RT_STRING	0x208f08	0x2d4	data			0.39917127071823205
RT_RCDATA	0x2091dc	0x5c	data			0.782608695652174
RT_RCDATA	0x209238	0x10	data			1.5
RT_RCDATA	0x209248	0x7a0	data			0.5911885245901639
RT_RCDATA	0x2099e8	0x18d	Delphi compiled form 'TdiffFrm'			0.7581863979848866
RT_RCDATA	0x209b78	0x16a7	Delphi compiled form 'TfilepropFrm'			0.3386790826004484
RT_RCDATA	0x20b220	0xcfd	Delphi compiled form 'TfolderKindFrm'			0.42857142857142855
RT_RCDATA	0x20bf20	0x370	Delphi compiled form 'TipsEverFrm'			0.5886363636363636
RT_RCDATA	0x20c290	0x29d	Delphi compiled form 'TlistSelectFrm'			0.5919282511210763
RT_RCDATA	0x20c530	0x3cf	Delphi compiled form 'TlonginputFrm'			0.556923076923077
RT_RCDATA	0x20c900	0x13ff7	Delphi compiled form 'TmainFrm'			0.31347438073030487
RT_RCDATA	0x2208f8	0x419	Delphi compiled form 'TnewuserpassFrm'			0.47569113441372735
RT_RCDATA	0x220d14	0x2676	Delphi compiled form 'ToptionsFrm'			0.3191143611618932
RT_RCDATA	0x22338c	0x396	Delphi compiled form 'TpurgeFrm'			0.5108932461873639
RT_RCDATA	0x223724	0x363	Delphi compiled form 'TrunScriptFrm'			0.6147635524798154
RT_RCDATA	0x223a88	0x2fb	Delphi compiled form 'TshellExtFrm'			0.6120576671035387
RT_GROUP_CURSOR	0x223d84	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x223d98	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x223dac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x223dc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x223dd4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x223de8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x223dfc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x223e10	0x3e	data	English	United States	0.8709677419354839
RT_VERSION	0x223e50	0x318	data	Italian	Italy	0.4823232323232323
RT_MANIFEST	0x224168	0x29f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4977645305514158

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, SendDlgItemMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FlashWindow, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CopyImage, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharUpperA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	GradientFill
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectType, GetObjectA, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtCreatePen, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrlenW, lstrcpynW, lstrcpyA, lstrcmpA, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, ResumeThread, ResetEvent, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, PeekNamedPipe, OutputDebugStringA, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalHandle, GlobalLock, GlobalGetAtomNameA, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameW, GetFullPathNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeviceIoControl, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringW, CompareStringA, CloseHandle
advapi32.dll	RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExW, RegOpenKeyExA, RegFlushKey, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	Shell_NotifyIconA, ShellExecuteA, SHGetFileInfoA, SHFileOperationA, DragQueryFileA, DragAcceptFiles
shell32.dll	SHGetPathFromIDListA, SHGetMalloc, SHBrowseForFolderA
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
comdlg32.dll	ChooseFontA, GetSaveFileNameA, GetOpenFileNameA
winmm.dll	timeGetTime, PlaySoundA
kernel32.dll	GetVersionExA
kernel32.dll	MulDiv
shell32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Italian	Italy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 19:50:32.775115013 CET	49764	80	192.168.2.4	94.23.66.84
Dec 24, 2024 19:50:32.895611048 CET	80	49764	94.23.66.84	192.168.2.4
Dec 24, 2024 19:50:32.895716906 CET	49764	80	192.168.2.4	94.23.66.84
Dec 24, 2024 19:50:32.896003962 CET	49764	80	192.168.2.4	94.23.66.84
Dec 24, 2024 19:50:33.015527964 CET	80	49764	94.23.66.84	192.168.2.4
Dec 24, 2024 19:50:34.143939018 CET	80	49764	94.23.66.84	192.168.2.4
Dec 24, 2024 19:50:34.144526005 CET	80	49764	94.23.66.84	192.168.2.4
Dec 24, 2024 19:50:34.144613028 CET	49764	80	192.168.2.4	94.23.66.84
Dec 24, 2024 19:50:34.147121906 CET	49764	80	192.168.2.4	94.23.66.84
Dec 24, 2024 19:50:34.266575098 CET	80	49764	94.23.66.84	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 19:50:32.430716991 CET	55960	53	192.168.2.4	1.1.1.1
Dec 24, 2024 19:50:32.774113894 CET	53	55960	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 19:50:32.430716991 CET	192.168.2.4	1.1.1.1	0x11b4	Standard query (0)	www.rejetto.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 19:50:32.774113894 CET	1.1.1.1	192.168.2.4	0x11b4	No error (0)	www.rejetto.com		94.23.66.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.rejetto.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49764	94.23.66.84	80	6720	C:\Users\user\Desktop\hfs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 19:50:32.896003962 CET	151	OUT	GET /hfs/hfs.updateinfo.txt HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / User-Agent: HFS/2.3m Host: www.rejetto.com
Dec 24, 2024 19:50:34.143939018 CET	656	IN	HTTP/1.1 200 OK date: Tue, 24 Dec 2024 18:50:33 GMT content-type: text/plain content-length: 253 server: OVHcloud accept-ranges: bytes vary: Accept-Encoding pragma: no-cache cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 x-frame-options: SAMEORIGIN x-iplb-request-id: 082E7BBD:1315_5E174254:0050_676B0279_10086:683F x-iplb-instance: 52159 connection: close Data Raw: 48 46 53 20 75 70 64 61 74 65 20 69 6e 66 6f 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 5d 0d 0a 32 2e 34 2e 30 20 52 43 37 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 62 75 69 6c 64 5d 0d 0a 33 31 39 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 75 72 6c 5d 0d 0a 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 6a 65 74 74 6f 2f 68 66 73 32 2f 72 65 6c 65 61 73 65 73 2f 64 6f 77 6e 6c 6f 61 64 2f 76 32 2e 34 2d 72 63 30 37 2f 68 66 73 2e 65 78 65 0d 0a 5b 6e 6f 74 69 63 65 5d 0d 0a 48 46 53 20 32 2e 33 2f 32 2e 34 20 69 73 20 76 75 6c 6e 65 72 61 62 6c 65 20 74 6f 20 69 6d 70 6f 72 74 61 6e 74 20 61 74 74 61 63 6b 73 21 20 43 6f 6e 73 69 64 65 72 20 75 73 69 6e 67 20 48 46 53 20 33 20 69 6e 73 74 65 61 64 2e 0d 0a 5b 45 4f 46 5d 0d 0a Data Ascii: HFS update info[last stable]2.4.0 RC7[last stable build]319[last stable url]https://github.com/rejetto/hfs2/releases/download/v2.4-rc07/hfs.exe[notice]HFS 2.3/2.4 is vulnerable to important attacks! Consider using HFS 3 instead.[EOF]

Target ID:	0
Start time:	13:49:20
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\hfs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hfs.exe"
Imagebase:	0x400000
File size:	2'171'904 bytes
MD5 hash:	9E8557E98ED1269372FF0ACE91D63477
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1659053234.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	48
Total number of Limit Nodes:	3

Executed Functions

Function 00407070 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 184
registrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004070AA
RegOpenKeyExA.KERNELBASE(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004070C8
RegOpenKeyExA.KERNELBASE(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004070E6
GetLocaleInfoA.KERNELBASE(00000000), ref: 0040719F
LoadLibraryExA.KERNELBASE(00000000,00000000,00000002), ref: 00407259
LoadLibraryExA.KERNELBASE(00000000,00000000,00000002), ref: 0040728F

Strings

Software\Borland\Delphi\Locales, xrefs: 004070DC
., xrefs: 004071DC
Software\Borland\Locales, xrefs: 004070A0, 004070BE

Memory Dump Source

Source File: 00000000.00000002.2924840311.0000000000407000.00000040.00000001.01000000.00000003.sdmp, Offset: 00407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_407000_hfs.jbxd

Similarity

API ID: Open$LibraryLoad$InfoLocale
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 4041025014-3917250287
Opcode ID: 4bc055594a0b34e814b33aaf8fc9219e5e9fc34e973681e86cc46028133426e9
Instruction ID: c5ff98c6a6139f93c6704c79ab18b06f40684caa607cb0862b16daa4c1cf1b01
Opcode Fuzzy Hash: 4bc055594a0b34e814b33aaf8fc9219e5e9fc34e973681e86cc46028133426e9
Instruction Fuzzy Hash: 80517171E0420C7EFB21D6A49C46FEF77AC9B04744F4441B6BA04F66C2E678AE448B69

Function 00407F7E Relevance: 1.5, APIs: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(?,?,?), ref: 00407F97

Memory Dump Source

Source File: 00000000.00000002.2924840311.0000000000407000.00000040.00000001.01000000.00000003.sdmp, Offset: 00407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_407000_hfs.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: aac90e20a50084a577ced6f325ddde7fae3f822483f87fcda839c5e40715e318
Instruction ID: c790e31c200fdd215013f6f20d056eb62fdbe26bf6d17a02c93ee99176357472
Opcode Fuzzy Hash: aac90e20a50084a577ced6f325ddde7fae3f822483f87fcda839c5e40715e318
Instruction Fuzzy Hash: 6BD05E73A14208FFCB00DFADDC05D9E73ECEB18254B108429F418D7100D239EA009B24

Function 00407F80 Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(?,?,?), ref: 00407F97

Memory Dump Source

Source File: 00000000.00000002.2924840311.0000000000407000.00000040.00000001.01000000.00000003.sdmp, Offset: 00407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_407000_hfs.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction ID: 349e1c842927ee80bb4e6aaef0f9b1f8cd2ec333b2a73608cae7dd49179f51a1
Opcode Fuzzy Hash: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction Fuzzy Hash: 21D05E73914208FFCB00DFA9D805D8E73ECEB18254B108429F418D7100D239EA009B24

Function 00421970 Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2924854727.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_hfs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65c068728c9befbfb0bd2696387d1c550580650a046a058749063818c853c7b
Instruction ID: d1efd2674946ddcb1477498d5fd98560e8a1a96f26c859c93cd1a0151d6e3682
Opcode Fuzzy Hash: e65c068728c9befbfb0bd2696387d1c550580650a046a058749063818c853c7b
Instruction Fuzzy Hash: EA115474E04648EFDB00DFA8D851AADFBF4EB45304F5180AAE504B7390D7355E41CB54

Function 00421B30 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2924854727.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_hfs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e97f87f3650c6f85148b80b62df0b5d7665720ffbccf451877ef4d4b30a3dd6
Instruction ID: 6589792cef98e809a9812f7c702a5b4da44f9991f1cefcbb9db66082a6a87442
Opcode Fuzzy Hash: 4e97f87f3650c6f85148b80b62df0b5d7665720ffbccf451877ef4d4b30a3dd6
Instruction Fuzzy Hash: 0D115E34A00148EFCB00DBA9D882D8DBBF5EF54304FA184A6E404E7661E774AF44CB59

Function 00421BEA Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2924854727.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_hfs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6f4cad14f15868b6e16b35edbab0d0b0f9e8558c8b281c2a1114a9fb214b43
Instruction ID: 9d60802b55ce9ca12f46bf9c0685bb143f0351e90864b0859f2ecfdc362365b2
Opcode Fuzzy Hash: 4b6f4cad14f15868b6e16b35edbab0d0b0f9e8558c8b281c2a1114a9fb214b43
Instruction Fuzzy Hash: 9601F538B40294BED716AF66E8017ADBFF8EF2A700FD540E6E40052271DB395D41C61C

Function 004213E8 Relevance: .0, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2924854727.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_hfs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f64d00ef102ad1af902d2e05236edb25d0ea4c129a09f24e2c0ec02db4d65ab
Instruction ID: 8edcc4c43b3520b0e993df5f19bf5dbf676e64913b229a4b9fb3c6233d21f5cd
Opcode Fuzzy Hash: 9f64d00ef102ad1af902d2e05236edb25d0ea4c129a09f24e2c0ec02db4d65ab
Instruction Fuzzy Hash: 79F03C38704214FFC710EF55F95196977F8EB643147F18066F808A3662EA39AE02AB4C

Non-executed Functions

Function 00407FCE Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2924840311.0000000000407000.00000040.00000001.01000000.00000003.sdmp, Offset: 00407000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_407000_hfs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47502fed7009dd2242633c869eb6d4c5e6d7f210b0dba8c156ea9c0ec4b88f2
Instruction ID: c1fed7b65ea2b632cabae2a3fa9ac6ceb8095e1cb4539e7ca024ea703b2bd8d1
Opcode Fuzzy Hash: f47502fed7009dd2242633c869eb6d4c5e6d7f210b0dba8c156ea9c0ec4b88f2
Instruction Fuzzy Hash:

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hfs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
hfs.exe

Function 00407070 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 184
registrylibraryCOMMON

Function 00407F7E Relevance: 1.5, APIs: 1, Instructions: 19
synchronizationCOMMON

Function 00407F80 Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Function 00421970 Relevance: .1, Instructions: 54
COMMON

Function 00421B30 Relevance: .1, Instructions: 53
COMMON

Function 00421BEA Relevance: .0, Instructions: 43
COMMON

Function 004213E8 Relevance: .0, Instructions: 35
COMMON