Windows
Analysis Report
443_2003_https-df.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
443_2003_https-df.exe (PID: 2820 cmdline: "C:\Users\user\Desktop\443_2003_https-df.exe" MD5: 8D9C0F42BAF129D1B430A01463DD7870)
WerFault.exe (PID: 1412 cmdline: C:\Windows\system32\WerFault.exe -u -p 2820 -s 1812 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
{
"Type": "Metasploit Connect",
"URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security | |
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Lowering of HIPS / PFW / Operating System Security Settings
- Remote Access Functionality
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | URLs: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_00000001400042B6 |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | 4 entries |
Source: | Network traffic detected: | 2 entries |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: | 10 entries |
Source: | Process created: |
Source: | Matched rule: | 10 entries |
Source: | Classification label: |
Source: | Mutant created: |
Source: | File created: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Process created: | 2 entries |
Source: | Section loaded: | 30 entries |
Source: | Key value queried: |
Source: | Static PE information: | 4 entries |
Source: | Process information set: | 55 entries |
Source: | Binary or memory string: | 31 entries |
Source: | Binary or memory string: | 5 entries |
Remote Access Functionality |
---|
Source: | File source: | 5 entries |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 78% | Virustotal | | |
| 84% | ReversingLabs | Win64.Hacktool.MetaSploit | |
| 100% | Avira | TR/Crypt.XPACK.Gen7 | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
good.com | 74.82.86.0 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
74.82.86.0 | good.com | Canada | 18705 | RIMBLACKBERRYCA | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1636969 |
Start date and time: | 2025-03-13 09:47:13 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 443_2003_https-df.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@2/6@1/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 40.69.147.202, 20.190.159.131, 23.199.214.10, 4.175.87.197
- Excluded domains from analysis (whitelisted): onedsblobvmssprdcus02.centralus.cloudapp.azure.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
04:48:42 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
good.com | | | malicious | SystemBC | | |
| | | malicious | Outlook Phishing, HTMLPhisher | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RIMBLACKBERRYCA | | | malicious | Mirai | | |
| | | malicious | Mirai | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Mirai | | |
| | | malicious | Mirai, Okiru | | |
| | | malicious | Mirai | | |
| | | malicious | Unknown | | |
| | | malicious | Mirai | | |
| | | malicious | Mirai | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader, Snake Keylogger | | |
| | | malicious | Remcos, GuLoader | | |
| | | malicious | GuLoader, Snake Keylogger | | |
| | | malicious | GuLoader | | |
| | | malicious | GuLoader | | |
| | | malicious | FatalRAT, GhostRat, Nitol | | |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0024690629542772 |
Encrypted: | false |
SSDEEP: | 192:G03w+Tukcq0kigMJNOjZThGzuiFQZ24lO8pGw:z3PTukcxkigvjizuiFQY4lO8Yw |
MD5: | C9310E05E3D7E4820A5D100A2FF53974 |
SHA1: | F7E01B17A802A1B1D69F0F20EEA32EF27E6847B9 |
SHA-256: | FCB2B7F3549BA1086B637C032595EC367B518C49D4F8A8F3F1ABA6DBCA236DDF |
SHA-512: | E266C00CA636D4B193F0D92449855BFF7235643E99DC0B1A56A74E75DF0078A91A35A4D4CEC8D2D048819221880CEBCBA4316A2C68FCB985ADCCB8A6F4CA7EFF |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 149324 |
Entropy (8bit): | 1.4891538757814387 |
Encrypted: | false |
SSDEEP: | 384:vAS7GmDclnQwv//vl2qnvRWi0IeEZSkFrgYy6syQaEjork:4gRsnQwH/nZWi0FwF/y6syQaEjork |
MD5: | 3215E0294E86B565B2FE3F2B648A4F69 |
SHA1: | 56B76251EB533F220136788A62EAFC08FA00715D |
SHA-256: | E7564559044064DFF21A360DCD16C3EC3E0DEF922EEEF4D12FAD722AF2719DE0 |
SHA-512: | F31A492278E0836697767A9A4D75851F7B831AA6B897E3B99A28C8DC632BFD441D79F8F9D159F408B8C2923F7B0E11044306407AE6686E0947C2D61160954DE3 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8800 |
Entropy (8bit): | 3.70785656086467 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJvx0a6YKCKgmf+4bdpDt89blCGy0fW3m:R6lXJJ56YvKgmf+BlCGJfn |
MD5: | 7FE14344C9D2F175A3D3FABBDDF6F509 |
SHA1: | 3773A4C9ECB7F39BEF623392D8C055B034DFFB2F |
SHA-256: | 6BE7A3CA288E669CEC3C608F4A78E3D8F060915E880C9A3D28732518FEFB1490 |
SHA-512: | 2CC234D2EC5FBFF965C8AEAFFB6BCF63DDD9ACD679116C957FE9599108DEA2B2D3656175117E1191D01A06777D0DBB7895E537C86414519929E9EBB835462DDF |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4719 |
Entropy (8bit): | 4.502213460567407 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsGJg771I9daWpW8VYFYm8M4JDAOKFByq85kLOeLLBJ8d:uIjfcI7Ob7V9J81lZLdJ8d |
MD5: | 9BD85AA9BEFAF1061F4A35563EE02C5D |
SHA1: | 80E8B848B1BEA88547A18C6C4952590908C9064D |
SHA-256: | C5CD3A6B873D38B50523429F197B7F9C1E7A013D506F333380B52B19D7985B8A |
SHA-512: | ED2B7ABAE1B6CD4225B58E466AEC965258C8207FED21A1FC1AD61ACE4FF12725E960CC31C6B10DB6CBD97BDA381701057E0690B7B299B6E863328037BAF49E9F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.398660495630439 |
Encrypted: | false |
SSDEEP: | 6144:X/4fiJoH0ncNXiUjt10q7G/gaocYGBoAWQqZaK7FIeC/FacXMMYfY8a:v4vF7MY6WQqYVtbcMc |
MD5: | 47998880EC7914FF94A9E08DD82CE61B |
SHA1: | DC532EE2E960D1968241F7E7E608E5EC2461239D |
SHA-256: | AD237E7E1C08DE8B09ECC4009D4DCD2900858C9EE7D5C4101C2CD8C4EEDDF7E6 |
SHA-512: | 6D3B347EED576BBA446CC6AF9BBFCD476C9C8166D7000D88501377491A31A632421556391F0C03C4C3A994C41C4CF6EFBA19408BF6EE48E47F45450EE26FD9AC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 3.7645686670896703 |
Encrypted: | false |
SSDEEP: | 768:lZrDoy6VGYxDdwRx2baNWG0bBAmpsIL1c+YRM:lZ5YzwW8n |
MD5: | BAD7EBB9A66BA3B375B333BEE35AA2B0 |
SHA1: | DC41FC14C831B9E9B8DA7053A39BCA8A8210337D |
SHA-256: | C73FCC75346234ED1FA785C8185618FAF9D81632577AE431E5DEC89D7BC5B18C |
SHA-512: | 40DAF9028D784846DD4723777E9470B5114EA0619CB63B5657DFD27667E1787905DD5AA79273D61D61D5AE7A053766058C9897EFC3A411698D57D4E81BF25BC9 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 1.7373895378352873 |
TrID: | |
File name: | 443_2003_https-df.exe |
File size: | 7'168 bytes |
MD5: | 8d9c0f42baf129d1b430a01463dd7870 |
SHA1: | 4054be8879b458c034340b19311baa42218c216d |
SHA256: | b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83 |
SHA512: | 02831aafecd02359f63e8f13f50835ccd1e76abfd23b9586156351ca3ce5f7e1cb9846a6c64f538c9a9c9d2b96a0317a10ae5b6ef4631d67b30da61ba3b8db02 |
SSDEEP: | 24:eFGStrJ9u0/6ikY/nZd8rBQAV2G1Y+HKkn2DOIRwQ78IW29buoR9svcJBepmB:is0mYb4BQWq+H7CO1Q7PWAqoRikJDB |
TLSH: | D2E1B32372391CF6C89C463B4A63D04B65489B347F27E3FA8B14020FB9F201139B1C86 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..|E..t=..|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140004000 |
Entrypoint Section: | .jcho |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b4c6fff030479aa3b12625be67bf4914 |
Instruction (entry-point disassembly at 0x140004000 in section .jcho). The listing was decoded as 32-bit code, so the REX prefixes of this 64-bit code appear as spurious one-byte instructions such as `dec eax`, `inc ecx`, `dec ebp` and `dec esp`; the `ror ecx, 0Dh` / `add ecx, eax` loop over the PEB's loaded-module list is the Metasploit API-hashing routine that the Windows_Trojan_Metasploit_c9773203 rule above identifies:

```asm
cld
dec eax
and esp, FFFFFFF0h
call 00007EFF0CE85E81h
inc ecx
push ecx
inc ecx
push eax
push edx
push ecx
dec eax
xor edx, edx
push esi
dec eax
mov edx, dword ptr [edx+60h]
dec eax
mov edx, dword ptr [edx+18h]
dec eax
mov edx, dword ptr [edx+20h]
dec eax
movzx ecx, word ptr [edx+4Ah]
dec eax
mov esi, dword ptr [edx+50h]
dec ebp
xor ecx, ecx
dec eax
xor eax, eax
lodsb
cmp al, 61h
jl 00007EFF0CE85DB4h
sub al, 20h
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
loop 00007EFF0CE85D9Fh
push edx
inc ecx
push ecx
dec eax
mov edx, dword ptr [edx+20h]
mov eax, dword ptr [edx+3Ch]
dec eax
add eax, edx
cmp word ptr [eax+18h], 020Bh
jne 00007EFF0CE85E28h
mov eax, dword ptr [eax+00000088h]
dec eax
test eax, eax
je 00007EFF0CE85E19h
dec eax
add eax, edx
inc esp
mov eax, dword ptr [eax+20h]
mov ecx, dword ptr [eax+18h]
dec ecx
add eax, edx
push eax
jecxz 00007EFF0CE85E08h
dec eax
dec ecx
inc ecx
mov esi, dword ptr [eax+ecx*4]
dec ebp
xor ecx, ecx
dec eax
add esi, edx
dec eax
xor eax, eax
lodsb
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
cmp al, ah
jne 00007EFF0CE85DA3h
dec esp
add ecx, dword ptr [esp+08h]
inc ebp
cmp ecx, edx
jne 00007EFF0CE85D8Ah
pop eax
inc esp
mov eax, dword ptr [eax+24h]
dec ecx
add eax, edx
inc cx
mov ecx, dword ptr [eax+ecx*2]
inc esp
mov eax, dword ptr [eax+1Ch]
dec ecx
add eax, edx
inc ecx
mov eax, dword ptr [eax+ecx*4]
dec eax
add eax, edx
inc ecx
pop eax
inc ecx
pop eax
pop esi
pop ecx
pop edx
inc ecx
pop eax
inc ecx
pop ecx
inc ecx
pop edx
dec eax
sub esp, 20h
inc ecx
```
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4358 | 0x6c | .jcho |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x43c8 | 0x8 | .jcho |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x104e | 0x1200 | a4a5deae25708a9e05f50bcad7075c86 | False | 0.025390625 | data | 0.16810049402497224 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x84 | 0x200 | 31b58e4b44359a1fdeebdccbe8f7a423 | False | 0.158203125 | data | 0.9669929845987311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.jcho | 0x4000 | 0x3d0 | 0x400 | d3df8e69479d1cf00626de02acc9eeda | False | 0.8193359375 | data | 6.142036294099521 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.dll | VirtualAlloc, ExitProcess |
- Total Packets: 12
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 13, 2025 09:48:31.447102070 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:31.447150946 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:31.447246075 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:31.477185965 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:31.477202892 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:33.947495937 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:33.947597980 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.067949057 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.067984104 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.068376064 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.068433046 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.071067095 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.116317987 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.636802912 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.636934996 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.636964083 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.637008905 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.637648106 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Mar 13, 2025 09:48:34.637698889 CET | 443 | 49683 | 74.82.86.0 | 192.168.2.9 |
Mar 13, 2025 09:48:34.637756109 CET | 49683 | 443 | 192.168.2.9 | 74.82.86.0 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 13, 2025 09:48:31.420587063 CET | 49227 | 53 | 192.168.2.9 | 1.1.1.1 |
Mar 13, 2025 09:48:31.439805984 CET | 53 | 49227 | 1.1.1.1 | 192.168.2.9 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 13, 2025 09:48:31.420587063 CET | 192.168.2.9 | 1.1.1.1 | 0x402d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 13, 2025 09:48:31.439805984 CET | 1.1.1.1 | 192.168.2.9 | 0x402d | No error (0) | | | 74.82.86.0 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.9 | 49683 | 74.82.86.0 | 443 | 2820 | C:\Users\user\Desktop\443_2003_https-df.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-13 08:48:34 UTC | 346 | OUT | |
2025-03-13 08:48:34 UTC | 198 | IN | |
2025-03-13 08:48:34 UTC | 210 | IN |
Target ID: | 0 |
Start time: | 04:48:30 |
Start date: | 13/03/2025 |
Path: | C:\Users\user\Desktop\443_2003_https-df.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x140000000 |
File size: | 7'168 bytes |
MD5 hash: | 8D9C0F42BAF129D1B430A01463DD7870 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 04:48:34 |
Start date: | 13/03/2025 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6099a0000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Coverage: | 34.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 12 |
Total number of Limit Nodes: | 1 |