Windows
Analysis Report
443_2003_https-df.exe
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 443_2003_https-df.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\443_2003_https-df.exe" MD5: 8D9C0F42BAF129D1B430A01463DD7870)
  - WerFault.exe (PID: 6160 cmdline: C:\Windows\system32\WerFault.exe -u -p 7004 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
- cleanup
{
"Type": "Metasploit Connect",
"URL": "http://good.com:443/8vQ22xQg7LNTDlIMNMPQYArU3f6H02_CZ8OOidXHMpAcnJyNIO6pn76hpViAmussoSRLD1bYoU6XZKlPgy7zC1CqcV1CM8wQUy9ZNCBo7-biF1YmM12TNtT9dyohlNI7ULo8ROSViioXkYj1b3ud_S"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_MetasploitPayload_2 | Yara detected Metasploit Payload | Joe Security | |
| | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
| | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
| | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
| | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown | |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Lowering of HIPS / PFW / Operating System Security Settings
- Remote Access Functionality
AV Detection
- Avira
- Malware Configuration Extractor
- Virustotal (Perma Link)
- ReversingLabs
- Integrated Neural Analysis Model
- HTTPS traffic detected
Networking
- URLs
- JA3 fingerprint
- HTTP traffic detected
- UDP traffic detected without corresponding DNS query
- Code function: 1_2_00000001400042B6
- HTTP traffic detected
- DNS traffic detected
- String found in binary or memory (7 entries)
- Network traffic detected (2 entries)
- HTTPS traffic detected
System Summary
- Matched rule (10 entries)
- Process created
- Matched rule (10 entries)
- Classification label
- Mutant created
- File created
- Key opened
- Virustotal
- ReversingLabs
- Process created (2 entries)
- Section loaded (30 entries)
- Key value queried
- Static PE information (4 entries)
- Process information set (55 entries)
- Binary or memory string (36 entries)
Remote Access Functionality
- File source (5 entries)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 78% | Virustotal | | |
| | 84% | ReversingLabs | Win64.Hacktool.MetaSploit | |
| | 100% | Avira | TR/Crypt.XPACK.Gen7 | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
| | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
good.com | 74.82.70.131 | true | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
74.82.70.131 | good.com | Canada | | 18705 | RIMBLACKBERRYCA | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1636969 |
Start date and time: | 2025-03-13 09:52:25 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 29s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 443_2003_https-df.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@2/6@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 40.71.93.126, 40.126.31.73, 4.175.87.197
- Excluded domains from analysis (whitelisted): onedsblobvmssprdeus02.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
good.com | | | malicious | SystemBC | | |
good.com | | | malicious | Outlook Phishing, HTMLPhisher | | |
good.com | | | malicious | Unknown | | |
good.com | | | malicious | Unknown | | |
good.com | | | malicious | Unknown | | |
good.com | | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
RIMBLACKBERRYCA | | | malicious | Mirai | | |
RIMBLACKBERRYCA | | | malicious | Mirai | | |
RIMBLACKBERRYCA | | | malicious | Unknown | | |
RIMBLACKBERRYCA | | | malicious | Unknown | | |
RIMBLACKBERRYCA | | | malicious | Mirai | | |
RIMBLACKBERRYCA | | | malicious | Mirai, Okiru | | |
RIMBLACKBERRYCA | | | malicious | Mirai | | |
RIMBLACKBERRYCA | | | malicious | Unknown | | |
RIMBLACKBERRYCA | | | malicious | Mirai | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | Unknown | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | Unknown | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | GuLoader | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | GuLoader, Snake Keylogger | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | Remcos, GuLoader | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | GuLoader, Snake Keylogger | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | GuLoader | | |
37f463bf4616ecd445d4a1937da06e19 | | | malicious | GuLoader | | |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0043118873206132 |
Encrypted: | false |
SSDEEP: | 96:IaFuu8d9sbhEod7JfTQXIDcQqc6mcEKcw34eE+HbHg/KAgOg0dl/phsv5o1OyWCB:rAuk9D0kigMSjZThGzuiFNZ24lO87 |
MD5: | 816CD8139B4D91B343BBE2FD5B5669D6 |
SHA1: | 26EF2DD05D0EE26A8268BC8EF5D2149FB58818B5 |
SHA-256: | BD1ADF49D3C67F976463F8D87089F709B6936F8FB0E148FBADFD6F510A810812 |
SHA-512: | 0688D06C54431B8ED4AE7BBA1591AFF6F30145D32B1AEA8563688A49FFB7806F7570E7C1B65AFFB81B01BF4D160EC0A683BD96B37B4C4A490F3DA8ADC935179C |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 160232 |
Entropy (8bit): | 1.4455567755816838 |
Encrypted: | false |
SSDEEP: | 768:Q9yIcQwFsCuvAjvgfQ7YAgc4bha62wl9nb:QfmsCuojvgfQ7YAgc4bha6lpb |
MD5: | 4C68CF5BD7F33C1A8634D0FD61F20EFC |
SHA1: | E377645193489767B605CBD408334261FA2473C6 |
SHA-256: | 3088D5D3B17D1C855992AC9CD6590152260B512063E754F8479A849D21CF62DF |
SHA-512: | 053CBA7AD2105624D5040FCF9A622FD9C11B03CC2B26EA790473DBE10E5B83D0C755B24739B4350A1538C3B782B9DD2AB6A69DC70F267AEF32FE6FA47FC1F45A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8796 |
Entropy (8bit): | 3.7088820347658764 |
Encrypted: | false |
SSDEEP: | 192:R6l7wVeJlun+JB6YZ3M5gmfZ4bQpD989bSEcfRGm:R6lXJEW6Y5KgmfZUSnf5 |
MD5: | 55F5B04232CF560F9EA65012DD2FD3D8 |
SHA1: | BEB9F65D1B8BF9624E6D39636244BE6E68BED464 |
SHA-256: | C9D04123B874D0E5FCA9351C837CDD7EED13D9853E507235A967427FCB04A7F6 |
SHA-512: | E1B57A7B1FB9A3D88A0CC150F289D06527EE62872244495153654055753ABF8E30A85948508B6DD5E77847879931DE1F6387BCD98720C429EACFF4EA673C67E7 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4719 |
Entropy (8bit): | 4.505808223938844 |
Encrypted: | false |
SSDEEP: | 48:cvIwWl8zsfJg771I9GZWpW8VYWRYm8M4JDtOKFNyq85kCOhLLBJBd:uIjfBI7No7VoJJJMCLdJBd |
MD5: | 74BA99FF1048E90ACC17715F863A6C48 |
SHA1: | 80A577EBFF5F6E196A8BC1828887119C8FEB3FF5 |
SHA-256: | 4DCE9CA2A9DF3162AEC3E3128C5FC289A787CF1B31ACA8336A63A827815BD3C5 |
SHA-512: | 4FE0D8DA1B5F370B22540C5D78D9D66D935C28B46482711861C481CB39BC7BB26FD391497C050B22166DCE0C3B5B4B1B59D996B7107A05BCA4B9718824900444 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1835008 |
Entropy (8bit): | 4.473442401912993 |
Encrypted: | false |
SSDEEP: | 6144:q9Zfpi6ceLPx9skLmb0fUZWSP3aJG8nAge03BQqZaKFFIeC/DNcXRtdLrI:eZHtUZWOcxQqYzruhtC |
MD5: | 18886A7E33CC39A4A70276BEEF3F4EEC |
SHA1: | 6452F4999F663EF588066E6C60F3BC2FE32B6219 |
SHA-256: | C98B82A7E261E52502066C5B9E87093E70AE5B7DB28AC02E7307726AD9E997B8 |
SHA-512: | 2113766E13C26580C4C92CC23B766740375AFEBE2A9B5C45F1C078C991C1F1905254D466FE30F8B50AE9DDF2AD6C935342D4121F2B57B0EE5E1D3DAB8D2A5C2B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 3.922787775675884 |
Encrypted: | false |
SSDEEP: | 768:yvwDoUrCjyutmUu/fR86dzsjO2qloWysUe/a9X:yvkuMUuHhIbms |
MD5: | 14C6160A38CB8FEDF4E16D851D6CB4AA |
SHA1: | D872E876F61941A74B9C620195894105511FD0D2 |
SHA-256: | 74F0146024163CEF2AFC3BBDDA34AF3FCE4876D6677D99CCE0CF36B1A8CDA67B |
SHA-512: | A960007DD8FD3F944DEB8097569BB49F16EC8F8E270475788C47BD2682A07CDC0A1E352DE94E7B7CF2CB21EE3EF9EE8259DDF998188E3C09AA3B54CE5C55D143 |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 1.7373895378352873 |
TrID: |
|
File name: | 443_2003_https-df.exe |
File size: | 7'168 bytes |
MD5: | 8d9c0f42baf129d1b430a01463dd7870 |
SHA1: | 4054be8879b458c034340b19311baa42218c216d |
SHA256: | b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83 |
SHA512: | 02831aafecd02359f63e8f13f50835ccd1e76abfd23b9586156351ca3ce5f7e1cb9846a6c64f538c9a9c9d2b96a0317a10ae5b6ef4631d67b30da61ba3b8db02 |
SSDEEP: | 24:eFGStrJ9u0/6ikY/nZd8rBQAV2G1Y+HKkn2DOIRwQ78IW29buoR9svcJBepmB:is0mYb4BQWq+H7CO1Q7PWAqoRikJDB |
TLSH: | D2E1B32372391CF6C89C463B4A63D04B65489B347F27E3FA8B14020FB9F201139B1C86 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..|E..t=..|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x140004000 |
Entrypoint Section: | .jcho |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b4c6fff030479aa3b12625be67bf4914 |
Instruction |
---|
cld |
dec eax |
and esp, FFFFFFF0h |
call 00007F4F04C09661h |
inc ecx |
push ecx |
inc ecx |
push eax |
push edx |
push ecx |
dec eax |
xor edx, edx |
push esi |
dec eax |
mov edx, dword ptr [edx+60h] |
dec eax |
mov edx, dword ptr [edx+18h] |
dec eax |
mov edx, dword ptr [edx+20h] |
dec eax |
movzx ecx, word ptr [edx+4Ah] |
dec eax |
mov esi, dword ptr [edx+50h] |
dec ebp |
xor ecx, ecx |
dec eax |
xor eax, eax |
lodsb |
cmp al, 61h |
jl 00007F4F04C09594h |
sub al, 20h |
inc ecx |
ror ecx, 0Dh |
inc ecx |
add ecx, eax |
loop 00007F4F04C0957Fh |
push edx |
inc ecx |
push ecx |
dec eax |
mov edx, dword ptr [edx+20h] |
mov eax, dword ptr [edx+3Ch] |
dec eax |
add eax, edx |
cmp word ptr [eax+18h], 020Bh |
jne 00007F4F04C09608h |
mov eax, dword ptr [eax+00000088h] |
dec eax |
test eax, eax |
je 00007F4F04C095F9h |
dec eax |
add eax, edx |
inc esp |
mov eax, dword ptr [eax+20h] |
mov ecx, dword ptr [eax+18h] |
dec ecx |
add eax, edx |
push eax |
jecxz 00007F4F04C095E8h |
dec eax |
dec ecx |
inc ecx |
mov esi, dword ptr [eax+ecx*4] |
dec ebp |
xor ecx, ecx |
dec eax |
add esi, edx |
dec eax |
xor eax, eax |
lodsb |
inc ecx |
ror ecx, 0Dh |
inc ecx |
add ecx, eax |
cmp al, ah |
jne 00007F4F04C09583h |
dec esp |
add ecx, dword ptr [esp+08h] |
inc ebp |
cmp ecx, edx |
jne 00007F4F04C0956Ah |
pop eax |
inc esp |
mov eax, dword ptr [eax+24h] |
dec ecx |
add eax, edx |
inc cx |
mov ecx, dword ptr [eax+ecx*2] |
inc esp |
mov eax, dword ptr [eax+1Ch] |
dec ecx |
add eax, edx |
inc ecx |
mov eax, dword ptr [eax+ecx*4] |
dec eax |
add eax, edx |
inc ecx |
pop eax |
inc ecx |
pop eax |
pop esi |
pop ecx |
pop edx |
inc ecx |
pop eax |
inc ecx |
pop ecx |
inc ecx |
pop edx |
dec eax |
sub esp, 20h |
inc ecx |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4358 | 0x6c | .jcho |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x43c8 | 0x8 | .jcho |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x104e | 0x1200 | a4a5deae25708a9e05f50bcad7075c86 | False | 0.025390625 | data | 0.16810049402497224 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x84 | 0x200 | 31b58e4b44359a1fdeebdccbe8f7a423 | False | 0.158203125 | data | 0.9669929845987311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.jcho | 0x4000 | 0x3d0 | 0x400 | d3df8e69479d1cf00626de02acc9eeda | False | 0.8193359375 | data | 6.142036294099521 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
DLL | Import |
---|---|
KERNEL32.dll | VirtualAlloc, ExitProcess |
- Total Packets: 12
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 13, 2025 09:53:44.384361029 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:44.384401083 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:44.384483099 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:44.398005962 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:44.398025036 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:46.675270081 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:46.675396919 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:46.763468027 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:46.763504028 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:46.763788939 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:46.763889074 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:46.765553951 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:46.812325001 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:47.207443953 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:47.207525969 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:47.207550049 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:47.207619905 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:47.208234072 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Mar 13, 2025 09:53:47.208292961 CET | 443 | 49683 | 74.82.70.131 | 192.168.2.6 |
Mar 13, 2025 09:53:47.208359957 CET | 49683 | 443 | 192.168.2.6 | 74.82.70.131 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 13, 2025 09:53:44.345118999 CET | 50729 | 53 | 192.168.2.6 | 1.1.1.1 |
Mar 13, 2025 09:53:44.360882998 CET | 53 | 50729 | 1.1.1.1 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 13, 2025 09:53:44.345118999 CET | 192.168.2.6 | 1.1.1.1 | 0xb4c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 13, 2025 09:53:44.360882998 CET | 1.1.1.1 | 192.168.2.6 | 0xb4c | No error (0) | | | 74.82.70.131 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.6 | 49683 | 74.82.70.131 | 443 | 7004 | C:\Users\user\Desktop\443_2003_https-df.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-13 08:53:46 UTC | 346 | OUT | |
2025-03-13 08:53:47 UTC | 198 | IN | |
2025-03-13 08:53:47 UTC | 210 | IN |
Target ID: | 1 |
Start time: | 04:53:42 |
Start date: | 13/03/2025 |
Path: | C:\Users\user\Desktop\443_2003_https-df.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x140000000 |
File size: | 7'168 bytes |
MD5 hash: | 8D9C0F42BAF129D1B430A01463DD7870 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 04:53:46 |
Start date: | 13/03/2025 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7dcb80000 |
File size: | 570'736 bytes |
MD5 hash: | FD27D9F6D02763BDE32511B5DF7FF7A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 34.2% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 12 |
Total number of Limit Nodes: | 1 |