Windows
Analysis Report
http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Confidence: | 60% |
Signatures
Classification
- System is w11x64_office
cmd.exe (PID: 6548 cmdline:
C:\Windows \system32\ cmd.exe /c wget -t 2 -v -T 60 -P "C:\Use rs\user\De sktop\down load" --no -check-cer tificate - -content-d isposition --user-ag ent="Mozil la/5.0 (Wi ndows NT 6 .1; WOW64; Trident/7 .0; AS; rv :11.0) lik e Gecko" " http://dow nload.bjca .org.cn/do wnload/hel p/certific ate/CertAp pEnv_Setup .exe" > cm dline.out 2>&1 MD5: 7B2C2B671D3F48A01B334A0070DEC0BD) conhost.exe (PID: 6644 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 9698384842DA735D80D278A427A229AB) wget.exe (PID: 6968 cmdline:
wget -t 2 -v -T 60 - P "C:\User s\user\Des ktop\downl oad" --no- check-cert ificate -- content-di sposition --user-age nt="Mozill a/5.0 (Win dows NT 6. 1; WOW64; Trident/7. 0; AS; rv: 11.0) like Gecko" "h ttp://down load.bjca. org.cn/dow nload/help /certifica te/CertApp Env_Setup. exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- cleanup
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
- • Networking
- • System Summary
- • Malware Analysis System Evasion
- • HIPS / PFW / Operating System Protection Evasion
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 3 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
download.bjca.org.cn.w.kunlunca.com | 61.170.79.113 | true | false | unknown | |
download.bjca.org.cn | unknown | unknown | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
61.170.79.113 | download.bjca.org.cn.w.kunlunca.com | China | 4812 | CHINANET-SH-APChinaTelecomGroupCN | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1671062 |
Start date and time: | 2025-04-22 15:15:42 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | urldownload.jbs |
Sample URL: | http://download.bjca.org.cn/download/help/certificate/CertAppEnv_Setup.exe |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean1.win@4/1@1/1 |
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, ctldl.windowsupdate.com - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: http:/
/download.bjca.org.cn/download /help/certificate/CertAppEnv_S etup.exe
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 399 |
Entropy (8bit): | 5.139812615666659 |
Encrypted: | false |
SSDEEP: | 12:H0kwYkplktmLuoF3kplk6t1De5Rhh8ooB3v:roFMxePP8Zf |
MD5: | 3FAD9D182FEBF087A772191CF185726E |
SHA1: | 163BE3B283D926460F9C150B4FFC9F9EB1DE051E |
SHA-256: | EA6E54E62D763E26621A757ED6DAB1E46F616F640689627A169BEF8D37715E45 |
SHA-512: | 9CBE8798BC1FE3ACB49A77BF480FCD3527E0935647E086E3B5A69AFBC34960662DFF9F75BB974879F96B94551C2CD2626B6B4DF9478B1213AA39A1A72D9AACB7 |
Malicious: | false |
Reputation: | low |
Preview: |
Download Network PCAP: filtered – full
- Total Packets: 7
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 22, 2025 15:16:37.090017080 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Apr 22, 2025 15:16:38.097575903 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Apr 22, 2025 15:16:38.382617950 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24 |
Apr 22, 2025 15:16:38.382702112 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Apr 22, 2025 15:16:38.383625031 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Apr 22, 2025 15:16:38.641097069 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24 |
Apr 22, 2025 15:16:38.641160011 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Apr 22, 2025 15:16:38.668365955 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24 |
Apr 22, 2025 15:16:38.849124908 CEST | 80 | 60825 | 61.170.79.113 | 192.168.2.24 |
Apr 22, 2025 15:16:38.887326956 CEST | 60825 | 80 | 192.168.2.24 | 61.170.79.113 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 22, 2025 15:16:36.320318937 CEST | 64788 | 53 | 192.168.2.24 | 1.1.1.1 |
Apr 22, 2025 15:16:37.084569931 CEST | 53 | 64788 | 1.1.1.1 | 192.168.2.24 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 22, 2025 15:16:36.320318937 CEST | 192.168.2.24 | 1.1.1.1 | 0xa0a | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | download.bjca.org.cn.w.kunlunca.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.113 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.107 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.112 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.114 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.109 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.108 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.110 | A (IP address) | IN (0x0001) | false | ||
Apr 22, 2025 15:16:37.084569931 CEST | 1.1.1.1 | 192.168.2.24 | 0xa0a | No error (0) | 61.170.79.111 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.24 | 60825 | 61.170.79.113 | 80 | 6968 | C:\Windows\SysWOW64\wget.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 22, 2025 15:16:38.383625031 CEST | 242 | OUT | |
Apr 22, 2025 15:16:38.849124908 CEST | 820 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 09:16:34 |
Start date: | 22/04/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xda0000 |
File size: | 245'760 bytes |
MD5 hash: | 7B2C2B671D3F48A01B334A0070DEC0BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 09:16:34 |
Start date: | 22/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7bdef0000 |
File size: | 1'040'384 bytes |
MD5 hash: | 9698384842DA735D80D278A427A229AB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 09:16:35 |
Start date: | 22/04/2025 |
Path: | C:\Windows\SysWOW64\wget.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 3'895'184 bytes |
MD5 hash: | 3DADB6E2ECE9C4B3E1E322E617658B60 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |