Play interactive tour

Edit tour

Analysis Report IObitUnlocker.sys

Overview

General Information

Sample Name:	IObitUnlocker.sys
Analysis ID:	340296
MD5:	47aa03a10ac3a407f8f30f1088edcbc9
SHA1:	b5d78a1d3ae93bd343c6d65e64c0945d1d558758
SHA256:	c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66
Errors Nothing to analyse, Joe Sandbox has not found any analysis process or sample Corrupt sample or wrongly selected analyzer. Details: A device attached to the system is not functioning.

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Classification

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: IObitUnlocker.sys

ReversingLabs: Detection: 12%

Machine Learning detection for sample

Show sources

Source: IObitUnlocker.sys

Joe Sandbox ML: detected

Source: IObitUnlocker.sys

Static PE information: certificate valid

Source:

Binary string: f:\iobitsvn\c++\unlocker\driver\objchk_win7_amd64\amd64\IObitUnlocker.pdb source: IObitUnlocker.sys

Source: IObitUnlocker.sys	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: IObitUnlocker.sys	String found in binary or memory: http://ocsp.thawte.com0
Source: IObitUnlocker.sys	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: IObitUnlocker.sys	String found in binary or memory: http://s.symcd.com06
Source: IObitUnlocker.sys	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: IObitUnlocker.sys	String found in binary or memory: http://s2.symcb.com0
Source: IObitUnlocker.sys	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: IObitUnlocker.sys	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: IObitUnlocker.sys	String found in binary or memory: http://sv.symcd.com0&
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: IObitUnlocker.sys	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: IObitUnlocker.sys	String found in binary or memory: http://www.symauth.com/cps0(
Source: IObitUnlocker.sys	String found in binary or memory: http://www.symauth.com/rpa00
Source: IObitUnlocker.sys	String found in binary or memory: https://d.symcb.com/cps0%
Source: IObitUnlocker.sys	String found in binary or memory: https://d.symcb.com/rpa0
Source: IObitUnlocker.sys	String found in binary or memory: https://d.symcb.com/rpa0.

Source: IObitUnlocker.sys	Binary string: \Device\HarddiskDmVolumes\
Source: IObitUnlocker.sys	Binary string: \Device\IObitUnlockerDevice
Source: IObitUnlocker.sys	Binary string: \Device\HarddiskVolume1\unlocker.log

Source: classification engine

Classification label: mal52.winSYS@0/0@0/0

Source: IObitUnlocker.sys

ReversingLabs: Detection: 12%

Source: IObitUnlocker.sys

Static PE information: certificate valid

Source: IObitUnlocker.sys

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: f:\iobitsvn\c++\unlocker\driver\objchk_win7_amd64\amd64\IObitUnlocker.pdb source: IObitUnlocker.sys

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IObitUnlocker.sys	4%	Virustotal		Browse
IObitUnlocker.sys	5%	Metadefender		Browse
IObitUnlocker.sys	12%	ReversingLabs	Win64.PUA.IObitUnlocker
IObitUnlocker.sys	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	IObitUnlocker.sys	false		high
http://www.symauth.com/cps0(	IObitUnlocker.sys	false		high
http://www.symauth.com/rpa00	IObitUnlocker.sys	false		high
http://ocsp.thawte.com0	IObitUnlocker.sys	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	340296
Start date:	15.01.2021
Start time:	15:38:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 1m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IObitUnlocker.sys
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	0
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winSYS@0/0@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .sys Unable to launch sample, stop analysis
Errors:	Nothing to analyse, Joe Sandbox has not found any analysis process or sample Corrupt sample or wrongly selected analyzer. Details: A device attached to the system is not functioning.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (native) x86-64, for MS Windows
Entropy (8bit):	6.534009084883959
TrID:	Win64 Device Driver (generic) (12004/3) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	IObitUnlocker.sys
File size:	66824
MD5:	47aa03a10ac3a407f8f30f1088edcbc9
SHA1:	b5d78a1d3ae93bd343c6d65e64c0945d1d558758
SHA256:	c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66
SHA512:	3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101
SSDEEP:	1536:h0xAAJD9GvR6+SmcoWtW6RxJUVe9UVKghwR1xn:hyDw6+SmcoW0ixyVeWV8RLn
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.r.................=...................................................Rich............................PE..d....(BY.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1c064
Entrypoint Section:	INIT
Digitally signed:	true
Imagebase:	0x10000
Subsystem:	native
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x594228AA [Thu Jun 15 06:26:50 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	878e0ad08d61b8eeabe5f33873401f2d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/23/2015 1:00:00 AM 3/24/2018 12:59:59 AM
Subject Chain	CN=IObit Information Technology, O=IObit Information Technology, L=Chengdu, S=Sichuan, C=CN
Version:	3
Thumbprint MD5:	015DE39AFB8FF135DFCAFC5E64FAAF37
Thumbprint SHA-1:	72E43BDF20C3532371DD5A0A4BB27E0B3DA44248
Thumbprint SHA-256:	691719047BDADC45AC3537CD867753EDEDA21C07FB7626E1A91962A9740E890E
Serial:	454A6CD2E1E63CA9D542DFDAB518FED9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec esp
mov eax, edx
dec esp
mov ecx, ecx
call 00007FA5E8C2F83Ah
dec ecx
mov edx, eax
dec ecx
mov ecx, ecx
dec eax
add esp, 28h
jmp 00007FA5E8C24A73h
int3
int3
mov al, C0h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
rol dh, 00000000h
add byte ptr [eax], al
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push 000000C2h
add byte ptr [eax], al
add byte ptr [eax+000000C2h], al
add byte ptr [eax], al
add byte ptr [eax+000000C2h], bl
add byte ptr [eax], al
add byte ptr [edx+eax*8+00000000h], ch
add byte ptr [eax], al
mov esi, 000000C2h
add byte ptr [eax], al
add ah, dl
retn 0000h
add byte ptr [eax], al
add byte ptr [eax], al
in al, dx
retn 0000h
add byte ptr [eax], al
add byte ptr [eax], al
inc dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ss
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, C3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jo 00007FA5E8C2F865h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov bx, es
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmpsb
ret
add byte ptr [eax], al

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc084	0x28	INIT
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb000	0x3a8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9e00	0x6708
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x1b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7fed	0x8000	False	0.358184814453	data	5.40373293752	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x4e8	0x600	False	0.4296875	data	3.59156431085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.data	0xa000	0x170	0x200	False	0.125	data	0.611685037312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
.pdata	0xb000	0x3a8	0x400	False	0.5322265625	data	3.89550684067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
INIT	0xc000	0x6e6	0x800	False	0.4638671875	data	4.72418546261	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xd000	0x370	0x400	False	0.3837890625	data	2.94391235696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.reloc	0xe000	0x24	0x200	False	0.052734375	GLS_BINARY_LSB_FIRST	0.153703185652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd060	0x30c	data	English	United States

Imports

DLL

Import

ntoskrnl.exe

ExAllocatePoolWithTag, IoDeleteSymbolicLink, ExFreePoolWithTag, IoDeleteDevice, IofCompleteRequest, IoCreateSymbolicLink, IoCreateDevice, RtlAssert, _wcsnicmp, ZwReadFile, IoGetRelatedDeviceObject, MmGetSystemRoutineAddress, KeInitializeEvent, ExInterlockedPopEntryList, KeDelayExecutionThread, IoFileObjectType, ZwWaitForSingleObject, ZwClose, ObReferenceObjectByHandle, KeWaitForSingleObject, RtlCompareUnicodeString, IoAllocateIrp, ObfDereferenceObject, ZwWriteFile, DbgPrint, IofCallDriver, _wcsicmp, PsGetProcessPeb, PsLookupProcessByProcessId, ZwQuerySymbolicLinkObject, RtlInitUnicodeString, KeSetEvent, RtlAppendUnicodeToString, IoCreateFile, ZwQuerySystemInformation, ZwOpenSymbolicLinkObject, KeUnstackDetachProcess, ObQueryNameString, ZwCreateFile, wcsrchr, ZwQueryDirectoryFile, _vsnwprintf, RtlAppendUnicodeStringToString, ZwDuplicateObject, IoFreeIrp, ZwOpenProcess, PsGetCurrentProcessId, MmIsAddressValid, ZwTerminateProcess, ZwQueryInformationFile, ExInterlockedPushEntryList, KeStackAttachProcess, KeBugCheckEx, __C_specific_handler

Version Infos

Description	Data
LegalCopyright	IObit Copyright 2005-2013
InternalName	IObitUnlocker.sys
FileVersion	1.2.0.1 built by: WinDDK
CompanyName	IObit
ProductName	IObitUnlocker
ProductVersion	1.2.0.1
FileDescription	IObitUnlocker Driver
OriginalFilename	IObitUnlocker.sys
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IObitUnlocker.sys

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Disassembly