
Windows Analysis Report
wp-signup.php

Overview

General Information

Sample Name:wp-signup.php
Analysis ID:619968
MD5:2f1c426b9c3e4b01427bdc69262ee8de
SHA1:b1b180e5a0fbe2ccb2b5b96427ce8b09431cfc8e
SHA256:b827cdd9d417abaf9050bc1377aa67127a12f0128f59391714239668c03a011d
Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

  • System is w10x64
  • OpenWith.exe (PID: 5144 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • cleanup
No configs have been found
YARA matches (Source / Rule / Description / Author / Strings)

Source: wp-signup.php
Rule: webshell_php_dynamic_big
Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Author: Arnim Rupp
Strings:
  • 0x0:$new_php2: <?php
  • 0x0:$php_short: <?
  • 0x3df:$dynamic1: $ZlwBhrDSDRgGg($
  • 0x58c:$dynamic1: $QDDCsV($
  • 0x594:$dynamic1: $ZgrYiIWZWqok($
  • 0x5cc:$dynamic1: $QDDCsV($
  • 0x5d4:$dynamic1: $ZgrYiIWZWqok($
  • 0x60e:$dynamic1: $QDDCsV($
  • 0x616:$dynamic1: $ZgrYiIWZWqok($
  • 0x736:$dynamic1: $ZgrYiIWZWqok($
  • 0x762:$dynamic1: $ZgrYiIWZWqok($
  • 0x78b:$dynamic1: $ZgrYiIWZWqok($
  • 0x7b9:$dynamic1: $ZgrYiIWZWqok($
  • 0x801:$dynamic1: $NQBUfBHfuZziBLZ($
  • 0x828:$dynamic1: $ytXwLStiWQIO($
  • 0x860:$dynamic1: $NQBUfBHfuZziBLZ($
  • 0x891:$dynamic1: $ZgrYiIWZWqok($
  • 0x8cc:$dynamic1: $ZgrYiIWZWqok($
  • 0x933:$dynamic1: $ncnzwPdp($
  • 0x94b:$dynamic1: $ZlwBhrDSDRgGg($
  • 0xacf:$dynamic1: $GMXhdyVt($
Source: wp-signup.php
Rule: webshell_php_by_string_obfuscation
Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming
Author: Arnim Rupp
Strings:
  • 0x162:$opbs18: e'.'v'.'a'.'l
  • 0x3c8:$opbs24: e'.'co'.'d
  • 0x0:$php_short: <?
  • 0x0:$php_new2: <?php
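The two YARA hits above are the substantive finding on this page. The dynamic side of the report only shows OpenWith.exe (the "How do you want to open this file?" dialog) starting and idling, because the Windows 10 analysis system has no handler for a .php file, so the clean score says nothing about what the script does under a PHP interpreter. The rules describe two static patterns: a variable used as a function name with a variable argument (`$ZgrYiIWZWqok($`, the `$dynamic1` hits) and a keyword split into concatenated short literals (`'e'.'v'.'a'.'l'`). The Python below is an added example, not code from Joe Sandbox or from the signature-base rules: it approximates both patterns with regular expressions, resolves which function each alias points to, and runs over a constructed PHP snippet written in that style plus a benign one. The variable names in the samples, the placeholder blob and the SUSPICIOUS list are assumptions for the example, and the verdict logic is a simplification of the real rules.

```python
import re

# Functions a webshell typically reaches through an alias; assumption for this example.
SUSPICIOUS = {
    "eval", "assert", "create_function", "base64_decode", "gzinflate",
    "gzuncompress", "str_rot13", "system", "exec", "shell_exec", "passthru",
}

# "$name(" whose first argument is itself a variable: a variable used as a function
# name, the shape behind the report's $dynamic1 hits. The lookahead keeps nested
# calls such as $a($b($c($x))) from swallowing each other.
DYNAMIC_CALL = re.compile(r"\$([A-Za-z_]\w*)\s*\((?=\s*\$)")

# Two or more single-quoted literals joined with '.', e.g. 'e'.'v'.'a'.'l'
CONCAT_CHAIN = re.compile(r"'[^'\\]*'(?:\s*\.\s*'[^'\\]*')+")

# $name = <concat chain>;  the assignment that turns the chain into a callable alias
ALIAS_ASSIGN = re.compile(r"\$([A-Za-z_]\w*)\s*=\s*(" + CONCAT_CHAIN.pattern + r")\s*;")


def join_chain(chain: str) -> str:
    """Collapse 'e'.'v'.'a'.'l' into the literal it builds at runtime ('eval')."""
    return "".join(re.findall(r"'([^'\\]*)'", chain))


def concat_keywords(src: str) -> list:
    """Every concatenation chain with its byte offset and resolved text."""
    return [(m.start(), join_chain(m.group(0))) for m in CONCAT_CHAIN.finditer(src)]


def alias_map(src: str) -> dict:
    """Variable name -> function name it was assigned via a concatenation chain."""
    return {m.group(1): join_chain(m.group(2)) for m in ALIAS_ASSIGN.finditer(src)}


def dynamic_calls(src: str) -> list:
    """Offsets and variable names of $var($... call sites."""
    return [(m.start(), m.group(1)) for m in DYNAMIC_CALL.finditer(src)]


def triage(src: str) -> dict:
    """Static triage of one PHP source: counts, resolved aliases and a verdict.
    A lone $var($x) is legitimate PHP (callbacks), so the verdict needs a
    concatenated suspicious keyword or a call that resolves to one."""
    aliases = alias_map(src)
    calls = dynamic_calls(src)
    keywords = sorted({k for _, k in concat_keywords(src) if k in SUSPICIOUS})
    resolved = [aliases.get(name, "?") for _, name in calls]
    is_php = src.lstrip().startswith("<?")
    hit = is_php and (bool(keywords) or any(fn in SUSPICIOUS for fn in resolved))
    return {
        "is_php": is_php,
        "dynamic_calls": len(calls),
        "concat_keywords": keywords,
        "resolved_calls": resolved,
        "verdict": "suspicious" if hit else "no static indicator",
    }


def report(src: str) -> str:
    """Render the triage plus hit offsets in the hex form the sandbox report uses."""
    t = triage(src)
    aliases = alias_map(src)
    lines = [f"verdict: {t['verdict']}  dynamic calls: {t['dynamic_calls']}"]
    for off, name in dynamic_calls(src):
        lines.append(f"  0x{off:x}: ${name}( -> {aliases.get(name, '?')}")
    for off, text in concat_keywords(src):
        lines.append(f"  0x{off:x}: concatenated literal -> {text}")
    return "\n".join(lines)


# Constructed sample in the style the rules describe (NOT the report's wp-signup.php):
# three aliases built from split literals, then eval(gzinflate(base64_decode(blob))).
SAMPLE_OBFUSCATED = r"""<?php
set_time_limit(0);
$kJhWq = 'b'.'ase'.'64_'.'dec'.'o'.'de';
$pRtYz = 'gz'.'inf'.'late';
$mNbVc = 'e'.'v'.'a'.'l';
$blob = 'eJwLSS0uAQAEXQHB';  /* placeholder, not a real payload */
$mNbVc($pRtYz($kJhWq($blob)));
"""

# Constructed benign sample: ordinary named calls and a string concatenation
# that does not assemble a keyword.
SAMPLE_BENIGN = r"""<?php
$user = sanitize_user($_POST['user_name']);
$greeting = 'Hello, ' . $user . '!';
echo esc_html($greeting);
"""

if __name__ == "__main__":
    print(report(SAMPLE_OBFUSCATED))
    print(report(SAMPLE_BENIGN))
```

Running the script prints one report per sample: the obfuscated one resolves its three `$var(` call sites to eval, gzinflate and base64_decode, while the benign one has no dynamic call and no assembled keyword. The same alias-resolution step is what an analyst does by hand on the real sample before deciding whether the decoded blob needs to be unpacked further.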
No Sigma rule has matched
No Snort rule has matched


Source: wp-signup.php, type: SAMPLE. Matched rule: webshell_php_dynamic_big; date = 2021/02/07; author = Arnim Rupp; description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k; license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE; score =
Source: wp-signup.php, type: SAMPLE. Matched rule: webshell_php_by_string_obfuscation; date = 2021/01/09; author = Arnim Rupp; description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming; license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE; hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: C:\Windows\System32\OpenWith.exe. File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\OpenWith.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
Source: C:\Windows\System32\OpenWith.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine. Classification label: clean1.winPHP@1/0@0/0
Source: wp-signup.php. Joe Sandbox Cloud Basic: Detection: clean, Score: 2
Source: C:\Windows\System32\OpenWith.exe. Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\OpenWith.exe. Queries volume information (VolumeInformation) for: C:\Windows\Fonts\segoeui.ttf; C:\Windows\Fonts\seguisym.ttf (3 occurrences); C:\Windows\Fonts\seguisb.ttf (2 occurrences); C:\Windows\Fonts\segmdl2.ttf (2 occurrences); C:\Program Files\WindowsApps\Microsoft.WindowsStore_11712.1001.23.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png
MITRE ATT&CK matrix (columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Techniques with matched signatures:
  • Discovery: File and Directory Discovery (1), System Information Discovery (11)
Antivirus / multi-scanner results (Source / Detection / Scanner / Label)
  • wp-signup.php: 5%, Virustotal
  • wp-signup.php: 11%, Metadefender
  • wp-signup.php: 7%, ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:619968
Start date and time: 2022-05-04 06:05:43 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 29s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:wp-signup.php
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winPHP@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.210.154, 40.126.32.68, 20.190.160.22, 40.126.32.74, 40.126.32.136, 20.190.160.14, 40.126.32.133, 40.126.32.134, 40.126.32.76, 20.40.129.122
  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, arc.trafficmanager.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, arc.msn.com, login.msa.msidentity.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time / Type / Description
06:06:43 / API Interceptor / 1x Sleep call for process: OpenWith.exe modified
No created / dropped files found
File type:PHP script, ASCII text, with very long lines
Entropy (8bit):6.043265800578498
TrID:
    File name:wp-signup.php
    File size:179123
    MD5:2f1c426b9c3e4b01427bdc69262ee8de
    SHA1:b1b180e5a0fbe2ccb2b5b96427ce8b09431cfc8e
    SHA256:b827cdd9d417abaf9050bc1377aa67127a12f0128f59391714239668c03a011d
    SHA512:fe02cf7147ccc60e9eb97dad405d2a30a9acbffe14550f7890eb52edb01166dd901be59d3edbd61fe9db5319e4e6793d98e21b575441b796c04cbd5e3b40b205
    SSDEEP:3072:LcnNvEQnoYYLqUX10OG3aRDZ8IZZqpWxunF9Yzff1ktethFzCUPfWiyhPEilI//:Oo1qM10OGKFZmW4Yzff1zgUnWiyai2X
    TLSH:7A04230B699A3286F54D619112A4407D2BD430048B9C51D273FA1FDDB88EB19AF9FFE0
    File Content Preview:<?php.set_time_limit(0);.ini_set('memory_limit', '-1');.$ChJEsJbrSOGlr = array(..'usgytpFkh' => 'admin',..'palWPdgjTXOHXXOD' => '33e268b738572087a821e9ea5108d332',..'saefHqYkzpt' => '0',..'loVXxveqHpqlKR' => '403',..'shaUGtAh' => '1',..'poDaHYYNUiJShbvvg'
    Icon Hash:74f0e4e4e4e4e0e4
    No network behavior found


    Target ID:0
    Start time:06:06:42
    Start date:04/05/2022
    Path:C:\Windows\System32\OpenWith.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\OpenWith.exe -Embedding
    Imagebase:0x7ff641440000
    File size:111120 bytes
    MD5 hash:D179D03728E95E040A889F760C1FC402
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly