Windows Analysis Report: OpenSSH-Win64.zip

Overview

General Information
Detection

| Score | 24 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 60% |
Signatures

- Creates files with lurking names (e.g. Crack.exe)
- Creates a DirectInput object (often for capturing keystrokes)
- Found inlined nop instructions (likely shell or obfuscated code)
- Drops PE files
- May sleep (evasive loops) to hinder dynamic analysis
- Detected potential crypto function
- Found dropped PE file which has not been started or loaded
- Creates a process in suspended mode (likely to inject code)
- Contains long sleeps (>= 3 min)
Classification
Analysis Advice

- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
- Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/" or "--").
- System is w10x64
  - unarchiver.exe (PID: 6808, cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\OpenSSH-Win64.zip", MD5: F737DE1D0C50E20064ACCB6647B50F6C)
    - 7za.exe (PID: 6840, cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\mnewwgmq.irc" "C:\Users\user\Desktop\OpenSSH-Win64.zip", MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      - conhost.exe (PID: 6868, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
- No configs have been found
- No yara matches
- No Sigma rule has matched
- No Snort rule has matched
- Compliance
- Software Vulnerabilities
- Networking
- Key, Mouse, Clipboard, Microphone and Screen Capturing
- System Summary
- Persistence and Installation Behavior
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
System Summary