Edit tour

Windows Analysis Report
squirrel.exe

Overview

General Information

Sample Name:	squirrel.exe
Analysis ID:	799988
MD5:	407cf58bf93ea428c6444813119740a2
SHA1:	86cda5e68c7f5e6d3ddbe7ed76765e258b04290d
SHA256:	2b42847d184c2542e95a90da7f9c8baa212e0e2d729cc66af140b8a2750dfa6f
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains long sleeps (>= 3 min)

Classification

Process Tree

System is w10x64

squirrel.exe (PID: 5912 cmdline: C:\Users\user\Desktop\squirrel.exe MD5: 407CF58BF93EA428C6444813119740A2)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: squirrel.exe

Static PE information: certificate valid

Source: squirrel.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: squirrel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: squirrel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: squirrel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: squirrel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: squirrel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: squirrel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: squirrel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: squirrel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: squirrel.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: squirrel.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: squirrel.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: squirrel.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: squirrel.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: squirrel.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: squirrel.exe	String found in binary or memory: https://api.github.com/
Source: squirrel.exe	String found in binary or memory: https://api.github.com/#
Source: squirrel.exe	String found in binary or memory: https://github.com/myuser/myrepo

Source: squirrel.exe

Static PE information: No import functions for PE file found

Source: squirrel.exe	Binary or memory string: originalFileName vs squirrel.exe
Source: squirrel.exe, 00000000.00000002.257857415.0000000000A92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: originalFileName vs squirrel.exe
Source: squirrel.exe, 00000000.00000002.258117422.0000000000C52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUpdate.exe. vs squirrel.exe
Source: squirrel.exe, 00000000.00000002.258151069.00000000010FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs squirrel.exe
Source: squirrel.exe	Binary or memory string: originalFileName vs squirrel.exe
Source: squirrel.exe	Binary or memory string: OriginalFilenameUpdate.exe. vs squirrel.exe

Source: C:\Users\user\Desktop\squirrel.exe	Code function: 0_2_00007FFBAD430660		0_2_00007FFBAD430660
Source: C:\Users\user\Desktop\squirrel.exe	Code function: 0_2_00007FFBAD430587		0_2_00007FFBAD430587

Source: squirrel.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\squirrel.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: squirrel.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\squirrel.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\squirrel.exe C:\Users\user\Desktop\squirrel.exe
Source: C:\Users\user\Desktop\squirrel.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01

Source: C:\Users\user\Desktop\squirrel.exe

File created: C:\Users\user\Desktop\Squirrel-Unset.log

Jump to behavior

Source: squirrel.exe	String found in binary or memory: Z) # Lookahead for non-space at line-start, or end of doc
Source: squirrel.exe	String found in binary or memory: squirrel-install
Source: squirrel.exe	String found in binary or memory: --squirrel-install
Source: squirrel.exe	String found in binary or memory: Update.exe not found, not a Squirrel-installed app?
Source: squirrel.exe	String found in binary or memory: Failed to invoke post-install
Source: squirrel.exe	String found in binary or memory: --squirrel-install {0}
Source: squirrel.exe	String found in binary or memory: a=\|process-start-args=
Source: squirrel.exe	String found in binary or memory: b=\|baseUrl={Provides a base URL to prefix the RELEASES file packages with-a=\|process-start-args=iArguments that will be used when starting executable-l=\|shortcut-locations=
Source: squirrel.exe	String found in binary or memory: ((?=^[ ]{{0,{0}}}[^ \t\n])\|\Z) # Lookahead for non-space at line-start, or end of doc
Source: squirrel.exe	String found in binary or memory: onError%Downloading file: 1Failed downloading URL: #Downloading url: 1Failed to download url: !squirrel-install3Starting automatic update7Failed to check for updates5Failed to download updates/Failed to apply updates9Failed to set up uninstaller){0} {1}{2} {3} # {4}
Source: squirrel.exe	String found in binary or memory: Scanning {0}mIgnoring {0} as the target framework is not compatible%Writing {0} to {1}UCouldn't find file for package in {1}: {0}%--squirrel-install%--squirrel-updated'--squirrel-obsolete)--squirrel-uninstall'--squirrel-firstrunAFailed to handle Squirrel events[\StringFileInfo\040904B0\SquirrelAwareVersion)SquirrelAwareVersion;Failed to promote Tray icon:
Source: squirrel.exe	String found in binary or memory: ..\Update.exegUpdate.exe not found, not a Squirrel-installed app?
Source: squirrel.exe	String found in binary or memory: update.MNo release to install, running the appIFailed to install package to app dirIFailed to update local releases file;Failed to invoke post-install;Starting fixPinnedExecutables)Fixing up tray icons
Source: squirrel.exe	String found in binary or memory: -delta.nupkg$iCannot apply combinations of delta and full packagesQCouldn't run Squirrel hook, continuing: ---squirrel-updated {0}---squirrel-install {0}9Squirrel Enabled Apps: [{0}]wNo apps are marked as Squirrel-aware! Going to run them all-Failed to delete key: /--squirrel-obsolete {0}7Couldn't delete directory: QCoudln't run Squirrel hook, continuing: WcleanDeadVersions: checking for version {0}kcleanDeadVersions: exclude current version folder {0}ccleanDeadVersions: exclude new version folder {0}#"{0}" --uninstall

Source: classification engine

Classification label: clean3.winEXE@2/3@0/0

Source: squirrel.exe, SharpCompress/Common/Zip/WinzipAesCryptoStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: squirrel.exe, SharpCompress/Compressors/LZMA/AesDecoderStream.cs	Cryptographic APIs: 'CreateDecryptor'
Source: squirrel.exe, SharpCompress/Compressors/LZMA/AesDecoderStream.cs	Cryptographic APIs: 'TransformBlock'
Source: squirrel.exe, SharpCompress/Compressors/LZMA/AesDecoderStream.cs	Cryptographic APIs: 'TransformBlock'

Source: squirrel.exe, Squirrel/Utility.cs	Task registration methods: 'CreateZipFromDirectory'
Source: squirrel.exe, Squirrel/UpdateManager.cs	Task registration methods: 'CreateUninstallerRegistryEntry'
Source: squirrel.exe, Squirrel/Update/Program.cs	Task registration methods: 'createSetupEmbeddedZip', 'createExecutableStubForExe', 'createMsiPackage'
Source: squirrel.exe, Squirrel/IUpdateManager.cs	Task registration methods: 'CreateUninstallerRegistryEntry'

Source: squirrel.exe

Static file information: File size 1870640 > 1048576

Source: squirrel.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: squirrel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: squirrel.exe

Static PE information: certificate valid

Source: squirrel.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1be200

Source: squirrel.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\squirrel.exe

Code function: 0_2_00007FFBAD4371AF push esp; iretd

0_2_00007FFBAD4371B0

Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\squirrel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe TID: 5972

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe

Queries volume information: C:\Users\user\Desktop\squirrel.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\squirrel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	21 Virtualization/Sandbox Evasion	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
squirrel.exe	0%	ReversingLabs
squirrel.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/myuser/myrepo	squirrel.exe	false	high
https://api.github.com/#	squirrel.exe	false	high
https://api.github.com/	squirrel.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	799988
Start date and time:	2023-02-07 02:27:18 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	squirrel.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/3@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3.2% (good quality ratio 3.2%) Quality average: 77.6% Quality standard deviation: 13.1%
HCA Information:	Successful, ratio: 95% Number of executed functions: 4 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\squirrel.exe.log

Download File

Process:	C:\Users\user\Desktop\squirrel.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1265
Entropy (8bit):	5.3482778101486135
Encrypted:	false
SSDEEP:	24:ML9E4KrgKDE4KGKN08AKh7E4/wxQlEE48S6uE4zUAE4KvFc:MxHKEYHKGD8Ao7H/wxQlEH8cHz7HKK
MD5:	9368D03BA0999F4DBC877ED5F57D3AE9
SHA1:	6BD070A89464DEE1B3F90CF4C11BE8960238D4C5
SHA-256:	63F4634CBF8DD04A2DCDE8ADF07324F7FA33B8A49949BEBC96907C135EA11F60
SHA-512:	D02E216B26DF374D9ED5102A118CD6DFC84CBC71CDC66744C1DE88B0DE1081AFE3CD1EF1215A66F1176D0462763973424AB3E9A4524ED671D15E3C35CE3AD2FE
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\83c7ede68d13b2882d9b382e05efed26\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\46a2c27668386512a2b68c0ab20c8ca2\PresentationFramework.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Wi

C:\Users\user\Desktop\Squirrel-Unset.log

Download File

Process:	C:\Users\user\Desktop\squirrel.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	67
Entropy (8bit):	4.707349452552437
Encrypted:	false
SSDEEP:	3:5nF9/cW3KfF/5QEBM2F2UZHsOBEREov:ZcCKfFSVUB4Bv
MD5:	73D6B5C041AD48BABA69D50BD6154206
SHA1:	93F80BE15E793E91B7871C7DCB2EC5AFB0488923
SHA-256:	775C8BCF12B871380BAF3FD33FCA6FCE26A32204170AAD89AADB7D8C5B3E7CC5
SHA-512:	B14EBD26A34E208FB3B87C19908AB4884F20C3C3288E1FF7606D3A43F56CF4C1D1ABD47D7756F42BC32BA06C71680AFA9DB0287F1824B1D7870976C15E3E6006
Malicious:	false
Reputation:	low
Preview:	.[07/02/23 02:29:09] info: Program: Starting Squirrel Updater: ..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\squirrel.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2549
Entropy (8bit):	4.0792338041347564
Encrypted:	false
SSDEEP:	48:MPdT9BD+jBjatHqdMYvtHi2WxBk2GjKRW+XvcEwP1:M1pkjBjaGvQajfUcEwt
MD5:	9D268E08D7029210710B483F3D386161
SHA1:	485F034EF95A572FE2EEBDF06317B6168A29256A
SHA-256:	B0D94CB0F14A340406F485FCCBDD04B109A5B8EAFD310691EFE44833604B6B9D
SHA-512:	2A4CD6B7FA17EDDF075043765495769E7582AC7B1232841221AFF8794745999710AED108B63CB05A16EA3807C230664BE74A53E9D8AA7C69483426FD17A6A739
Malicious:	false
Reputation:	low
Preview:	Usage: Squirrel.exe command [OPTS]..Manages Squirrel packages....Commands.. --install=VALUE Install the app whose package is in the specified.. directory.. --uninstall Uninstall the app the same dir as Update.exe.. --download=VALUE Download the releases specified by the URL and.. write new results to stdout as JSON.. --checkForUpdate=VALUE Check for one available update and writes new.. results to stdout as JSON.. --update=VALUE Update the application to the latest remote.. version specified by URL.. --releasify=VALUE Update or generate a releases directory with a.. given NuGet package.. --createShortcut=VALUE Create a shortcut for the given executable name.. --removeShortcut=VALUE Remove a shortcut for the given executable name.. --updateSelf=VALUE Copy

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.928080870228547
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	squirrel.exe
File size:	1870640
MD5:	407cf58bf93ea428c6444813119740a2
SHA1:	86cda5e68c7f5e6d3ddbe7ed76765e258b04290d
SHA256:	2b42847d184c2542e95a90da7f9c8baa212e0e2d729cc66af140b8a2750dfa6f
SHA512:	e9f903f11851deceb19240a3f42740b35a3eebf7039b6550f9b99affacc2ef04993b2f109d442ad21e60ac9b13939e7d94bbc6303991b7bc5759de3aa6ad0a95
SSDEEP:	24576:rav+UvzLSrrg5P47tuwtOdoZoT60zOipX6LMGDI+HZ0VhtbvZzGnMKH27:pr7tnrnc5Vh1am
TLSH:	EF856A11A7D88E2BE56E26BAF431055963F2E9826373F78B2B48707D2BD37544D02363
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8..c.........."...................... ....@...... ..............................b^....@................................

File Icon


Icon Hash:	70cce6b2ba8ce470

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x630FB738 [Wed Aug 31 19:32:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/2/2021 5:00:00 PM 9/26/2023 4:59:59 PM
Subject Chain	CN="Postman, Inc.", O="Postman, Inc.", L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	B5318363B6AB4E1770DABA8A8B81F07D
Thumbprint SHA-1:	3B19835AEBF81A3643A7DFCC18B29B5EBF7DF168
Thumbprint SHA-256:	D3CC79314E510DDE8463754F900F88C8F707D0EF6460D621863D35A0AB220468
Serial:	0FAD7ED2A113874E1194198F2553727F

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c2000	0x7e78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1c6400	0x2730	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1be028	0x1be200	False	0.3737303866629308	data	5.8827036722604085	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1c2000	0x7e78	0x8000	False	0.58123779296875	data	6.160420939085719	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1c21ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON	0x1c2654	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x1c36fc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x1c5ca4	0x364b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x1c92f0	0x3e	data
RT_VERSION	0x1c9330	0x33c	data
RT_VERSION	0x1c966c	0x258	data	English	United States
RT_MANIFEST	0x1c98c4	0x5b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

Statistics

Click to jump to process

Memory Usage

• squirrel.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• squirrel.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: squirrel.exePID: 5912, Parent PID: 3452

Function Logs

General

Target ID:	0
Start time:	02:29:06
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\squirrel.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\squirrel.exe
Imagebase:	0xa90000
File size:	1870640 bytes
MD5 hash:	407CF58BF93EA428C6444813119740A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Other File Operations

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6012, Parent PID: 5912

Function Logs

General

Target ID:	1
Start time:	02:29:09
Start date:	07/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: squirrel.exePID: 5912, Parent PID: 3452COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FFBAD430587 Relevance: 2.6, Strings: 1, Instructions: 1357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+<, xrefs: 00007FFBAD43063E

Memory Dump Source

Source File: 00000000.00000002.258657160.00007FFBAD430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad430000_squirrel.jbxd

Similarity

API ID:
String ID: +<
API String ID: 0-1800757418
Opcode ID: 2a478724e4c1abd29141e235ae89f50d9f2eacdb378f7859438b1a7cea015084
Instruction ID: 2767fc6f251465cc24fbcbc0d59ecf8621aa27c7484fcd4abac4a06e85a7643a
Opcode Fuzzy Hash: 2a478724e4c1abd29141e235ae89f50d9f2eacdb378f7859438b1a7cea015084
Instruction Fuzzy Hash: 06828C72A0D65A4FEB5AE73CD4921F977D0FF89320B1401BAD58AC71A3ED286847C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD430660 Relevance: .7, Instructions: 689
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.258657160.00007FFBAD430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad430000_squirrel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9449d27e485b7731c9fa7153943991bda6adc5c59fe92c9aaa41314db953114
Instruction ID: ec733520472a0e2be2dcb86a6ddf8f056b7730681df31e655ed9be1f43efb0cb
Opcode Fuzzy Hash: e9449d27e485b7731c9fa7153943991bda6adc5c59fe92c9aaa41314db953114
Instruction Fuzzy Hash: 3922B47460DA094FDB5AEB2CC4859B9F7E1FF99310B1046B9D45AC32A6EE24FC42C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD436D58 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocConsole.KERNELBASE ref: 00007FFBAD436DEF

Memory Dump Source

Source File: 00000000.00000002.258657160.00007FFBAD430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad430000_squirrel.jbxd

Similarity

API ID: AllocConsole
String ID:
API String ID: 4167703944-0
Opcode ID: 0a9d526e8ffcd3b9fbb65936167b3f1c9c3f90bd5affc8d891c098d3b058d43b
Instruction ID: 1899ebe26d233e0ac8c8da905b37c3bdf7f2978718f4b61767612d72cc115d49
Opcode Fuzzy Hash: 0a9d526e8ffcd3b9fbb65936167b3f1c9c3f90bd5affc8d891c098d3b058d43b
Instruction Fuzzy Hash: 4F31D57190CB4C8FEB29DFA8D846BE9BBF0EF56321F00426ED089D3552DA746846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFBAD436C89 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AttachConsole.KERNELBASE ref: 00007FFBAD436D14

Memory Dump Source

Source File: 00000000.00000002.258657160.00007FFBAD430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffbad430000_squirrel.jbxd

Similarity

API ID: AttachConsole
String ID:
API String ID: 986699043-0
Opcode ID: ea4828f1b784695e62eccdc63fc3fa53ac6e63f291ecf1f9c1ec0ba900a8126d
Instruction ID: 2fcfa1d115c0bdf8ecbe6f6115b75ef842d782411c530ea04e8b27c5baaf93ca
Opcode Fuzzy Hash: ea4828f1b784695e62eccdc63fc3fa53ac6e63f291ecf1f9c1ec0ba900a8126d
Instruction Fuzzy Hash: FC21C17090CB4C8FDB19DF68D8496E9BBF0EF66321F04426FD049D3152DA646856CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report squirrel.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\squirrel.exe.log

C:\Users\user\Desktop\Squirrel-Unset.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: squirrel.exePID: 5912, Parent PID: 3452

General

File Activities

File Opened

File Created

File Written

Windows Analysis Report
squirrel.exe