Windows Analysis Report
HeOkukP.dll

Overview

General Information

Sample name: HeOkukP.dll
Analysis ID: 1502264
MD5: 57c5d2950f3b91f96c81ae32e1b01a44
SHA1: 53645e86895b877cfd5b8284dbcc8c0314337b8c
SHA256: d11a6b623af75e54374bea05172b2193f93e2a8aa479ed13a7b1d19dd3738245
Tags: dll

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: HeOkukP.dll Avira: detected
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonB Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json) Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json; Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsond Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.json Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/clrls/cl_rls.jsonu Avira URL Cloud: Label: malware
Source: env-3936544.jcloud.kz Virustotal: Detection: 5%
Source: HeOkukP.dll Virustotal: Detection: 40%
Source: HeOkukP.dll ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: HeOkukP.dll Joe Sandbox ML: detected
Source: HeOkukP.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.16 80
Source: global traffic HTTP traffic detected (3 identical requests):
GET /clrls/cl_rls.json HTTP/1.1
Host: www.rapidfilestorage.com
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 185.22.66.16
Source: Joe Sandbox View ASN Name: PSKZ
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected (3 identical requests):
GET /clrls/cl_rls.json HTTP/1.1
Host: www.rapidfilestorage.com
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.rapidfilestorage.com
Source: rundll32.exe, 00000009.00000003.1368971478.000000000339A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json)
Source: rundll32.exe, 00000009.00000002.1369354017.0000000003340000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1369059378.000000000333A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368849550.0000000003333000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.json;
Source: rundll32.exe, 00000007.00000003.1336450668.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.00000000028E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonB
Source: rundll32.exe, 00000009.00000003.1368849550.0000000003394000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368526440.000000000339A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.000000000339A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz
Source: rundll32.exe, 00000005.00000003.1336500957.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336963668.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsond
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/clrls/cl_rls.jsonu
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336201784.0000000002B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336352369.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337153187.000000000297D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336364192.0000000002971000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336389193.0000000002978000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336450668.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368930066.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1368971478.00000000033B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.00000000033B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release
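The seven Avira URL Cloud entries in the AV Detection section are one URL followed by whatever byte happened to sit after it in rundll32.exe memory (B, Lz, ), ;, d, u), and the path they share is exactly what the captured GET requested, with no User-Agent header. The script below is an added example, not part of the Joe Sandbox report: it collapses the memory-string variants into a single indicator by longest common prefix, checks a raw request for the "HTTP GET or POST without a user agent" condition, and hunts for the indicators in proxy logs. The request constant reproduces the report's captured request; the proxy log lines and their field layout are constructed for illustration.

```python
"""Canonicalise the C2 URL strings in this report and hunt for them in proxy logs."""
import os
from urllib.parse import urlsplit

# Copied verbatim from the AV Detection section of the report.
REPORT_URL_STRINGS = [
    "http://www.rapidfilestorage.com/clrls/cl_rls.jsonB",
    "http://www.rapidfilestorage.com/clrls/cl_rls.jsonLz",
    "http://www.rapidfilestorage.com/clrls/cl_rls.json)",
    "http://www.rapidfilestorage.com/clrls/cl_rls.json;",
    "http://www.rapidfilestorage.com/clrls/cl_rls.jsond",
    "http://www.rapidfilestorage.com/clrls/cl_rls.json",
    "http://www.rapidfilestorage.com/clrls/cl_rls.jsonu",
]
REPORT_C2_IP = "185.22.66.16"  # from the Network Connect entry

# The captured request from the Networking section, with CRLF line endings restored.
REPORT_REQUEST = (
    "GET /clrls/cl_rls.json HTTP/1.1\r\n"
    "Host: www.rapidfilestorage.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)


def canonical_urls(strings):
    """Collapse memory-string variants of one URL into a single indicator.

    Strings are grouped by scheme and host; the longest common prefix of a
    group is taken as the real URL provided it still carries a path.
    """
    groups = {}
    for s in strings:
        p = urlsplit(s)
        groups.setdefault((p.scheme, p.netloc), []).append(s)
    result = set()
    for members in groups.values():
        prefix = os.path.commonprefix(members)
        if urlsplit(prefix).path not in ("", "/"):
            result.add(prefix)
    return result


def parse_request(raw):
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_ua_less_request(raw):
    """The report's 'HTTP GET or POST without a user agent' signature."""
    req = parse_request(raw)
    return req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]


# Constructed proxy log (not from the report): time client method url status user-agent process.
# '-' denotes an absent User-Agent.
PROXY_LOG = [
    "2024-09-01T10:00:01Z 10.0.0.5 GET http://www.rapidfilestorage.com/clrls/cl_rls.json 200 - rundll32.exe",
    "2024-09-01T10:00:02Z 10.0.0.7 GET http://example.org/index.html 200 Mozilla/5.0 firefox.exe",
    "2024-09-01T10:00:03Z 10.0.0.9 GET http://185.22.66.16/clrls/cl_rls.json 200 - rundll32.exe",
]


def hunt(log_lines, url_iocs, ip_iocs):
    """Return (client, url, reasons) for each line that matches an indicator
    or the UA-less-rundll32 pattern seen in the sandbox."""
    hits = []
    for line in log_lines:
        _ts, client, _method, url, _status, ua, proc = line.split(" ", 6)
        reasons = []
        if url in url_iocs:
            reasons.append("url-ioc")
        if urlsplit(url).hostname in ip_iocs:
            reasons.append("ip-ioc")
        if ua == "-" and proc.lower() == "rundll32.exe":
            reasons.append("ua-less-rundll32")
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    iocs = canonical_urls(REPORT_URL_STRINGS)
    print(iocs, is_ua_less_request(REPORT_REQUEST))
    for hit in hunt(PROXY_LOG, iocs, {REPORT_C2_IP}):
        print(hit)
```

The prefix rule generalises beyond this sample: any set of memory strings that differ only in trailing bytes reduces to one indicator, and a variant that shares only the host (a different path) stays separate because the common prefix would lose its path. Block the canonical URL and the IP; the seven raw strings are not worth seven rules.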

System Summary

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C233B0 5_2_04C233B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04BD33B0 7_2_04BD33B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_056533B0 9_2_056533B0
Source: classification engine Classification label: mal88.evad.winDLL@10/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\2_PhpuzIakkdPWqpI
Source: HeOkukP.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Program Files\Mozilla Firefox\application.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HeOkukP.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HeOkukP.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
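The process tree above is the sandbox harness at work: loaddll32.exe (Joe Sandbox's own DLL loader) spawns cmd.exe and rundll32.exe to call the sample as `rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1`, a DLL in a user-writable directory invoked by export ordinal. On a real host the interesting part is the rundll32 command line and its parent, so the script below, an added example rather than anything from the report, parses rundll32 command lines and scores process-creation events on those three properties. The events are constructed in the shape of Sysmon process-creation records; the field names and the benign second event are assumptions.

```python
"""Flag rundll32 launches shaped like the ones in this report's process tree."""
import re

# Matches 'rundll32[.exe] <dll>,<export> ...' with or without quotes around the DLL
# and with or without a directory in front of rundll32.
_RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE,
)

# Directory fragments a standard user can write to (assumption: add your own).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed events; only the first reproduces a step of the report's tree.
EVENTS = [
    {   # cmd.exe -> rundll32.exe step from the report
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1',
    },
    {   # constructed benign-looking control-panel launch, for contrast
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {   # the report's conhost.exe child: not a rundll32 launch at all
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\loaddll32.exe",
        "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
]


def parse_rundll32(command_line):
    """Return {'dll', 'export', 'ordinal'} for a rundll32 command line, else None."""
    m = _RUNDLL32.match(command_line)
    if not m:
        return None
    export = m.group("export")
    return {"dll": m.group("dll"), "export": export, "ordinal": export.startswith("#")}


def score_event(event):
    """List the reasons a process-creation event resembles this report's rundll32 use."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    info = parse_rundll32(event["CommandLine"])
    if info is None:
        return []
    reasons = []
    dll = info["dll"].lower()
    if any(marker in dll for marker in USER_WRITABLE_MARKERS):
        reasons.append("dll-in-user-writable-path")
    if info["ordinal"]:
        reasons.append("export-by-ordinal")
    # cmd.exe is the parent in the report; loaddll32.exe is sandbox-only but kept
    # so the tree above scores as it would in telemetry.
    if event["ParentImage"].lower().endswith(("\\cmd.exe", "\\loaddll32.exe")):
        reasons.append("scripted-or-loader-parent")
    return reasons


def triage(events):
    """Return (command line, reasons) for every event with at least one reason."""
    out = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            out.append((event["CommandLine"], reasons))
    return out


if __name__ == "__main__":
    for command_line, reasons in triage(EVENTS):
        print(command_line, reasons)
```

Export-by-ordinal (`,#1`) on its own is how many legitimate installers call DLLs, and a user-writable path on its own covers every per-user application; the combination with a script-host or office parent is what makes this tree worth a rule, and the outbound connection from the same rundll32.exe process (Networking section) is the confirmation.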
Source: HeOkukP.dll Static file information: File size 6726144 > 1048576
Source: HeOkukP.dll Static PE information: Raw size of .data is bigger than: 0x100000 < 0x5ec800

Data Obfuscation

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C364F0 push eax; ret 5_2_04C3650E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C23395 push ecx; ret 5_2_04C233A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04BD3395 push ecx; ret 7_2_04BD33A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04BE64F0 push eax; ret 7_2_04BE650E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_056664F0 push eax; ret 9_2_0566650E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_05653395 push ecx; ret 9_2_056533A8
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (15 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.4 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000007.00000003.1335961205.0000000002963000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337105449.0000000002968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336429087.0000000002967000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: rundll32.exe, 00000005.00000003.1336028674.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1335749105.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336312907.0000000002B57000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1337134914.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1335961205.0000000002963000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1336974130.0000000002935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336229595.0000000002935000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1337105449.0000000002968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1336429087.0000000002967000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1369354017.0000000003340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000003.1336352369.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1336998419.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1336028674.0000000002AD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2F0EF EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_04C2F0EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C211A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_04C211A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04BD11A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_04BD11A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_056511A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_056511A4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.16 80
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HeOkukP.dll",#1

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_04C2E1C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 5_2_04C233B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 5_2_04C22C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 7_2_04BD33B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_04BDE1C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 7_2_04BD2C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 9_2_05652C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __crtGetLocaleInfoA_stat, 9_2_0565E1C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__calloc_crt,__invoke_watson, 9_2_056533B0
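A caveat on the anti-debugging and locale entries above: ___crtIsPackagedApp, ___crtGetLocaleInfoA, __crtGetLocaleInfoA_stat, __calloc_crt, __invoke_watson, __IsNonwritableInCurrentImage and _LocaleUpdate::_LocaleUpdate are internals of the statically linked Microsoft Visual C++ runtime, so the IsDebuggerPresent, OutputDebugStringW and GetLocaleInfo calls reached through them are present in essentially any MSVC-built binary and carry little weight by themselves. The behavioural evidence (the UA-less beacon from rundll32.exe, the GetModuleFileName to ExitProcess decision chain, the 6.7 MB DLL with a 0x5ec800-byte .data section) is what the verdict rests on. The script below is an added example, not part of the Joe Sandbox report: it parses the "Code function" lines from both sections, marks chains whose flagged API is wrapped in CRT symbols as CRT noise, and leaves bare chains for review. The last chain is constructed to show that outcome; the others are copied from the report.

```python
"""Triage the 'Code function' API chains behind this report's anti-debugging and
locale signatures: CRT boilerplate versus code that deserves a look."""
import re

# Joe Sandbox function ids look like <process>_<stage>_<hex address>.
_ID = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{6,}\b")

# Win32 APIs the report's signatures key on, matched as substrings so that CRT
# wrappers such as ___crtGetLocaleInfoA count as the API they wrap.
FLAGGED_APIS = {
    "IsDebuggerPresent": "anti-debug",
    "CheckRemoteDebuggerPresent": "anti-debug",
    "OutputDebugString": "anti-debug",
    "GetLocaleInfo": "locale",
    "GetUserDefaultUILanguage": "locale",
}

# Copied from the Anti Debugging and locale sections of the report.
REPORT_CODE_FUNCTIONS = [
    "5_2_04C2F0EF EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_04C2F0EF",
    "5_2_04C211A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_04C211A4",
    "_LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_04C2E1C6",
    "GetLocaleInfoW, 5_2_04C22C29",
    "__IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 5_2_04C233B0",
]
# Constructed, not from the report: a bare debugger check with no CRT around it.
CONSTRUCTED_CHAIN = "1_2_00401000 GetTickCount,IsDebuggerPresent,ExitProcess, 1_2_00401000"


def is_crt_symbol(name):
    """CRT internals carry a double-underscore prefix or a C++ scope operator."""
    return name.startswith("__") or "::" in name


def parse_code_function(line):
    """Split a report line into its function ids and its API chain."""
    ids = _ID.findall(line)
    chain = [t.strip() for t in _ID.sub("", line).split(",") if t.strip()]
    return ids, chain


def triage(line):
    """Classify one 'Code function' line.

    crt-noise: a flagged API appears, but the chain runs through CRT symbols.
    review: a flagged API appears with no CRT symbol in sight.
    no-flagged-api: nothing in the chain is itself a debugger or locale check.
    """
    ids, chain = parse_code_function(line)
    categories = sorted({cat for api, cat in FLAGGED_APIS.items()
                         if any(api in sym for sym in chain)})
    crt = [sym for sym in chain if is_crt_symbol(sym)]
    if not categories:
        verdict = "no-flagged-api"
    elif crt:
        verdict = "crt-noise"
    else:
        verdict = "review"
    return {"ids": ids, "categories": categories, "crt_symbols": crt, "verdict": verdict}


def triage_all(lines):
    """Return (first function id, verdict) for each line."""
    results = []
    for line in lines:
        t = triage(line)
        results.append((t["ids"][0], t["verdict"]))
    return results


if __name__ == "__main__":
    for fid, verdict in triage_all(REPORT_CODE_FUNCTIONS + [CONSTRUCTED_CHAIN]):
        print(fid, verdict)
```

The one report line that comes back as "review" is the bare GetLocaleInfoW at 5_2_04C22C29; it is one call away from the __crtGetLocaleInfoA wrappers, so the verdict only says that the line by itself does not settle it and the caller should be checked in the disassembly. The SetUnhandledExceptionFilter chain contains no debugger check at all and is reported as such.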