Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561692
MD5: 03ca3823af479cb440c0283066b794b1
SHA1: fa607b381f390512effe17926dfe1783a48e1364
SHA256: a3e66240301c3b9a402704082ce72ed1055a5c3248406d3a0a1f1ac075798408
Tags: exeuser-Bitsight

Detection

JasonRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected JasonRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Virustotal: Detection: 37%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e60000.0.unpack
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 62.60.153.28:7777 -> 192.168.2.8:49704
Source: global traffic TCP traffic: 192.168.2.8:49704 -> 62.60.153.28:7777
Source: Joe Sandbox View ASN Name: IROST-ASIR IROST-ASIR
Source: unknown TCP traffic detected without corresponding DNS query: 62.60.153.28
Source: file.exe, 00000000.00000002.3879557807.0000000001562000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: file.exe, 00000000.00000002.3882886677.000000001C3DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabs
Source: file.exe, 00000000.00000002.3879557807.00000000015B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens
Source: file.exe, 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3880025576.000000000338F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B1326FF 0_2_00007FFB4B1326FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B1305D8 0_2_00007FFB4B1305D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B134684 0_2_00007FFB4B134684
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B137E95 0_2_00007FFB4B137E95
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B1308BC 0_2_00007FFB4B1308BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B132929 0_2_00007FFB4B132929
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B130590 0_2_00007FFB4B130590
Source: file.exe, 00000000.00000000.1435075958.0000000000E62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBaal.exe" vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameBaal.exe" vs file.exe
Source: file.exe, ----------------------------------------.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: file.exe, ----------------------------------------.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: file.exe, -----------------------------------------.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: file.exe, -----------------------------------------.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/2@0/2
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\winLog.txt
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Jason_XohomamJtomapasstan
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Virustotal: Detection: 37%
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devenum.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e60000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e60000.0.unpack
Source: file.exe, -----------------------------------------.cs .Net Code: _206B_200F_200E_206B_202E_200D_202A_200E_202D_206F_206E_202A_202B_206F_200D_206F_202A_200C_202B_200D_206E_206F_206F_200F_206B_206A_202B_200C_202E_206F_200F_200C_206E_202E_202A_200F_202D_200B_202B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: file.exe, -----------------------------------------.cs .Net Code: _202A_202C_200E_202E_202A_206D_206E_202D_202C_202D_200D_200E_202A_202A_200F_200F_202B_202D_200F_206A_206E_202E_202E_200E_202C_202C_200E_202D_200F_206D_200E_206F_200E_202A_202E_200E_206C_206C_206D_200E_202E System.AppDomain.Load(byte[])
Source: file.exe, -Module-.cs .Net Code: _200E_202D_206A_206D_202A_206F_202D_206B_206A_206A_200E_202A_206F_200D_206C_206A_200B_206A_200E_206D_200B_200D_200F_206D_202B_202D_200B_200E_202D_202C_206D_200B_202A_206D_200B_200D_200D_202E_202E_200D_202E System.Reflection.Assembly.Load(byte[])
Source: file.exe Static PE information: 0xF90FB8E8 [Wed May 31 22:19:20 2102 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B13A7A8 push eax; retf 0_2_00007FFB4B13A7BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B13E850 push ss; ret 0_2_00007FFB4B13E857
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B1300BD pushad ; iretd 0_2_00007FFB4B1300C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFB4B137569 push ebx; iretd 0_2_00007FFB4B13756A

Boot Survival

Source: Yara match File source: 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1B200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 457
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 9357
Source: C:\Users\user\Desktop\file.exe Window / User API: foregroundWindowGot 1293
Source: C:\Users\user\Desktop\file.exe TID: 6396 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5324 Thread sleep count: 457 > 30
Source: C:\Users\user\Desktop\file.exe TID: 5324 Thread sleep count: 9357 > 30
Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.3882658755.000000001C0B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3882658755.000000001C0BF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3879557807.0000000001562000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 00000000.00000002.3880025576.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2508, type: MEMORYSTR
Source: file.exe, 00000000.00000002.3882457306.000000001C000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct