ID: 205432 | Sample Name: shellcode.exe | Cookbook: default.jbs | Time: 00:40:30 | Date: 04/02/2020 | Version: 28.0.0 Lapis Lazuli
Table of Contents
Table of Contents 2
Analysis Report shellcode.exe 3
Overview 3
General Information 3
Detection 3
Confidence 3
Classification 4
Analysis Advice 4
Mitre Att&ck Matrix 5
Signature Overview 5
AV Detection: 5
System Summary: 5
Data Obfuscation: 5
Malware Configuration 5
Behavior Graph 5
Simulations 6
Behavior and APIs 6
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Yara Overview 7
Initial Sample 7
PCAP (Network Traffic) 7
Dropped Files 7
Memory Dumps 7
Unpacked PEs 7
Sigma Overview 7
Joe Sandbox View / Context 7
IPs 7
Domains 7
ASN 7
JA3 Fingerprints 7
Dropped Files 7
Created / dropped Files 8
Domains and IPs 8
Contacted Domains 8
Contacted IPs 8
Static File Info 8
General 8
File Icon 8
Static PE Info 8
General 8
Entrypoint Preview 9
Data Directories 10
Sections 10
Imports 11
Network Behavior 11
Code Manipulations 11
Statistics 11
System Behavior 11
Disassembly 11
Copyright Joe Security LLC 2020 Page 2 of 11
Analysis Report shellcode.exe
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205432
Start date: 04.02.2020
Start time: 00:40:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: shellcode.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@0/0@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Unable to launch sample, stop analysis
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Errors: Nothing to analyse, Joe Sandbox has not found any analysis process or sample; Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
Detection
Strategy Score Range Reporting Whitelisted Detection
Threshold 52 0 - 100 false
Confidence
Strategy Score Range Further Analysis Required? Confidence
Threshold 5 0 - 5 false
Classification
Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean.
Analysis Advice
Sample is corrupt or needs to be run on a newer Windows version
Mitre Att&ck Matrix
No Mitre Att&ck techniques found
Signature Overview
• AV Detection
• System Summary
• Data Obfuscation
AV Detection:
Multi AV Scanner detection for submitted file
System Summary:
PE file has nameless sections
Yara signature match
Classification label
Sample is known by Antivirus
PE file has a high image base, often used for DLLs
Contains modern PE file flags such as dynamic base (ASLR) or NX
Data Obfuscation:
PE file contains sections with non-standard names
Malware Configuration
No configs have been found
Behavior Graph
Behavior graph (figure): ID: 205432; Sample: shellcode.exe; Startdate: 04/02/2020; Architecture: WINDOWS; Score: 52; Is malicious. Signature nodes shown: Multi AV Scanner detection for submitted file; PE file has nameless sections.
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Internet.
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source Detection Scanner Label Link
shellcode.exe 13% Virustotal Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
Source Rule Description Author Strings
shellcode.exe SUSP_XORed_Mozilla Detects suspicious XORed keyword - Mozilla/5.0 Florian Roth 0x3a676:$xo1: cATGBBO\x01\x1B\x1E
shellcode.exe SUSP_XORed_Mozilla Detects suspicious XORed keyword - Mozilla/5.0 Florian Roth 0x276:$xo1: cATGBBO\x01\x1B\x1E
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 6.429574856787312
TrID: Win64 Dynamic Link Library (generic) (102004/3) 87.93%; Win64 Executable (generic) (12005/4) 10.35%; DOS Executable Generic (2002/1) 1.73%
File name: shellcode.exe
File size: 260608
MD5: e6fc3f3b116128018095323b00962a55
SHA1: 70d222c07e4749bd0adbb6511bbc9c3ff1f9cbc1
SHA256: a54ea71f8f161b7c4c8599da60645b814a911193b6cc1f7f761fd8daee240906
SHA512: fc0e2b712ee5c9b1dec71bb9f87d74bc8a449f38e8b0ff44290fef83675ec3f18f2c8864ec3a9540452e06f32f6c5665196d7cb31aeda67da8eebdf3307f5968
SSDEEP: 3072:DJwpS2NACV4qAbypuljJGnJYoTjqETdtbsnOfFwXVa/o7w494YJGga1TmHnaH:DJwpYVNcn3pTdNe+WXVioz4RCH
File Content Preview: MZARUH..H.. ...H...... H..H...c....A....Vh....ZH...... | ._a.dmp.K..c.y..0\.A.~...... )..X%...NN.\h...... hN..%....]g...,. 2Z...... D..?0...y.L.%~".@S..]c.d.:.lb....."P>...\.....,.._(....n. w...... (...1U..dm...... v./..;..-3.P.]...... nM...... ].PE..d..
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General
Entrypoint: 0x18001bad4
Entrypoint Section:
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x4F898936 [Sat Apr 14 14:27:02 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: e26673d9406c9578735b762e3908442f
Entrypoint Preview
Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FAA186DBB97h
call 00007FAA186E2864h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FAA186DBB98h
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 50h
dec ecx
mov esi, eax
mov ebx, edx
dec esp
mov esi, ecx
mov edx, 00000001h
mov dword ptr [eax-48h], edx
test ebx, ebx
jne 00007FAA186DBBA1h
cmp dword ptr [00027238h], ebx
jne 00007FAA186DBB99h
xor eax, eax
jmp 00007FAA186DBC67h
lea eax, dword ptr [ebx-01h]
cmp eax, 01h
jnbe 00007FAA186DBBCAh
dec eax
mov eax, dword ptr [00011F08h]
dec eax
test eax, eax
je 00007FAA186DBB9Ch
mov edx, ebx
call eax
mov edx, eax
mov dword ptr [esp+20h], eax
test edx, edx
je 00007FAA186DBBA9h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007FAA186DB989h
mov edx, eax
mov dword ptr [esp+20h], eax
test eax, eax
jne 00007FAA186DBB99h
xor eax, eax
jmp 00007FAA186DBC27h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007FAA186E6F4Bh
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x3bbe0 0x52
IMAGE_DIRECTORY_ENTRY_IMPORT 0x3a6bc 0x64
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x0 0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x49000 0x1fe0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x4b000 0x604
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x38b50 0x70
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x2c000 0x698
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
(The Name column is empty for every section; the Signature Overview records this as "PE file has nameless sections".)
0x1000 0x2a1e0 0x2a200 False 0.536947097552 data 6.41105116133 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
0x2c000 0xfc32 0xfe00 False 0.483821358268 data 5.89813333505 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0x3c000 0xc568 0x2600 False 0.313733552632 data 4.11855071654 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
0x49000 0x1fe0 0x2000 False 0.497314453125 data 5.44596689976 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0x4b000 0xf54 0x1000 False 0.25634765625 data 2.84761281826 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports
DLL Import
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Disassembly