Analysis Report iconv.dll
ID: 128399   Sample Name: iconv.dll   Cookbook: default.jbs   Date: 03/05/2019 01:10:55   Version: 26.0.0 Aquamarine

Copyright Joe Security LLC 2019

Table of Contents

Overview
  General Information
  Detection
  Confidence
  Classification
  Analysis Advice
  Mitre Att&ck Matrix
  Signature Overview
    Key, Mouse, Clipboard, Microphone and Screen Capturing
    System Summary
    Malware Analysis System Evasion
    Anti Debugging
    HIPS / PFW / Operating System Protection Evasion
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus and Machine Learning Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Screenshots
    Thumbnails
Startup
Created / dropped Files
Domains and IPs
  Contacted Domains
  Contacted IPs
Static File Info
  General
  File Icon
  Static PE Info
    General
    Entrypoint Preview
    Rich Headers
    Data Directories
    Sections
    Resources
    Imports
    Exports
    Version Infos
    Possible Origin
Network Behavior
Code Manipulations
Statistics
Behavior
System Behavior
  Analysis Process: loaddll32.exe PID: 3512 Parent PID: 4104
    General
    File Activities
  Analysis Process: rundll32.exe PID: 4076 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4300 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4292 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4288 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4540 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4588 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4596 Parent PID: 3512
  Analysis Process: rundll32.exe PID: 4264 Parent PID: 3512
Disassembly
  Code Analysis

Analysis Report iconv.dll

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 128399
Start date: 03.05.2019
Start time: 01:10:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 47s
Hypervisor based Inspection enabled: false
Report: light
Sample file name: iconv.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winDLL@17/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .dll
  Stop behavior analysis, all processes terminated
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe

Detection

Columns: Strategy | Score | Range | Reporting | Whitelisted | Detection
Row:     Threshold | 2 | 0 - 100 | true

Confidence

Columns: Strategy | Score | Range | Further Analysis Required? | Confidence
Row:     Threshold | 5 | 0 - 5 | false

Classification

[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean / suspicious / malicious. This sample is rated clean (score 2 of 100).]

Analysis Advice

Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal further behavior.

Mitre Att&ck Matrix

Initial Access: Valid Accounts
Execution: Windows Remote Management
Persistence: Winlogon Helper DLL
Privilege Escalation: Process Injection (1)
Defense Evasion: Process Injection (1)
Credential Access: Input Capture (1)
Discovery: System Service Discovery
Lateral Movement: Application Deployment Software
Collection: Input Capture (1)
Exfiltration: Data Compressed
Command and Control: Data Obfuscation

The number in parentheses is the count of triggered signatures mapped to that technique; cells without a count are the column's placeholder technique with no hit. Here Process Injection corresponds to the suspended-process signature and Input Capture to the DirectInput signature listed under Signature Overview.

Signature Overview

• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

System Summary:

Tries to load missing DLLs

Classification label

PE file has an executable .text section and no other executable section

Reads software policies

Runs a DLL by calling functions

Spawns processes (in this run, the loaddll32.exe harness launching one rundll32.exe per export; see Startup)

Malware Analysis System Evasion:

Program does not show much activity (idle)

Anti Debugging:

Program does not show much activity (idle)

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code). The only process creations in this run are the harness's rundll32.exe launches listed under Startup, and the report counts zero injected processes.

Behavior Graph

[Behavior graph, ID 128399, sample iconv.dll, start date 03/05/2019, architecture WINDOWS, score 2. Legend: process, signature, created file, DNS/IP info, is dropped, is Windows process, number of created registry values, number of created files, is malicious, Internet, and the detected language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language). The only nodes drawn are loaddll32.exe (C, C++ or other language) and the rundll32.exe processes it started: three drawn, "5 other processes" collapsed.]

Simulations

Behavior and APIs

Time      Type              Description
01:11:55  API Interceptor   2x call for process: loaddll32.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source     Detection   Scanner        Label
iconv.dll  2%          virustotal
iconv.dll  0%          metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots


Startup

System is w10x64

loaddll32.exe (PID: 3512, cmdline: loaddll32.exe 'C:\Users\user\Desktop\iconv.dll', MD5: 229B30A06FA656B0EF73C53B67977DCC)
  rundll32.exe (PID: 4076, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,_libiconv_version, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4300, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4292, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_close, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4288, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_open, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4540, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_set_relocation_prefix, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4588, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvctl, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4596, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvlist, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4264, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,locale_charset, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
cleanup

The MD5 values above are those of loaddll32.exe and rundll32.exe themselves, not of the sample (iconv.dll is d7cbbedfad7ad68e12bf6ffcc01c3080, see Static File Info). loaddll32.exe is the sandbox's DLL harness, not part of the sample: it loads iconv.dll and then starts one rundll32.exe per exported symbol. rundll32.exe invokes an export with its fixed (HWND, HINSTANCE, LPSTR, int) convention, so none of the libiconv functions receives valid arguments, and _libiconv_version, a data export rather than a function (see Exports), is entered as if it were code. The process-spawning and suspended-process signatures are this harness activity; the library's own code paths are barely exercised, which is consistent with the "idle" signatures.

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.316650828024265
TrID:
  Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  Generic Win/DOS Executable (2004/3) 0.20%
  DOS Executable Generic (2002/1) 0.20%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: iconv.dll
File size: 892928
MD5: d7cbbedfad7ad68e12bf6ffcc01c3080
SHA1: a21c860b81ed158e91b2b921b752f48fda6d6f1e
SHA256: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608f821becd646efb
SHA512: 739a2913f882b712a4d20f831530a411081644704b9ae234f4623b4fb2400f6a36486454f6a25dc8676ef5c570d3e23698b9a35bb3c2712ddb7e050661f36924
SSDEEP: 24576:hamf2FfWl8KuqGavkg3NyNIbbbIoIBAUZLY:hx+s8KuqGaX0ToIBAUZLY
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... Z...;...;.. .;...$...;..H'...;...$...;...$...;...;...;...... ;...=...;..4....;..Rich.;...... PE..L...... @...... !......

File Icon

Icon: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x1000d0b7
Entrypoint Section: .text
Digitally signed: false (the IMAGE_DIRECTORY_ENTRY_SECURITY directory is empty)
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics: (none set). A January 2004 VC++ 6.0 link predates the DYNAMIC_BASE and NX_COMPAT flags, so the image carries no ASLR or DEP opt-in of its own; the .reloc section still lets the loader rebase it when 0x10000000 is already occupied.
Time Stamp: 0x400493B0 [Wed Jan 14 00:56:16 2004 UTC]
TLS Callbacks: (none; the TLS directory is empty)
CLR (.Net) Version: (none; the COM descriptor directory is empty)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e7aa0aeef61e4ca89f4b87b602f40e02

Entrypoint Preview

Instruction listing at the entry point (0x1000d0b7), one instruction per line. Two instructions lost their mnemonic in extraction and are kept with their operands only. The branch targets are as the report printed them.

push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
esi, esi
jne 00007F432870FC0Bh
dword ptr [100D6168h], 00000000h
jmp 00007F432870FC28h
cmp esi, 01h
je 00007F432870FC07h
cmp esi, 02h
jne 00007F432870FC24h
mov eax, dword ptr [100D6178h]
test eax, eax
je 00007F432870FC0Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F432870FC0Eh
push edi
push esi
push ebx
call 00007F432870FB1Ah
test eax, eax
jne 00007F432870FC06h
xor eax, eax
jmp 00007F432870FC50h
push edi
push esi
push ebx
call 00007F432870FC58h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F432870FC0Eh
test eax, eax
jne 00007F432870FC39h
push edi
push eax
push ebx
call 00007F432870FAF6h
test esi, esi
je 00007F432870FC07h
cmp esi, 03h
jne 00007F432870FC28h
push edi
push esi
push ebx
call 00007F432870FAE5h
test eax, eax
jne 00007F432870FC05h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F432870FC13h
mov eax, dword ptr [100D6178h]
test eax, eax
je 00007F432870FC0Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [1000E02Ch]
cmp dword ptr [esp+08h], 01h
jne 00007F432870FC15h
cmp dword ptr [100D6178h], 00000000h
jne 00007F432870FC0Ch
push dword ptr [esp+04h]
call dword ptr [1000E000h]
push 00000001h
pop eax
retn 000Ch
add byte ptr [eax], al
add byte ptr [eax], al

This sequence matches the Visual C++ 6.0 CRT DLL entry wrapper (_DllMainCRTStartup): it loads hinstDLL, fdwReason and lpReserved from [ebp+08h], [ebp+0Ch] and [ebp+10h], dispatches on fdwReason (0 = DLL_PROCESS_DETACH, 1 = DLL_PROCESS_ATTACH, 2 = DLL_THREAD_ATTACH, 3 = DLL_THREAD_DETACH), calls the optional raw DllMain hook held at [100D6178h] when it is non-null, and reaches the CRT initialisation/termination routines and the user DllMain through the relative calls. The trailing stub (cmp dword ptr [esp+08h], 01h ... push 00000001h / pop eax / retn 000Ch) matches the CRT's default DllMain: on DLL_PROCESS_ATTACH, when no raw hook is installed, it calls through an IAT slot (the IAT starts at RVA 0xe000, i.e. 0x1000e000) and returns TRUE; in the CRT source that call is DisableThreadLibraryCalls(hinstDLL), consistent with it being one of the only two KERNEL32 imports. The "jmp dword ptr [1000E02Ch]" before it is an import jump thunk, and the two "add byte ptr [eax], al" lines are zero padding. Nothing here is unusual for a VC++ 6.0 DLL.

Rich Headers

Programming Language: [EXP] VC++ 6.0 SP5 build 8804 [LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0xd5990          0x101         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT         0xd5844          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0xd7000          0x6a8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0xd8000          0x92c         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0xe000           0x44          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0xc17a        0xd000    False     0.43075796274    data       6.30592873877   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0xe000           0xc7a91       0xc8000   False     0.747775878906   data       7.41222619181   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xd6000          0x17c         0x1000    False     0.03955078125    data       0.606907436296  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0xd7000          0x6a8         0x1000    False     0.1748046875     data       1.71351888294   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd8000          0x113c        0x2000    False     0.253173828125   data       2.67014215625   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        RVA      Size   Type  Language  Country
RT_VERSION  0xd7060  0x648  data  English   United States

Imports

DLL           Import
MSVCRT.dll    memset, malloc, memcmp, free, qsort, strlen, strcmp, _errno, _initterm, _adjust_fdiv, sprintf, abort, memcpy
KERNEL32.dll  DisableThreadLibraryCalls, GetACP
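The Sections table prints a per-section entropy and the Static PE Info a whole-file entropy of 7.32 and an Import Hash, but not how either is derived or how to read them. The following is an added example written for this page, not code from the Joe Sandbox report or from libiconv. It computes Shannon entropy the way the Entropy columns do, computes the Mandiant/pefile-style import hash from the DLL and function names, and applies the triage rule a reviewer uses on this table: high entropy in an executable section suggests packed or encrypted code, while high entropy in a read-only data section of a character-set converter is the conversion tables. The import order is assumed to be the order the report prints; the hash only reproduces the report's Import Hash if that assumption matches the on-disk import table.

```python
import hashlib
import math
from collections import Counter

# Section entropies and IMAGE_SCN_MEM_EXECUTE flags copied from the report's
# Sections table: name -> (entropy in bits per byte, executable).
REPORT_SECTIONS = {
    ".text":  (6.30592873877, True),
    ".rdata": (7.41222619181, False),
    ".data":  (0.606907436296, False),
    ".rsrc":  (1.71351888294, False),
    ".reloc": (2.67014215625, False),
}
# Raw sizes from the same table and the file size from Static File Info.
REPORT_RAW_SIZES = {".text": 0xD000, ".rdata": 0xC8000, ".data": 0x1000,
                    ".rsrc": 0x1000, ".reloc": 0x2000}
REPORT_FILE_SIZE = 892928

# Imports in the order the report prints them: (DLL, [function, ...]).
# ASSUMPTION: this is also the on-disk import-table order.
REPORT_IMPORTS = [
    ("MSVCRT.dll", ["memset", "malloc", "memcmp", "free", "qsort", "strlen",
                    "strcmp", "_errno", "_initterm", "_adjust_fdiv", "sprintf",
                    "abort", "memcpy"]),
    ("KERNEL32.dll", ["DisableThreadLibraryCalls", "GetACP"]),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    flat byte histogram. This is the quantity in the report's Entropy columns."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def imphash(imports) -> str:
    """Import hash as computed by pefile: MD5 over 'dll.function' pairs, lower
    cased, with a .dll/.ocx/.sys suffix stripped from the DLL name, joined by
    commas in import-table order. Ordinal-only imports (none in this sample)
    are not handled here."""
    parts = []
    for dll, functions in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{fn.lower()}" for fn in functions)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def packed_code_sections(sections, threshold=7.0):
    """Executable sections at or above the entropy threshold: the usual first
    indicator of packed or encrypted code. Empty for this sample (.text is 6.31)."""
    return [name for name, (entropy, executable) in sections.items()
            if executable and entropy >= threshold]


def high_entropy_data_sections(sections, threshold=7.0):
    """Non-executable sections above the threshold. Not a packing signal by
    itself; for a charset converter .rdata holds the lookup tables."""
    return [name for name, (entropy, executable) in sections.items()
            if not executable and entropy >= threshold]


def dominant_section(raw_sizes, file_size):
    """Section with the largest raw size and its share of the file. When one
    section holds most of the bytes, it drives the whole-file entropy."""
    name = max(raw_sizes, key=raw_sizes.get)
    return name, raw_sizes[name] / file_size


if __name__ == "__main__":
    print("imphash over the printed import list:", imphash(REPORT_IMPORTS))
    print("packed code sections:", packed_code_sections(REPORT_SECTIONS))
    print("high-entropy data sections:", high_entropy_data_sections(REPORT_SECTIONS))
    print("dominant section:", dominant_section(REPORT_RAW_SIZES, REPORT_FILE_SIZE))
```

Run against the report's numbers, no executable section crosses the 7.0 line, .rdata does, and .rdata is about 92% of the file, which is why the whole-file entropy (7.32) sits just under .rdata's (7.41). Packing would show up the other way round: a small high-entropy .text (or a writable executable section) with a virtual size far larger than its raw size.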

Exports

Name                            Ordinal  Address
_libiconv_version               1        0x100d6010
libiconv                        2        0x1000cbf9
libiconv_close                  3        0x1000cc2f
libiconv_open                   4        0x1000bf77
libiconv_set_relocation_prefix  5        0x1000cf15
libiconvctl                     6        0x1000cc3d
libiconvlist                    7        0x1000cd21
locale_charset                  8        0x1000ce83

All exports except the first fall inside .text (RVA 0x1000 to 0xe000). _libiconv_version at 0x100d6010 lies in .data (RVA 0xd6000, 0x17c bytes), so it is a data export, libiconv's exported version integer, rather than a function; that is consistent with a libiconv 1.9 build and explains why the harness invoking it via rundll32.exe (see Startup) cannot exercise any meaningful code.
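The Static PE Info, Data Directories, Sections and Exports tables each print addresses that a reviewer cross-checks against the section table by hand: is the entry point in .text, is there exactly one executable section (the "PE file has an executable .text section and no other executable section" signature), and does every export point into code? The following is an added example written for this page, not code from the Joe Sandbox report or from libiconv, that performs those checks over the values printed above. It assumes a section alignment of 0x1000, which the report does not print but every section start is consistent with.

```python
from typing import NamedTuple, Optional

IMAGE_BASE = 0x10000000        # "Imagebase" in Static PE Info
ENTRY_POINT = 0x1000D0B7       # "Entrypoint" in Static PE Info
SECTION_ALIGNMENT = 0x1000     # ASSUMED: not printed in the report


class Section(NamedTuple):
    name: str
    rva: int          # Virtual Address column
    vsize: int        # Virtual Size column
    rsize: int        # Raw Size column
    executable: bool  # IMAGE_SCN_MEM_EXECUTE present in Characteristics


# Section table as printed in the report's Sections table.
SECTIONS = [
    Section(".text",  0x1000,  0xC17A,  0xD000,  True),
    Section(".rdata", 0xE000,  0xC7A91, 0xC8000, False),
    Section(".data",  0xD6000, 0x17C,   0x1000,  False),
    Section(".rsrc",  0xD7000, 0x6A8,   0x1000,  False),
    Section(".reloc", 0xD8000, 0x113C,  0x2000,  False),
]

# Export name -> virtual address, from the Exports table.
EXPORTS = {
    "_libiconv_version": 0x100D6010,
    "libiconv": 0x1000CBF9,
    "libiconv_close": 0x1000CC2F,
    "libiconv_open": 0x1000BF77,
    "libiconv_set_relocation_prefix": 0x1000CF15,
    "libiconvctl": 0x1000CC3D,
    "libiconvlist": 0x1000CD21,
    "locale_charset": 0x1000CE83,
}

# Non-empty entries of the Data Directories table (RVA).
DATA_DIRECTORIES = {
    "EXPORT": 0xD5990, "IMPORT": 0xD5844, "RESOURCE": 0xD7000,
    "BASERELOC": 0xD8000, "IAT": 0xE000,
}


def _mapped_end(section: Section) -> int:
    # The loader reserves max(VirtualSize, SizeOfRawData) rounded up to the
    # section alignment; pefile applies the same rule for RVA lookups.
    size = max(section.vsize, section.rsize)
    rounded = (size + SECTION_ALIGNMENT - 1) // SECTION_ALIGNMENT * SECTION_ALIGNMENT
    return section.rva + rounded


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[Section]:
    """Section whose mapped range contains rva, or None when it lies outside all."""
    for s in sections:
        if s.rva <= rva < _mapped_end(s):
            return s
    return None


def va_to_rva(va: int) -> int:
    """Convert a virtual address (as printed for Entrypoint and Exports) to an RVA."""
    if va < IMAGE_BASE:
        raise ValueError(f"{va:#x} is below the image base {IMAGE_BASE:#x}")
    return va - IMAGE_BASE


def executable_sections(sections=SECTIONS):
    return [s.name for s in sections if s.executable]


def exports_by_section(exports=EXPORTS):
    """Map each export to the name of the section holding it ('?' if none)."""
    result = {}
    for name, va in exports.items():
        s = section_for_rva(va_to_rva(va))
        result[name] = s.name if s else "?"
    return result


def data_exports(exports=EXPORTS):
    """Exports whose address is not in an executable section. These are data
    symbols (libiconv's _libiconv_version is an exported int), not functions."""
    found = []
    for name, va in exports.items():
        s = section_for_rva(va_to_rva(va))
        if s is None or not s.executable:
            found.append(name)
    return found


def triage():
    """The checks a reviewer does against these tables, as one dict."""
    ep = section_for_rva(va_to_rva(ENTRY_POINT))
    return {
        "entry_point_section": ep.name if ep else "?",
        "executable_sections": executable_sections(),
        "data_exports": data_exports(),
        "directories": {k: (s.name if (s := section_for_rva(v)) else "?")
                        for k, v in DATA_DIRECTORIES.items()},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

For this sample the entry point and seven of the eight exports resolve to .text, .text is the only executable section, and the export, import and IAT directories all sit in .rdata; the one export outside code is _libiconv_version in .data. An entry point in a writable section, a second executable section, or exports resolving to no section at all would be the findings worth following up.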

Version Infos

Description       Data
LegalCopyright    Copyright (C) 1999-2003
InternalName      iconv.dll
FileVersion       1.9
CompanyName       Free Software Foundation
LegalTrademarks   (empty)
Comments          This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
ProductName       libiconv: character set conversion library
ProductVersion    1.9
FileDescription   LGPLed libiconv for Windows NT/2000/XP and Windows 95/98/ME
OriginalFilename  iconv.dll
Translation       0x0409 0x0000

The version resource is writer-controlled metadata and proves nothing on its own. Here it is consistent with the rest of the static picture (a 2004 link timestamp, a VC++ 6.0 toolchain, no signature, and an export list matching libiconv's public API), but attribution should rest on comparing the hashes above against a known libiconv 1.9 build rather than on these strings.

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

Analysis Process: loaddll32.exe PID: 3512 Parent PID: 4104

General

Start time: 01:11:54
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\iconv.dll'
Imagebase: 0xd20000
File size: 112640 bytes
MD5 hash: 229B30A06FA656B0EF73C53B67977DCC
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

No entries (table columns: Source, File Path, Access, Attributes, Options, Completion, Count, Address, Symbol)

Analysis Process: rundll32.exe PID: 4076 Parent PID: 3512

General

Start time: 01:11:54
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,_libiconv_version
Imagebase: 0x920000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4300 Parent PID: 3512

General

Start time: 01:11:57
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4292 Parent PID: 3512

General

Start time: 01:12:00
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_close
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4288 Parent PID: 3512

General

Start time: 01:12:03
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_open
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4540 Parent PID: 3512

General

Start time: 01:12:07
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_set_relocation_prefix
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4588 Parent PID: 3512

General

Start time: 01:12:10
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvctl
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4596 Parent PID: 3512

General

Start time: 01:12:13
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvlist
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Analysis Process: rundll32.exe PID: 4264 Parent PID: 3512

General

Start time: 01:12:16
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,locale_charset
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
