ID: 128399
Sample Name: iconv.dll
Cookbook: default.jbs
Time: 01:10:55
Date: 03/05/2019
Version: 26.0.0 Aquamarine
Copyright Joe Security LLC 2019
Analysis Report iconv.dll
Overview
General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 128399
Start date: 03.05.2019
Start time: 01:10:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: iconv.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winDLL@17/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .dll; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
Detection
Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 2 | 0 - 100 | | true |
Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |
Classification
Classification chart (image not included): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rating scale malicious / suspicious / clean.
Analysis Advice
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
Initial Access: Valid Accounts
Execution: Windows Remote Management
Persistence: Winlogon Helper DLL
Privilege Escalation: Process Injection 1
Defense Evasion: Process Injection 1
Credential Access: Input Capture 1
Discovery: System Service Discovery
Lateral Movement: Application Deployment Software
Collection: Input Capture 1
Exfiltration: Data Compressed
Command and Control: Data Obfuscation
Signature Overview
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
System Summary:
Tries to load missing DLLs
Classification label
PE file has an executable .text section and no other executable section
Reads software policies
Runs a DLL by calling functions
Spawns processes
Malware Analysis System Evasion:
Program does not show much activity (idle)
Anti Debugging:
Program does not show much activity (idle)
HIPS / PFW / Operating System Protection Evasion:
Creates a process in suspended mode (likely to inject code)
Behavior Graph
Behavior graph (image not included). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.
ID: 128399
Sample: iconv.dll
Startdate: 03/05/2019
Architecture: WINDOWS
Score: 2
Graph content: loaddll32.exe started rundll32.exe (three instances) and 5 other processes.
Simulations
Behavior and APIs
Time | Type | Description
01:11:55 | API Interceptor | 2x Sleep call for process: loaddll32.exe modified
Antivirus and Machine Learning Detection
Initial Sample
Source | Detection | Scanner | Label | Link
iconv.dll | 2% | virustotal | | Browse
iconv.dll | 0% | metadefender | | Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
loaddll32.exe (PID: 3512, cmdline: loaddll32.exe 'C:\Users\user\Desktop\iconv.dll', MD5: 229B30A06FA656B0EF73C53B67977DCC)
  rundll32.exe (PID: 4076, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,_libiconv_version, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4300, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4292, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_close, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4288, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_open, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4540, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_set_relocation_prefix, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4588, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvctl, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4596, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvlist, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  rundll32.exe (PID: 4264, cmdline: rundll32.exe C:\Users\user\Desktop\iconv.dll,locale_charset, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
cleanup
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.316650828024265
TrID:
  Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  Generic Win/DOS Executable (2004/3) 0.20%
  DOS Executable Generic (2002/1) 0.20%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: iconv.dll
File size: 892928
MD5: d7cbbedfad7ad68e12bf6ffcc01c3080
SHA1: a21c860b81ed158e91b2b921b752f48fda6d6f1e
SHA256: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608f821becd646efb
SHA512: 739a2913f882b712a4d20f831530a411081644704b9ae234f4623b4fb2400f6a36486454f6a25dc8676ef5c570d3e23698b9a35bb3c2712ddb7e050661f36924
SSDEEP: 24576:hamf2FfWl8KuqGavkg3NyNIbbbIoIBAUZLY:hx+s8KuqGaX0ToIBAUZLY
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... Z...;...;.. .;...$...;..H'...;...$...;...$...;...;...;...... ;...=...;..4....;..Rich.;...... PE..L...... @...... !......
File Icon
Icon Hash: 74f0e4ecccdce0e4
Static PE Info
General
Entrypoint: 0x1000d0b7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp: 0x400493B0 [Wed Jan 14 00:56:16 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e7aa0aeef61e4ca89f4b87b602f40e02
Entrypoint Preview
Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F432870FC0Bh
cmp dword ptr [100D6168h], 00000000h
jmp 00007F432870FC28h
cmp esi, 01h
je 00007F432870FC07h
cmp esi, 02h
jne 00007F432870FC24h
mov eax, dword ptr [100D6178h]
test eax, eax
je 00007F432870FC0Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F432870FC0Eh
push edi
push esi
push ebx
call 00007F432870FB1Ah
test eax, eax
jne 00007F432870FC06h
xor eax, eax
jmp 00007F432870FC50h
push edi
push esi
push ebx
call 00007F432870FC58h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F432870FC0Eh
test eax, eax
jne 00007F432870FC39h
push edi
push eax
push ebx
call 00007F432870FAF6h
test esi, esi
je 00007F432870FC07h
cmp esi, 03h
jne 00007F432870FC28h
push edi
push esi
push ebx
call 00007F432870FAE5h
test eax, eax
jne 00007F432870FC05h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F432870FC13h
mov eax, dword ptr [100D6178h]
test eax, eax
je 00007F432870FC0Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [1000E02Ch]
cmp dword ptr [esp+08h], 01h
jne 00007F432870FC15h
cmp dword ptr [100D6178h], 00000000h
jne 00007F432870FC0Ch
push dword ptr [esp+04h]
call dword ptr [1000E000h]
push 00000001h
pop eax
retn 000Ch
add byte ptr [eax], al
add byte ptr [eax], al
Rich Headers
Programming Language: [EXP] VC++ 6.0 SP5 build 8804 [LNK] VC++ 6.0 SP5 build 8804
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xd5990 | 0x101 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd5844 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd7000 | 0x6a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0x92c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x44 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc17a | 0xd000 | False | 0.43075796274 | data | 6.30592873877 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xe000 | 0xc7a91 | 0xc8000 | False | 0.747775878906 | data | 7.41222619181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd6000 | 0x17c | 0x1000 | False | 0.03955078125 | data | 0.606907436296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd7000 | 0x6a8 | 0x1000 | False | 0.1748046875 | data | 1.71351888294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0x113c | 0x2000 | False | 0.253173828125 | data | 2.67014215625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xd7060 | 0x648 | data | English | United States
Imports
DLL | Import
MSVCRT.dll | memset, malloc, memcmp, free, qsort, strlen, strcmp, _errno, _initterm, _adjust_fdiv, sprintf, abort, memcpy
KERNEL32.dll | DisableThreadLibraryCalls, GetACP
Exports
Name | Ordinal | Address
_libiconv_version | 1 | 0x100d6010
libiconv | 2 | 0x1000cbf9
libiconv_close | 3 | 0x1000cc2f
libiconv_open | 4 | 0x1000bf77
libiconv_set_relocation_prefix | 5 | 0x1000cf15
libiconvctl | 6 | 0x1000cc3d
libiconvlist | 7 | 0x1000cd21
locale_charset | 8 | 0x1000ce83
Version Infos
Description | Data
LegalCopyright | Copyright (C) 1999-2003
InternalName | iconv.dll
FileVersion | 1.9
CompanyName | Free Software Foundation
LegalTrademarks |
Comments | This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
ProductName | libiconv: character set conversion library
ProductVersion | 1.9
FileDescription | LGPLed libiconv for Windows NT/2000/XP and Windows 95/98/ME
OriginalFilename | iconv.dll
Translation | 0x0409 0x0000
Possible Origin
Language of compilation system | Country where language is spoken | Map
English | United States |
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: loaddll32.exe PID: 3512 Parent PID: 4104
General
Start time: 01:11:54
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\iconv.dll'
Imagebase: 0xd20000
File size: 112640 bytes
MD5 hash: 229B30A06FA656B0EF73C53B67977DCC
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Analysis Process: rundll32.exe PID: 4076 Parent PID: 3512
General
Start time: 01:11:54
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,_libiconv_version
Imagebase: 0x920000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4300 Parent PID: 3512
General
Start time: 01:11:57
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4292 Parent PID: 3512
General
Start time: 01:12:00
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_close
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4288 Parent PID: 3512
General
Start time: 01:12:03
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_open
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4540 Parent PID: 3512
General
Start time: 01:12:07
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconv_set_relocation_prefix
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4588 Parent PID: 3512
General
Start time: 01:12:10
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvctl
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4596 Parent PID: 3512
General
Start time: 01:12:13
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,libiconvlist
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Analysis Process: rundll32.exe PID: 4264 Parent PID: 3512
General
Start time: 01:12:16
Start date: 03/05/2019
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iconv.dll,locale_charset
Imagebase: 0x940000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Disassembly
Code Analysis