ID: 236238
Sample Name: unetbootin-windows-677.exe
Cookbook: default.jbs
Time: 22:54:18
Date: 05/06/2020
Version: 29.0.0 Ocean Jasper
Copyright null 2020
Analysis Report unetbootin-windows-677.exe
Overview
General Information
Sample Name: unetbootin-windows-677.exe
MD5: 182b69a71a5b69…
SHA1: 9093e0e533a62e…
SHA256: 7821b86a10b955…
Most interesting Screenshot: (image not reproduced)

Detection
Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
Sample file is different than original f…
Tries to load missing DLLs

Classification
Scale: malicious / suspicious / clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Startup
System is w10x64
unetbootin-windows-677.exe (PID: 2212, cmdline: 'C:\Users\user\Desktop\unetbootin-windows-677.exe', MD5: 182B69A71A5B690A26ED562C8898F380)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
Mitre Att&ck Matrix
Techniques matched by the analysis are marked with their signature count (1); the remaining cells are the unmatched techniques shown in the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Graphical User Interface (1); Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Software Packing (1); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery (1); Security Software Discovery (1); System Information Discovery (1); System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Behavior Graph
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Graph header: ID: 236238; Sample: unetbootin-windows-677.exe; Startdate: 05/06/2020; Architecture: WINDOWS; Score: 1
Graph nodes: unetbootin-windows-677.exe (started)
Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
unetbootin-windows-677.exe | 3% | Virustotal | | Browse
unetbootin-windows-677.exe | 5% | Metadefender | | Browse
unetbootin-windows-677.exe | 6% | ReversingLabs | |
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 236238
Start date: 05.06.2020
Start time: 22:54:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: unetbootin-windows-677.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, MusNotifyIcon.exe, UsoClient.exe
Simulations
Behavior and APIs
Time | Type | Description
22:54:45 | API Interceptor | 213x Sleep call for process: unetbootin-windows-677.exe modified
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
General
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit): 7.999762028200734
TrID:
  Win32 Executable (generic) a (10002005/4) 99.39%
  UPX compressed Win32 Executable (30571/9) 0.30%
  Win32 EXE Yoda's Crypter (26571/9) 0.26%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
File name: unetbootin-windows-677.exe
File size: 4833792
MD5: 182b69a71a5b690a26ed562c8898f380
SHA1: 9093e0e533a62e80e43146231f80f5d18ea777d2
SHA256: 7821b86a10b955561f101088b88b51cf0e63721e5e61d3504fb41445e09a1a86
SHA512: ea6aea138064840d9d86df2a126c9302687185fef1b16316d9abd8e0484736b9d36b9c83a8d78784e3a44a2311863ae75a1be9bccd88938264e1b36048fd9244
SSDEEP: 98304:Xo346jV8i6ym7iakVIq3nSMvihFEJvZ2XaJ4Tm/jXW:43rVJ6r6B9ahOVZY2v/j
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L..... &^...... 8..I..0...P...... `...... @......
File Icon
Icon Hash: 58c0e0f4787c6626
Static PE Info
General
Entrypoint: 0x11de3a0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5E26D4BB [Tue Jan 21 10:38:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: cac353b6ed4dd5570e529ec15ba76950
Entrypoint Preview
Instruction
pushad
mov esi, 00D46015h
lea edi, dword ptr [esi-00945015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007FF44C264C7Dh
inc esi
inc esi
push ebx
push 00DDC21Dh
push edi
add ebx, 04h
push ebx
push 0049837Bh
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
nop
nop
nop
nop
nop
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xde1c70 | 0x30c | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xddf000 | 0x2c70 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x945000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x946000 | 0x499000 | 0x499000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xddf000 | 0x3000 | 0x3000 | False | 0.29736328125 | data | 4.76687268426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xddf148 | 0x25a8 | data | English | United States
RT_GROUP_ICON | 0xde16f4 | 0x14 | data | English | United States
RT_VERSION | 0xde170c | 0x404 | data | English | United States
RT_MANIFEST | 0xde1b14 | 0x15c | XML 1.0 document, ASCII text | English | United States
Imports
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.DLL | RegCloseKey
COMDLG32.DLL | PrintDlgA
GDI32.dll | BitBlt
IMM32.DLL | ImmNotifyIME
msvcrt.dll | cos
OLE32.dll | DoDragDrop
OLEAUT32.DLL | VariantInit
SHELL32.DLL | SHGetMalloc
USER32.dll | GetDC
WINMM.DLL | PlaySoundA
WINSPOOL.DRV | GetPrinterA
WS2_32.DLL | bind
Version Infos
Description | Data
LegalCopyright | Copyright - Geza Kovacs - License - GNU GPL v2+
InternalName | UNetbootin - Universal Netboot Installer
FileVersion |
CompanyName | Geza Kovacs
LegalTrademarks |
ProductName | UNetbootin - Universal Netboot Installer
ProductVersion |
FileDescription | UNetbootin - Universal Netboot Installer - http://unetbootin.sourceforge.net
OriginalFilename | unetbootin.exe
Translation | 0x0409 0x04e4
Possible Origin
Language of compilation system | Country where language is spoken | Map
English | United States |
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: unetbootin-windows-677.exe PID: 2212 Parent PID: 5460
General
Start time: 22:54:44
Start date: 05/06/2020
Path: C:\Users\user\Desktop\unetbootin-windows-677.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\unetbootin-windows-677.exe'
Imagebase: 0x400000
File size: 4833792 bytes
MD5 hash: 182B69A71A5B690A26ED562C8898F380
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Registry Activities
Key Created
Source | Key Path | Completion | Count | Address | Symbol
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UNetbootin | success or wait | 1 | D3DA7D | RegCreateKeyExW
Disassembly
Code Analysis