Analysis Report
Overview
General Information |
---|
Analysis ID: | 65050 |
Start time: | 11:32:31 |
Start date: | 06/05/2015 |
Overall analysis duration: | 0h 3m 36s |
Report type: | full |
Sample file name: | FRUK22.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: | |
Cookbook Comments: | |
Warnings: | |
Detection |
---|
Strategy | Score | Range | Detection |
---|---|---|---|
Threshold | 26 | 0 - 100 | |
Signature Overview |
---|
Cryptography: |
---|
Uses Microsoft's Enhanced Cryptographic Provider |
Source: C:\FRUK22.exe | Code function: | 1_2_00401520 |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Creates a window with clipboard capturing capabilities |
Source: C:\FRUK22.exe | Window created: |
Boot Survival: |
---|
Contains functionality to start windows services |
Source: C:\FRUK22.exe | Code function: | 1_2_00403850 |
Data Obfuscation: |
---|
Binary may include packed or encrypted code |
Source: initial sample | Static PE information: |
Contains functionality to dynamically determine API calls |
Source: C:\FRUK22.exe | Code function: | 1_1_00446A90 |
Entry point lies outside standard sections |
Source: initial sample | Static PE information: |
Generates new code (likely due to unpacking of malware or shellcode) |
Source: C:\FRUK22.exe | Code execution: |
PE file contains an invalid checksum |
Source: initial sample | Static PE information: |
PE file contains sections with non-standard names |
Source: initial sample | Static PE information: |
Source: initial sample | Static PE information: |
System Summary: |
---|
Executable creates window controls seldom found in malware |
Source: C:\FRUK22.exe | Window found: |
Uses Rich Edit Controls |
Source: C:\FRUK22.exe | File opened: |
Contains functionality to adjust token privileges (e.g. debug / backup) |
Source: C:\FRUK22.exe | Code function: | 1_2_004014B0 |
Contains functionality to create services |
Source: C:\FRUK22.exe | Code function: | 1_2_00402900 |
Contains functionality to enum processes or threads |
Source: C:\FRUK22.exe | Code function: | 1_2_00402B10 |
Contains functionality to load and extract PE file embedded resources |
Source: C:\FRUK22.exe | Code function: | 1_2_00402AA0 |
Contains functionality to modify services (start/stop/modify) |
Source: C:\FRUK22.exe | Code function: | 1_2_00403850 |
Reads ini files |
Source: C:\FRUK22.exe | File read: |
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possibly packed) |
Source: initial sample | Static PE information: |
Contains functionality to call native functions |
Source: C:\FRUK22.exe | Code function: | 1_2_00402C20 |
Source: C:\FRUK22.exe | Code function: | 1_2_00402DE0 |
Contains functionality to delete services |
Source: C:\FRUK22.exe | Code function: | 1_2_00402900 |
PE file contains strange resources |
Source: initial sample | Static PE information: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection) |
Source: C:\FRUK22.exe | Code function: | 1_2_00403150 |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Source: C:\FRUK22.exe | Code function: | 1_1_00446F90 |
Contains functionality to dynamically determine API calls |
Source: C:\FRUK22.exe | Code function: | 1_1_00446A90 |
Contains functionality to read the PEB |
Source: C:\FRUK22.exe | Code function: | 1_2_00403850 |
Source: C:\FRUK22.exe | Code function: | 1_2_00320117 |
Program does not show much activity (idle) |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: |
Malware Analysis System Evasion: |
---|
Found large amount of non-executed APIs |
Source: C:\FRUK22.exe | API coverage: |
Program does not show much activity (idle) |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: |
Language, Device and Operating System Detection: |
---|
Contains functionality to query windows version |
Source: C:\FRUK22.exe | Code function: | 1_1_00445930 |
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
|
Created / dropped Files |
---|
No created / dropped files found |
---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
TrID: |
|
File name: | FRUK22.exe |
File size: | 574464 bytes |
MD5: | cbdda646a20d95f078393506ecdc0796 |
SHA1: | daa9a55fd946361f216248b563d01c5e16d44644 |
SHA256: | 10b5975b40f45ba153d91be5a2d6b1ad5c5a359ad5c385c426e39460a9c60c4b |
SHA512: | e2b5cf5a7f648df83b704885c9782806589a4d4aca2e95c588d144a0181da895bb0cc74016a176f404769d96a91793b8880b74ae9b80732dfb8f41e9fd06510b |
File Icon |
---|
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4456d4 |
Entrypoint Section: | AUTO |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui 111 |
Image File Characteristics: | 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE |
DLL Characteristics: | |
Time Stamp: | 0x55309EA0 [Fri Apr 17 05:48:16 2015 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 1 |
OS Version Minor: | 11 |
File Version Major: | 1 |
File Version Minor: | 11 |
Subsystem Version Major: | 1 |
Subsystem Version Minor: | 11 |
Entrypoint Preview |
---|
Note: the listing below is a linear disassembly from the entry point (0x4456d4, inside section AUTO). Only the leading jmp and the tail beginning at `push ebx` are real code; the instructions in between are an embedded ASCII banner decoded as opcodes, which becomes visible when the immediate operands are read as little-endian text (656D6954h = "Time", 6F432073h = "s Co", 43282074h = "t (C", 32303032h = "2002"; the bytes behind `and byte ptr [edi+61h], dl` / `je` / `outsd` / `insd` spell " Watcom"). Together with the AUTO and DGROUP section names this is consistent with an Open Watcom run-time startup that jumps over its copyright string. It also accounts for the "high occurrence of arithmetic instructions at the PE entrypoint" signature, which is therefore weak evidence of packing on its own; the dynamic "Generates new code" signature is the stronger indicator. The absolute jump targets (0CFC9D5Ch and similar) are relative displacements rendered against a wrong base and can be ignored.
Instruction |
---|
jmp 0CFC9D5Ch |
add edx, dword ptr [eax] |
inc eax |
add byte ptr [edi+70h], cl |
outsb |
and byte ptr [edi+61h], dl |
je 0CFC9D65h |
outsd |
insd |
and byte ptr [ebx+2Fh], al |
inc ebx |
and byte ptr [eax], ah |
xor esi, dword ptr [edx] |
and byte ptr [edx+75h], dl |
outsb |
sub eax, 656D6954h |
and byte ptr [ebx+79h], dh |
jnc 0CFC9D76h |
insd |
and byte ptr [eax+6Fh], dl |
jc 0CFC9D76h |
imul ebp, dword ptr [edi+6Eh], 6F432073h |
jo 0CFC9D7Bh |
jc 0CFC9D6Bh |
push 43282074h |
sub dword ptr [eax], esp |
push ebx |
jns 0CFC9D64h |
popad |
jnc 0CFC9D67h |
sub al, 20h |
dec ecx |
outsb |
arpl word ptr [esi], bp |
and byte ptr [ecx], dh |
cmp dword ptr [eax], edi |
cmp byte ptr [32303032h], ch |
push ebx |
push ecx |
push edx |
push ebp |
mov ebp, esp |
sub esp, 08h |
mov eax, 00000001h |
call 0CFC9DB2h |
mov eax, dword ptr [004561E0h] |
add eax, 03h |
and al, FCh |
xor edx, edx |
sub esp, eax |
mov ecx, esp |
mov ebx, dword ptr [004561E0h] |
mov eax, ecx |
call 0CFC9E75h |
mov eax, dword ptr [004561E0h] |
mov dword ptr [ecx+00000104h], eax |
mov eax, ecx |
mov edx, ecx |
call 0CFC9E31h |
lea eax, dword ptr [ebp-08h] |
call 0CFCA0F9h |
mov ecx, dword ptr [00456258h] |
add ecx, 03h |
and cl, FFFFFFFCh |
call 0CFCA1A8h |
cmp ecx, eax |
jc 0CFC9D3Ah |
xor eax, eax |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a000 | 0x6ba | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x59000 | 0x37200 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x58000 | 0x594 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Xored PE | ZLIB Complexity | File Type | Characteristics |
---|---|---|---|---|---|---|---|---|
AUTO | 0x1000 | 0x48900 | 0x48a00 | 6.82719373769 | False | 0.632876371558 | data | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.idata | 0x4a000 | 0x6ba | 0x800 | 4.69143665948 | False | 0.39306640625 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
DGROUP | 0x4b000 | 0xcf70 | 0xb600 | 6.1835981847 | False | 0.574605082418 | Targa image data - Map | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0x58000 | 0x0 | 0x600 | 6.44460562783 | False | 0.83984375 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x59000 | 0x0 | 0x37200 | 6.45978587849 | False | 0.666706526361 | data | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country | Nbr Of Functions | Xored PE |
---|---|---|---|---|---|---|---|
RT_BITMAP | 0x59280 | 0xae | data | | | 0 | False |
RT_BITMAP | 0x59330 | 0xaa | data | | | 0 | False |
RT_BITMAP | 0x593dc | 0xb6 | data | | | 0 | False |
RT_BITMAP | 0x59494 | 0xa6 | data | | | 0 | False |
RT_BITMAP | 0x5953c | 0x1b0b0 | data | | | 0 | False |
RT_BITMAP | 0x745ec | 0x19d18 | data | | | 0 | False |
RT_ICON | 0x8e304 | 0xea8 | data | | | 0 | False |
RT_ICON | 0x8f1ac | 0x8a8 | data | | | 0 | False |
RT_ICON | 0x8fa54 | 0x568 | GLS_BINARY_LSB_FIRST | | | 0 | False |
RT_GROUP_ICON | 0x8ffbc | 0x30 | MS Windows icon resource - 3 icons, 48x48, 256-colors | | | 0 | False |
RT_MANIFEST | 0x8ffec | 0x18c | ASCII text, with CRLF line terminators | | | 0 | False |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.DLL | CloseHandle, CreateEventA, CreateFileA, ExitProcess, FreeEnvironmentStringsA, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetCurrentThreadId, GetEnvironmentStringsA, GetFileType, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetOEMCP, GetProcAddress, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetVersion, LoadLibraryA, MultiByteToWideChar, SetConsoleCtrlHandler, SetEnvironmentVariableA, SetEnvironmentVariableW, SetStdHandle, SetUnhandledExceptionFilter, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile |
USER32.DLL | BeginPaint, CharUpperA, CreateWindowExA, DefWindowProcA, DestroyWindow, DispatchMessageA, EndDialog, EndPaint, GetKeyboardState, GetMenu, GetMenuItemID, GetMessageA, GetParent, GetPropA, LoadAcceleratorsA, LoadIconA, LoadStringA, PostQuitMessage, RegisterClassExA, SendMessageA, SetParent, SetPropW, SetScrollInfo, SetScrollPos, SetScrollRange, ShowWindow, TranslateAcceleratorA, TranslateMessage, UpdateWindow, WindowFromPoint |
Only KERNEL32 and USER32 are imported statically. ADVAPI32 (service control, token privilege adjustment, the Enhanced Cryptographic Provider) and the process-enumeration APIs behind the signatures above do not appear in the table, so the code that reaches them must resolve them at run time through the imported LoadLibraryA/GetProcAddress pair, which is what the "dynamically determine API calls" signature reflects. A capability assessment based on the static import table alone would miss most of this sample's reported functionality.
Network Behavior |
---|
No network behavior found |
---|
Hooks - Code Manipulation Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 11:32:57 |
Start date: | 06/05/2015 |
Path: | C:\FRUK22.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 574464 bytes |
MD5 hash: | CBDDA646A20D95F078393506ECDC0796 |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 6.8% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 27.9% |
Total number of Nodes: | 430 |
Total number of Limit Nodes: | 7 |